
Why are ATT Yahoo Mail accounts so regularly hacked?


Glenn Geller

Dec 3, 2012, 5:44:13 PM
Quite a few of my clients are ATT DSL subscribers who use the ATT-branded
Yahoo Mail that ATT includes with DSL. Pretty regularly, one of these email
accounts is commandeered by strangers who either use the account to send
spam or, if they're nefarious, send an email to all of the victim's
correspondents, pretending to be the victim and telling everyone that they've been
robbed of everything in a foreign country and would the recipient please wire
them a quick $1500.

This problem seems to afflict ATT Yahoo Mail users very disproportionately. My
theory is that there is some weakness with the servers at Yahoo or ATT that enables
the bad actors to compromise accounts by the handful, maybe by stealing
passwords.

Have you guys noticed this same problem with ATT Yahoo Mail?

Have you seen any news articles about it?

David Kaye

Dec 3, 2012, 6:11:00 PM
"Glenn Geller" <g...@ziiz.co> wrote

> Have you guys noticed this same problem with ATT Yahoo Mail?
>

I've had a couple customers who had problems but after talking with them I
found out they used very weak passwords, such as "password" and "12345". I
can't speak to the ATT/Yahoo interface, but I've never had any problem with
vanilla Yahoo email, and have had numerous accounts on Yahoo since Yahoo
began.



Jeff Liebermann

Dec 4, 2012, 10:40:01 AM
On Mon, 3 Dec 2012 14:44:13 -0800 (PST), Glenn Geller <g...@ziiz.co>
wrote:

>Have you guys noticed this same problem with ATT Yahoo Mail?

I've run into the problem a few times. Upon investigation (and
interrogation) of the customer, I'm finding several common problems.
As David Kaye mentioned, use of a weak password is epidemic. However,
it's not common passwords that are the problem. It's that AT&T was
using the same password for the PPPoE DSL login and the email account.
In addition, the password was always 6 characters in the form ABC123,
which has a very limited number of possible combinations. If the DSL
PPPoE password is somehow leaked, it would give access to the email
account. There are some other problems with this brilliant AT&T/Yahoo
password scheme, but I don't want to leak security issues here.
Fortunately, this is no longer the practice as AT&T now allows users
to have different passwords for their DSL PPPoE login and their Yahoo
email accounts. However, there are still millions of accounts that
still have identical passwords.

Another problem I've found is customers that use the same password
for every account. All that is necessary is for a compromised web
site to collect logins (usually email address) and passwords, and it's
highly probable that the same login/password pair will work on *ALL*
the customer's accounts. I caught one such compromised login/password
pair while some hacker was trying to use it to buy something on eBay
and pay for it with Paypal. All his passwords were identical. While
it's probably impossible to have a different password for every
account, at least those with dollar signs behind the account should be
protected with unique and non-dictionary passwords.

There are other issues, but my guess(tm) is that these are the major
causes. So far, the accounts that have unique, non-dictionary, and
longer passwords have not been compromised.

--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

David Kaye

Dec 5, 2012, 8:49:00 PM
"Jeff Liebermann" <je...@cruzio.com> wrote

> Fortunately, this is no longer the practice as AT&T now allows users
> to have different passwords for their DSL PPPoE login and their Yahoo
> email accounts. However, there are still millions of accounts that
> still have identical passwords.

This is an excellent point and something I neglected to mention. What's
more, many people never bothered to change their email password, and even
years later their email password is still identical to their DSL password.
Oftentimes they set up their account via the AT&T wizard and didn't even
know their email password because they'd just simply leave the email account
logged in for years at a time.

I still hold to my belief that Yahoo accounts aren't less secure than other
email accounts due to any hacking of Yahoo's email service itself.



Jeff Liebermann

Dec 6, 2012, 11:21:30 AM
On Wed, 5 Dec 2012 17:49:00 -0800, "David Kaye"
<sfdavi...@yahoo.com> wrote:

>"Jeff Liebermann" <je...@cruzio.com> wrote
>
>> Fortunately, this is no longer the practice as AT&T now allows users
>> to have different passwords for their DSL PPPoE login and their Yahoo
>> email accounts. However, there are still millions of accounts that
>> still have identical passwords.

>This is an excellent point and something I neglected to mention. What's
>more, many people never bothered to change their email password, and even
>years later their email password is still identical to their DSL password.
>Oftentimes they set up their account via the AT&T wizard and didn't even
>know their email password because they'd just simply leave the email account
>logged in for years at a time.

There's also the problem of where to change the passwords. Where does
one look? On the AT&T DSL web site? On their AT&T telephone account
page? For Yahoo, perhaps buried under the mail classic, mail enhanced
or mobile mail menus? Of course, it's different if you have a
business or residential AT&T account, or Yahoo free or Premium
accounts. I just tried to find the password menu under my Yahoo mail
classic account. I had to resort to using the help, which led me to
an account config page that is inaccessible from the email pages.

This is supposed to help:
"Change or reset your AT&T passwords"
<http://www.att.com/esupport/article.jsp?sid=KB401397&cv=801>
Note that AT&T doesn't supply instructions on how to change passwords
on older AT&T supplied DSL modems. Even if I point my customers to
the exact web page, I still get calls asking *ME* to change their
passwords for them. Oddly, it's easy to change both passwords using
the AT&T automated support AVR thing. Just say "password change" at
the voice prompt and follow instructions. The problem here is that
security is minimal. All I need is a copy of ANY of the customer's
phone bills, and I can change their passwords.

Some of the non-AT&T ISP's that I deal with are no better, and for
some odd reason, seem to hide the password change web page as some
misguided security measure. I guess they're following AT&T/Yahoo's
example.

With the PPPoE login password sometimes in the modem, sometimes in the
router, and sometimes on a computah, there are other ways to screw it
up. Very often, the user changes the DSL password but doesn't change
it in the DSL modem. No problem because as long as the DSL modem has
power, it will continue to function normally for several days, with
the old wrong password saved. Eventually the DSLAM will reboot the
modem, try to issue a new IP address, or the AC power may glitch, and
the modem reboots, fails to login, and I get a phone call. It's easy
enough to fix, but since the customer remembers all the problems
started when they changed their password, they are rather reluctant to
change it again in the future.

To AT&T's credit, the new and improved ADSL2+ service (U-verse) does
not use PPPoE and has no passwords saved in the marginal Motorola DSL
modem/router. PPPoE was a mistake, but AT&T will never admit it.

>I still hold to my belief that Yahoo accounts aren't less secure than other
>email accounts due to any hacking of Yahoo's email service itself.

Probably true.

My big worry is apps and malware stealing my "saved passwords" file
used by various browsers. I'm guilty of using far too many
convenience features that are really security risks. I then multiply
the problem by duplicating these files on multiple computahs.
<http://securityxploded.com/yahoo-password-decryptor.php>

JC Dill

Dec 6, 2012, 12:50:47 PM
On 03/12/12 2:44 PM, Glenn Geller wrote:

> This problem seems to afflict ATT Yahoo Mail users very disproportionately. My
> theory is that there some weakness with the servers at Yahoo or ATT that enables
> the bad actors to compromise accounts by the handful, maybe by stealing
> passwords.

There was a story on NPR yesterday where they mentioned a Chinese
service that guarantees they can break into an email account for $100.
The reporter set up a fake account, said it was his girlfriend's account,
and sent the Chinese firm the $100 payment. What the Chinese firm did was
send an email to his "girlfriend's account" that contained an attractive
link of some sort ("check out this funny video!" or similar) where if
the recipient ("girlfriend") clicked on the link it loaded what looked
like their email webmail login page. The impression the user has is
that the webmail login expired and they need to login again. (E.g. your
Google webmail page, your Yahoo webmail page, your Hotmail webmail
page.) Of course the URL isn't the right URL, but if the page LOOKS
like the page they expect, and they enter their username and password
(the username may be pre-filled using the username/email since the
phisher knows who is logging in by the URL they sent them) and when you
type your password and login it immediately takes you to the content you
expected, you might not even think about what you just did.

If you use webmail this type of phish could be very successful at
tricking you into revealing your email password. All the company needs to
do is figure out a way to make the email "attractive" enough that you
open and click on the link. If they are hacking into an account on
behalf of someone you know (friend, family member, boss) they might send
the email as coming "from them" (your friend or family member etc.) and
that would make you even more likely to open and click on the link.

Once they have your account details, they can delete the phish email
they sent you, erasing their trail. (Of course there are server
records, but you would have to know what happened and ask your mail
provider to look in the server records.)

jc

(null)

Dec 6, 2012, 2:12:40 PM
In article <k9oteh$tvq$1...@dont-email.me>,
David Kaye <sfdavi...@yahoo.com> wrote:
>I still hold to my belief that Yahoo accounts aren't less secure than other
>email accounts due to any hacking of Yahoo's email service itself.

Depends on how you define "account" and "secure". For example, the Yahoo
web client only uses SSL to start a session. Once it's started everything
else is in the clear and vulnerable to say for example a Firesheep
session-jack. On the other hand, the Gmail web client encrypts everything.
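The point in the post above (HTTPS for the login only, plain HTTP afterwards) can be checked from response headers. This is an added example, not part of the original post; the hostnames, cookie names and header values are constructed placeholders, not a capture from Yahoo or any real service.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, response headers) for a login flow that
# uses HTTPS for the password POST and then drops to HTTP for the mailbox.
SAMPLE_FLOW = [
    ("https://login.mail.example/auth", [
        ("Set-Cookie", "SESSION=9f2c; Domain=.mail.example; Path=/; HttpOnly"),
        ("Set-Cookie", "LOGIN_CSRF=ab12; Path=/auth; Secure; HttpOnly"),
        ("Location", "http://web.mail.example/inbox"),
    ]),
    ("http://web.mail.example/inbox", [
        ("Set-Cookie", "PREFS=lang-en; Path=/"),
    ]),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(flow):
    """List the conditions that let a session cookie cross the wire unencrypted."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        header_names = [h.lower() for h, _ in headers]
        for header, value in headers:
            h = header.lower()
            if h == "set-cookie":
                name, attrs = parse_set_cookie(value)
                # Without Secure, the browser also sends the cookie over http://
                if "secure" not in attrs:
                    findings.append(("cookie-without-secure", name, url))
            elif h == "location" and scheme == "https" and value.startswith("http://"):
                # The session leaves TLS right after the password was checked.
                findings.append(("https-to-http-redirect", value, url))
        # HSTS tells the browser never to fall back to plain HTTP for this host.
        if scheme == "https" and "strict-transport-security" not in header_names:
            findings.append(("no-hsts", urlsplit(url).hostname, url))
    return findings


if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```

A flow that sets `Secure` on every cookie, stays on HTTPS and sends `Strict-Transport-Security` produces no findings.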

Bhairitu

Dec 6, 2012, 3:46:06 PM
The account that I use for Yahoo Groups gets spammed and phished a bit.
But I'm wise to that but I suspect non-tech people wouldn't be so
much. I get a kick out of the phishes and how stupid the sender is.
Love to send them off to prison if I had more time.

I get less though of the spam where someone signs up for something using
the email address thinking maybe just entering an email address would
give them access somewhere. Dummies! Annoying but easily deleted as it
went into one junk folder.

David Kaye

Dec 6, 2012, 3:53:33 PM
"(null)" <dl...@sonic.net> wrote

> Depends on how you define "account" and "secure". For example, the Yahoo
> web client only uses SSL to start a session. Once it's started everything
> else is in the clear and vulnerable to say for example a Firesheep
> session-jack. On the other hand, the Gmail web client encrypts everything.

I can only speak from my experience. I have at present 11 Yahoo email
accounts for various purposes, dating back probably to 1995 or 1997. I've
also used Yahoo's Groups (formerly eGroups), which is a mailing list
service. Spam detection is excellent, and none of my accounts have ever
been hacked as far as I can tell. By this I mean that I've always been able
to get in to the accounts and have never had anyone tell me that they got
errant messages from me.



David Kaye

Dec 6, 2012, 3:58:48 PM
"Bhairitu" <nooz...@sbcglobal.net> wrote

> I get a kick out of the phishes and how stupid the sender is. Love to send
> them off to prison if I had more time.

They're purposely stupidified because it's far faster to phish the totally
stupid than to phish the suspicious and waste precious phishing time trying
to reel in a recipient who knows better.

> I get less though of the spam where someone signs up for something using
> the email address thinking maybe just entering an email address would give
> them access somewhere. Dummies! Annoying but easy deleted as it went
> into one junk folder.

I have several Yahoo Groups email lists (music promotion, my games groups,
etc) and I have the list set to require my approval of new joins and also to
moderate email to the group. It doesn't happen much anymore, but I used to
get these suspicious-looking joins and then about a month later those
accounts would try to spam the email list. Not so fast, sonny... I do turn
off the moderation for people who regularly post appropriate stuff, and
haven't suffered any problems doing it that way.



m97...@gmail.com

Dec 7, 2012, 9:56:24 AM
A client’s yahoo account has been repeatedly hacked the past 2 years and several times last month with log-ins from Benin. The reply to address was changed and all email and contacts were deleted. Yahoo restored the contacts but only a month’s worth of messages. Now how it got hacked is a mystery to me.

I upgraded her system in July, installing a solid state drive and making a clean install of Win7. I installed LastPass password manager at that time and changed the yahoo email password to the max 32 characters, using LastPass's generator. The client does not know the password, so she cannot be spoofed/phished as LastPass only populates log-in screens based on the URL. The password has never been keyed in, eliminating key-loggers. So go figure....

By the way, yahoo now offers optional full-time SSL encryption. I happened upon it in the options page. I just enabled it last month so we'll see if it helps. (It is disabled by default unlike Google:)

In addition to the hacks (which have always been the help me, send money type), her contacts were repeatedly treated to spoofed messages with links to various sites last month (no remote log-ins were recorded by yahoo).

FYI there is an article in the June 2012 PC World on this problem.

I see this problem frequently in several yahoo groups I belong to. I have not made a study of the problem, but I cannot recall seeing any hacked messages from other than yahoo accounts.

FYI, these hacks do work. Last year, a different client had a friend whose yahoo account was hacked and a friend (elderly) sent the requested money!!!

Hacking should be a hanging offense...
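The phishing page described earlier in the thread works because a person judges the page by its looks, while a password manager that fills "based on the URL", as this post puts it, compares origins. The sketch below is an added example, not from the original posts and not LastPass's actual matching logic; the saved origin and the test URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Origin the credential was saved for (constructed placeholder).
SAVED = "https://login.mail.example/"

# Constructed page URLs a user might land on after clicking a link.
PAGES = {
    "genuine": "https://login.mail.example/signin?done=inbox",
    "genuine-explicit-port": "https://LOGIN.mail.example:443/signin",
    "lookalike-subdomain": "https://login.mail.example.session-expired.example/signin",
    "userinfo-trick": "https://login.mail.example@session-expired.example/signin",
    "homoglyph": "https://login.m\u0430il.example/signin",  # Cyrillic 'a'
    "http-downgrade": "http://login.mail.example/signin",
}


def origin(url):
    """Reduce a URL to (scheme, host, port); path and userinfo are ignored."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").rstrip(".")  # hostname is already lower-cased
    return scheme, host, u.port or DEFAULT_PORTS.get(scheme)


def should_autofill(saved_url, page_url):
    """Fill only on an exact HTTPS origin match, never on visual similarity."""
    saved, page = origin(saved_url), origin(page_url)
    return page[0] == "https" and bool(page[1]) and saved == page


def decisions(saved=SAVED, pages=PAGES):
    """Map each sample label to the autofill decision for that page."""
    return {label: should_autofill(saved, url) for label, url in pages.items()}


if __name__ == "__main__":
    for label, fill in decisions().items():
        print(f"{label:24} autofill={fill}")
```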

(null)

Dec 7, 2012, 12:46:05 PM
In article <7b3962dc-cff4-483e...@googlegroups.com>,
<m97...@gmail.com> wrote:
>By the way, yahoo now offers optional full-time SSL encryption. I
>happened upon it in the options page. I just enabled it last month so
>we'll see if it helps. (It is disabled by default unlike Google:)

Hm. I don't see this at all in either the YMail (free) options page or the
account information page. Is it available only with upgraded (paid) accounts?

Bhairitu

Dec 7, 2012, 1:25:07 PM
On 12/07/2012 06:56 AM, m97...@gmail.com wrote:
>
> Hacking should be a hanging offense...
>

And instead they get good paying gigs at security companies. Maybe
that's why they hacked in the first place. An Internet vigilante group
might chill them out though.

David Kaye

Dec 7, 2012, 4:50:10 PM
<m97...@gmail.com> wrote

> A client's yahoo account has been repeatedly hacked the past 2 years and
> several times last month with log-ins from Benin.

I hate to ask this, but did you find out what their password was? I mean,
heck, I'm a prolific poster to lots of forums and newsgroups and I've never
been hacked.

Now, I did happen to get a message this morning purporting to be from an
account I use only for a couple dating websites. I'm assuming that somebody
has been screen-scraping addresses and that this is how they got the
address. It was sent to another address I use, but then as I was thinking
about it, I realized that it was probably a pattern matching algorithm being
used, since both say "David Kaye" on them and neither account has any
reference to the other in address books and no messages have been exchanged
between them.





SMS

Dec 7, 2012, 10:27:09 PM
Absolutely. I wonder why it is always Yahoo mail that gets hacked. But
it's not just AT&T Yahoo mail, it's Yahoo mail in general.


m97...@gmail.com

Dec 9, 2012, 8:44:38 PM
On Friday, December 7, 2012 1:50:10 PM UTC-8, David Kaye wrote:
> <m....@gmail.com> wrote
Sorry, whose password?

I know, I have not been hacked or spoofed and have been emailing since before there was a www and the client I mentioned is 81 years old and only posts to a number of yahoo groups and Facebook....

Aside from her 32 random character password and security seal, I have set her yahoo security questions to require nonfactual answers (example: In what city were you born? Answer: North Pole). This prevents hackers from gleaning answers from social networks, emails, etc.

David Kaye

Dec 10, 2012, 2:06:06 AM
<m97...@gmail.com> wrote

> Sorry, whose password?

Oh, I was just curious if your customer's password was at fault for being
too easy to guess.

> Aside from her 32 random character password and security seal, I have set
> her yahoo security questions to require nonfactual answers (example In what
> city were you born? Answer: North Pole) This prevents hackers from gleaning
> answers from social networks, emails, etc..

Oh, okay. I'm very curious about how the account sharing thing works; for
instance, some news websites allow people to post comments, but they use
accounts from other places such as F*cebook, Yahoo, etc. I'm wondering what
happens if a person logs into their, say, Yahoo account, posts, and then
goes elsewhere to do something else. Does the Yahoo account stay open? Can
the news site, say the Mercury News or whatever, gain access to the 3rd
party account? I'm not very trusting in this, so immediately after making a
public comment I go to my Yahoo account and formally log out of it.

Does anybody know how this posting thing works? Is the account information
being passed to the news site or is it protected somehow and just linked?



Kevin McMurtrie

Dec 11, 2012, 12:16:00 PM
In article <b214f3ab-6507-4bdd...@googlegroups.com>,
Yahoo (like Google) doesn't have anyone to contact to report abuse.
They ask you to fill out machine-validated forms that can't be completed
for most incidents. They both rely on machine algorithms to detect
abuse and quarantine accounts. Google's sometimes works but it takes
them a long time to fix it when it doesn't. Yahoo's seems to be mostly
broken. The result is that Yahoo has more live hackers and spammers
trying to inflict more damage.

I reject all e-mail with a Yahoo return address and most of Yahoo's
servers are firewalled at my router. It no longer bothers me that Yahoo
is full of hackers and spammers.
--
I will not see posts from Google because I must filter them as spam

David Kaye

Dec 11, 2012, 4:09:26 PM
"Kevin McMurtrie" <mcmu...@pixelmemory.us> wrote

> I reject all e-mail with a Yahoo return address and most of Yahoo's
> servers are firewalled at my router. It no longer bothers me that Yahoo
> is full of hackers and spammers.

I guess you'll never see an email from me, then. I use Yahoo's mail nearly
exclusively.


