back to article Yahoo! webmail! hijacks! are! back!...

Yahoo! has blamed cross-site scripting security bugs, which it claims to have squashed, for a recent upsurge in webmail account takeovers. Over the last few days several Reg readers have been in touch to complain that their Yahoo! webmail accounts have been hijacked or to point us towards complaints on various support forums …


This topic is closed for new posts.
  1. Alan J. Wylie

    Definitely something odd going on

    I've seen three different accounts compromised in the past few days: two members of a caving club, one member of a mountaineering organisation. No mobile app or Apple hardware involved in at least one of them. I'm wondering whether being a member of a Yahoo! group might be a common factor.

    1. Ilsa Loving

      Re: Definitely something odd going on

      "I'm wondering whether being a member of Yahoo!."


      At this point Yahoo is working on enertia. It's been a very long time since they've done anything newsworthy (besides failing miserably).

      I wouldn't trust them with my old left sock, nevermind something important like email.

    2. Anonymous Coward
      Anonymous Coward

      Re: Definitely something odd going on

      It happened to one of my Yahoo accounts too, without any Apple device or mobile app. Yahoo then put in place a lock on my account requiring me to answer some security question I've never setup myself. When I contacted their support, they required me to provide a non-Yahoo mail address where they will send me a link for a password reset. I pointed to them that this will not prove in any way that I'm the legitimate owner of the account and never heard from them again since. Luckily it was one of my least important Yahoo accounts.

      1. JCitizen

        Re: Definitely something odd going on

        I think one of my friends accounts was compromised, and he was so disgusted he quit Yahoo!. Only problem was I'm still getting the spam from that compromise! Microsoft is slowly adjusting the filters to block it out. But wadda pain in the @ss!

    3. leexgx

      Re: Definitely something odd going on

      my sister and an customer from over the road start spam emailing me as well

      funny thing is my 2 yahoo accounts seem ok, no odd logins but i do have 2 factor login turned for them account, but yahoo 2 factor login does not apply to email (imap,pop3) or yahoo messenger, so i should not be protected from this (as accounts are just been accessed and spam is been sent out, it reads all mail folders and spams all of them, no other action on the account is taking affect)

  2. Ian McNee


    ...and we're getting a sh*t-load of spam from these compromised accounts. Yahoo quality strikes again! Kapoweeeeee!!!!

    1. Wzrd1

      Re: Yep...

      The security patching at Yahoo was performed by a telecommuter that hadn't logged onto the VPN in three years.

  3. Captain DaFt

    They don't even mention the Phishing

    I have a yahoo account as a throw away email address, and it periodically gets hammered with phishing emails screaming "YOUR ACCOUNT WILL BE DELETED IN 30 DAYS IF YOU DON'T RESPOND NOW".

    Most end up in the spam folder, but occasionally one makes it to the inbox.

    They look legit, since yahoo helpfully sends out a template periodically in the form of a "New services we're offering" internal spam.

    The link address is the give away, but if you're using the mobile site, or their app, there's no way to check that.

    Fortunately, it's still easy to tell they're fake since Yahoo *never* warns you when they delete an account, they just do it... no recourse, no appeal.

    C'mon, Yahoo!, you mean to tell me you have no way to detect emails that claim to be from you, but aren't? Shoddy.

    1. Anonymous Coward
      Anonymous Coward

      Re: They don't even mention the Phishing

      Yeah its feeble! For me Hotmail is tied to Yahoo for worse offender in not filtering messages purporting to be from them! Google is definitely the leader is this regard IMHO.

      But all three are massive targets for both Spam and Hacking and I've been thinking the proliferation of these attacks, means its time to get off well known domain names. They're just magnets to hackers....

  4. Mr_Pitiful

    I've been seeing the spam all week

    All coming from compromised accounts overseas

    I've even advised some off them by phone to change their passwords

    Well at least we never click on stupid links!

    Icon - Yahoo!

  5. Anonymous Coward
    Anonymous Coward

    I've had a Yahoo account since they began offering them....yeah, that long. It's not a primary account but does have it's uses once in a while. Problem is, they've changed the interface to something horrible, with no option of returning back, and there is no guarantee that you will receive or be able to send emails. I've sent emails before, it's told me it was sent, but never showed up in the SENT folder and never arrived at it's destination.

    There are others, but it comes down to a choice of the lesser of the many evils. I shudder to think of using MicroSoft, but they are looking better and better.

    1. Mr_Pitiful



    2. Anonymous Coward
      Anonymous Coward

      The new Hotmail (or Outlook as they like to call it) isn't bad, very clean and simple interface. A lot nicer than Hotmail of old.

    3. Anonymous Coward
      Anonymous Coward

      go back to Classic mail

      Classic works, glitch-free. Not pretty but it works. You can change the colours, that's about the only customisation.

      This is the only way to do it (they killed the back-to-classic links ages ago)

      * change your screen resolution to the worst possible

      * open Mail

      * it will complain your browser can't handle the new one , so offer you a chance to go to the "previous version"

      * choose the "permanently" option

      * once the mail is open, set screen res back to your preference

      Bookmark it and use the bookmark to open mail, otherwise occasionally it might give you the new one again

  6. Anonymous Coward

    That's why I only use Y! Mail as a backup

    I only use Yahoo! Mail as a backup Email account because sites I sign up to feel the need to constantly send me updates about their latest product or send me newsletter.

    I'd like to see a hacker make use of a Sky newsletter.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's why I only use Y! Mail as a backup

      Go into My Account and UNTICK all the default "yes please send me junk mail daily" options.


      They do actually honour that one.

  7. Anonymous Coward
    Anonymous Coward

    Simplify web tools so code is decidable otherwise the future is for hackers!

    SQL Injection attacks and cross site scripting attacks.... It boggles the mind how these have been so easily exploited for so long. Once people get comfortable with writing code for different browsers and different versions of browsers the whole playing field changes again. Even when coding standards work for cross-compatibility there's always bugs, and it takes painstaking prototyping to weed these out, until yet again the standards and versions change and we start all over again.

    So over time more and more glue has been added to the web. All of this has led to a perfectly wonderful multi-tier multi-vendor Swiss cheese. I relish the days when you could just write an app and be confident it would work as expected without dealing with complex security holes.

    If we only had a simple toolkit that truly worked across different devices, OS's, and all browsers... We need to go back to something simple. Something that is decidable, something that can be predicted easily. Otherwise security (never mind simple UI) is going to become more and more problematic just to provide simple email or basic social-networking services.

    Otherwise the future is going to be Christmas everyday for hackers.

    1. Dan 55 Silver badge

      "a simple toolkit that truly worked across different devices, OS's, and all browsers..."

      Oracle bought one a couple of years ago.

  8. Anonymous Coward
    Anonymous Coward

    Christ having a Yahoo, hotmail or Google account is like having a target painted on your back!!

    Christ having a Yahoo, hotmail or Google account is like having a target painted on your back!!

    1. Elmer Phud

      Re: Christ having a Yahoo, hotmail or Google account is like having a target painted on your back!!

      O.K., I've got all three and have only experienced the Hotmail address book heist so far.

      It sent mail to people on very old addresses - all I got was mainly a load of 'undeliverables' , though the usual 'sky is falling in, you bastard sent me something dodgy' was received from one person who hasn't a clue about how these things work.

      The Y!a!ho!o! accounts (several) are from BT days.

      I did get an email from a friend who never sends anything out from their Yahoo account - it seems very similar to the Hotmail hack.

      Someone else actually clicked on the link from the bogus Yahoo mail - no 'virus' found but a toolbar was winkled out.

      Target -- those who brag loudly about others having targets are usually the more unwary - fanboi?

  9. Anonymous Coward
    Anonymous Coward

    A lot is not right with BTYahoo! response

    BT are dragging their heels on responding to this latest BTYahoo! webmail problem. No surprise there then.

    1. They have still not yet admitted that there is anything wrong via their status portals - the status pages and Usenet announce groups make no mention of the issue at all.

    2. Staff responses on customer BTCare Community forum are few and far between and so far, they are blaming the customer (flor clicking on dodgy weblinks or using smart phones and wifi) rather than the BTYahoo! mail system. It looks like there is a management information lock down in place. As usual.

    3. Outsourced overseas telephone customer helpdesk staff as usual, appear not to have a clue about the issue or the scale of the problem - so the average customer with an email problem is being given very little useful help or preventitive advice.

    4. Several affected customers report that although they can change account passwords, the online system for changing their "security questions" will not let them enter, complaining of wrong username or passwords, or simply throwing up browser security certificate warnings. BT have made NO response to this.

    5. The BT forum restriction on "troublemakers" (those with valid privacy concerns) is still being enforced rigidly - even if those "troublemakers" are returning to the forums with sensible helpful observations and diagnostic suggestions. I know - I'm one of them - with a forum ban dating back to the days when I made "repetitive privacy complaints" as a consequence of BT were making "repetitive privacy breaches" and covertly and illegally intercepting communicatioins in partnership with Phorm. They don't seem to have learned much about customer relations and PR in the intervening four years.

    I seriously recommend anyone with a BTYahoo! or Yahoo! account who cares about the integrity of their email to, at the very least,

    1. Convert all their accounts to forward mail to a third party so that the webmail interface remains empty.

    If you can't do that - stop using webmail for reading and storing your mail and contacts, and switch to a pop3/smtp client such as Thunderbird or MSOutlook, and regularly empty the webmail Trash folder manually - probably at least once or twice a day. (Yahoo recently altered the system so that popped mail got duplicated into the webmail Trash folder rather than deleted - making it susceptible to harvesting by webmal account hackers - nice one Yahoo!)

    I'm serious - BTYahoo!/Yahoo! webmail simply can't be trusted any more. They will tell you its fixed, and then the next batch of hackers will break it open. It's been leaking for months.

    2. Empty out your online contact address book. Don't store contacts online with Yahoo! Unless you want them harvested by hackers and sent malicious spam/trojans.

    3. Empty out all webmail email folders, including the spam and trash folders and keep them empty by forwarding mail to a third party address. Don't store email messages online with Yahoo! unless you want the sender/recipients to have their addresses harvested by hackers/spammers.

    4. Remove details of any extra email accounts that can be used to "send" from each BTY account, and cut to a bare minimum, the number of addresses that BT can use to contact you on for each email account. Because those can be harvested by the webmail hackers too.

    Best of all - abandon BTYahoo! email services completely and move to a professional secure email provider, preferably one who keeps their scanning corporate eyes off the content of your mail while it passes through their servers.

    1. Anonymous Coward
      Anonymous Coward

      Re: A lot is not right with BTYahoo! response

      Some more:

      Go into account info to see your sign in history, have you signed in from somewhere strange? Unfortunately it doesn't show failed sign ins so you don't know if your account is under attack, just that it's already too late (change password, hope for the best).

      If you use IMAP you get full control over all the folders, there's no need to go back into webmail to delete the trash.

      POP3/IMAP/Messenger/Mobile interfaces don't do two-factor authentication so your main password is always under attack. Correct Horse Battery Staple.

      Webmail does do two-factor authentication if you set it up, but if you clicked on a link from a contact you've probably already been hijacked.

      If you're using Yahoo mail instead of BT Yahoo mail you could set up a second Yahoo mail address. Sign into the Yahoo ID but never send e-mail from it, instead send and receive all e-mail from the second mail address. You can never use the second e-mail address to sign in so the address that everyone sees cannot be used to actually sign into your Yahoo ID. But this won't work if you click on a dodgy link in Webmail. Also if you've already got a Yahoo ID it's probably too late to set up and if you're new to Yahoo the chances of you knowing how to set this up are slim.

  10. This post has been deleted by its author

  11. John Tserkezis

    In the last WEEK?!

    I've been seeing this for the last month or so.

    Or was that unrelated?

    Perhaps we need (along with Java) The Vuln of the Day article...

  12. Charles Manning

    This is caused by telecommuting

    Marissa is right to stamp out telecommuting.


    1. Elmer Phud

      Re: This is caused by telecommuting

      Is telecottaging O.K.?

  13. Pomgolian

    Staying signed in

    There was an outbreak of this sort of nonsense with the yahoo/xtra email service down here in NZ last month.

    The advice here was that it was a cookie stealing vulnerability, which affected those who had the "stay signed in" option set when they signed in to their webmail. Clear your browser cookies and don't check that option.

  14. Mike Echo

    Bye bye Yahoo

    I was getting heaps of these dodgy emails and while I didn't click on the link, I visited the website (top level, then second level) by entering the url manually. I just got curious is all, but it was definitely a momentary lapse of reason, as my yahoo address then sent out some of the same stuff. That will learn me for being cocky and thinking I was too clever to fall for this shi*t.

    Anyway, I have since removed my Yahoo account and also deleted *anything* that required a Yahoo login (eg flickr, Yahoo Answers, etc). I should have done this ages ago, Yahoo is just problematic and not worth the aggravation.

  15. mickey mouse the fith

    Spam spam spam etc.....

    Im getting loads of spam from yahoo accounts of people i had dealings with years ago but havnt contacted since. Looks like their entire address books are in the cc field as well. All the spamy links point to servers in Thailand (i didnt click any of the quite frankly dodgy looking links, just googled em). Weirdly, some point to thai property developers, wonder if their servers have been compromised or they are participating in this sordid little mailshot?

    As an aside, I think i got a yahoo account when i signed up with bt, never even logged into it once, in fact i dont even remember the login details. It could have been pumping out spam for years for all i know.

  16. psychonaut

    Agreed. I run a home/small business it company and ive had 10 customers hit last week. Just sends spam out. Single line url to all contacts.

    1. mickey mouse the fith

      "Agreed. I run a home/small business it company and ive had 10 customers hit last week. Just sends spam out. Single line url to all contacts."

      Weird thing is, apart from the link, everything else in the email is gibberish, a few paragraphs of sydfgbhjjuytf or suchlike. Must be the worst bot ever.

  17. Anonymous IV

    Same problem as psychonaut, but only with compromised accounts, with the person's name as the subject.

    The other variant is the url, with the person's name, again, and an American-format date and time beneath.

    Until the spam furore dies down I'm just quarantining *

  18. David Flanders

    Happened to Mrs

    Login happened in/from Turkey and one of the URLs sent out was to a location in Turkey as well

  19. Paul Rawdon

    Hacked in New Zealand too

    This hacking attack is similar or the same as what happened to NZ Telecom's xtra email accounts where a few thousand email accounts were broken into.

  20. Anonymous Coward
    Anonymous Coward

    never use Yahoo on other sites

    eg for logging in to some news site you want to comment on. Either don't comment, or go to the trouble of signing up with them directly.

    If you try to sign in with Yahoo, many sites will ask Yahoo for access to your address is there in tiny tiny invisible writing that you are agreeing to this. And Yahoo GIVES it to them. So they don't need to hack you at all to get your whole contacts list.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019