I’ve worked in computers since 1967 and all types on the PC since 1985.
There’s a problem out there and it is not being looked at. Yahoo mail is being
hacked and Yahoo is not doing anything about it except blaming the user. My big
mistake was when I paid for it and lost my email and Yahoo will not talk to me
about it. I know a lot of people where their Yahoo email has been hacked and
unless they have a keystroke virus, there is no way it’s from their computer. If
there was a keystroke virus, there would be other problems like credit cards and
bank accounts. I see you have a number of followers.Maybe Yahoo would take a
good look at the problem.
In this excerpt from
Answercast #26, I look at the way that companies like Yahoo manage their
servers and the role of the individual in keeping their accounts safe.
]]>
Yahoo at fault?
Unfortunately, you’re not going to like my answer. I’m actually with Yahoo on this one and let me explain why that is.
I’ve been doing this for a really long time and in my experience, people are very, very quick to blame the service provider for various problems.
They will often claim that Hotmail must have been hacked because, “There’s absolutely nothing I could possibly have done wrong that would have caused my password or my account to be hacked!” Where in fact, Hotmail was not hacked.
Probably not hacked…
I’m going to claim that this same thing is going on here.
Even though you may not be able to think of exactly how your account could possibly have been hacked through anything other than something on the Yahoo side… the most likely scenario is:
-
That nothing is wrong on the Yahoo side.
-
That they are still doing everything properly
-
And that there has not been a breach or security issue at their side.
It’s still more likely, much more likely, that individuals are getting their accounts hacked through individual means.
That can be any number of a series of things.
Of course, as you mentioned, it could be a keystroke logger. I don’t think that having a keystroke logger would necessarily imply that there would be identity theft. It depends on what the hacker is attempting to cull from the keystroke logging.
Easy-to-crack passwords
Even without keystroke logging, I’m going to say that there are other approaches that could just as easily cause an account to be hacked:
-
Things like poor password choices.
-
Things like poor security question choices.
-
Things like using a laptop on an open Wi-Fi connection without using encryption (for example, at your local Starbucks.)
There are simply too many ways that individual accounts can get compromised.
Proper security
Now, to be honest, and to be completely fair: there is too much that the average user needs to keep in mind for them not to be hacked.
It’s hard. There are just so many things:
-
Maintaining a good password that you’ll remember, but that won’t be easily guessable, is not an easy thing to do.
-
Setting up proper security for your trip to Starbucks when you’re going to use their free Wi-Fi; is an easy thing to overlook.
-
Setting up proper security account questions, secret questions, and so forth is a hard thing to do because it’s often in an easy thing for others to guess.
You may know where I was born or you may know what I high school went to and thus what the mascot was. There are just many, many ways for individuals to get things just wrong enough for a hacker to sneak in and steal their account.
Not to mention things like falling for a phishing attempt, which is (at least on the Hotmail side) perhaps the single most common approach.
Hacked accounts
I have to side with Yahoo on this. There is very likely nothing at all going on that they can do anything about.
In general, the number of account hacks that I hear about every day (where people are coming to me) are accounts that have been hacked:
-
Not because there’s been some massive breach at the other end.
-
Or because there’s an issue at the other end.
-
It usually boils down to something that was overlooked by the end user.
Calling Yahoo
I appreciate that you believe Yahoo would listen to me. I know for a fact that they don’t.
There are just too many of us out here who would love to influence Yahoo, or Hotmail, or Gmail, in some way. We just don’t have that kind of clout… but this is a case where I really don’t have anything to take to them.
I really, honestly believe that the vast majority of hacks, I’ll easily say 999 times out of 1000, is user error or user omission.
Next from Answercast 26 – When does installing a hard drive into an external enclosure make sense?
It would be great to see them, just as so many other leading companies in their respective verticals are doing by giving us the perfect balance between security and user experience and moving to the use of 2FA (two-factor authentication) whether mobile or other, as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. These organizations need to be made to increase security, and only way that will happen is if we as a user voice our opinion or find a provider that will offer the security.
18-Jun-2012
Sorry, I have to disagree. A minority of my friends are on Yahoo mail but in the last couple of years all the email I get from hacked accounts — all of it — has been from Yahoo. Most of my contacts are on Gmail, yet I see no spam from hacked Gmail accounts. Either all my Yahoo friends are terrible at choosing passwords and everyone else is great at it, or Gmail makes it tougher to hack their accounts; if the latter and Gmail can do it then Yahoo can too.
I agree that weak password are most likely to blame but I don’t think it’s right to put all security responsibility on your users. It’s on the email provider to implement features to prevent brute-force password attacks.