(IMPORTANT: Before I get to my story, if your Yahoo! email has been hacked I recommend that you immediately change your password, update your security questions and ensure your Yahoo! Mobile and Y! Messenger are both up-to-date. You should also visit Yahoo! Email Abuse Help and use this process if you are unable to log in to your Yahoo! account. Also, make sure to read the comments on this post since there is a tremendous amount of good information there as well.)
(UPDATE 12/13/11: Yahoo has introduced second sign-in verification as an added security measure. It will require that you add a mobile phone number and verify it via a text message. Here’s the direct link to start using second sign-in verification.)
It happened just before we arrived at the San Francisco Zoo. We were at a red light on Sloat Boulevard when my phone started to vibrate.
Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz. Buzz.
Had the rapture come a day late? No. I was getting undeliverable messages. Lots of them. My Yahoo email had been hacked!
Here are the two important lessons I learned as a result.
I Have Good Friends
I didn’t want our day at the Zoo ruined, me staring into my phone resetting passwords and figuring out what happened. So I put the problem on the back burner and proceeded to have a fun family day.
But I did take time to quickly tap out a response to people who replied to the spam coming from my hijacked account. Why? Because they took the time and effort to give me a heads up that I had a problem. These were good people. Good friends.
The thing is, I’d gotten a number of these same emails lately from other hacked Yahoo accounts. I figured these people knew they’d been compromised and I didn’t need to respond. With the shoe on the other foot, I realized those emails were comforting even though I was well aware of the problem.
I’ll shoot off an email the next time I get a hacked email from someone.
Yahoo Email Security Failed
The odds are that I will get another one of those emails because I learned just how easy Yahoo makes it for hackers.
Upon getting home I went about securing my account. On a lark, I checked Yahoo’s ‘View your recent login activity’ link.
Sure enough, at 10:03 AM my account was accessed from Romania. This obvious login anomaly didn’t set off any alarms? Shouldn’t my security questions have been presented in this scenario? I have never logged in from Romania before.
I’ve never logged in from outside the US. Yahoo knows this. In fact, Yahoo knows quite a bit about my location.
My locations put me in three states: California, New York and Pennsylvania. I also have location history turned on, so it’s not just my own manually saved locations (some of which are ancient), but Yahoo’s automated location technology keeping track of me.
Do you see Romania in this list? I don’t.
Why is Yahoo making it this easy for spammers to hijack accounts? Make them work a little bit! At a minimum, make them spoof their location.
Yahoo should have noted this anomaly and used my security questions to validate identity. I still would have had to change my password (which wasn’t that bad) but I would have avoided those embarrassing emails.
A simple rule set could have been applied here where users are asked to validate identity if the login (even a successful one) is outside of a 500-mile radius of any prior location.
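One way to implement that rule, as an added example that is not the post's or Yahoo's code: it assumes each login has already been geolocated to a latitude/longitude pair from its source IP, and the location history and login coordinates below are constructed sample values.

```python
"""Geo-distance login step-up rule (added example, not Yahoo's code).

Assumes each login record carries a (latitude, longitude) pair resolved from
its source IP; all coordinates below are constructed sample values.
"""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def nearest_known_miles(login, known_locations):
    """Distance from the login to the closest location in the user's history."""
    return min(haversine_miles(login, k) for k in known_locations)


def requires_step_up(login, known_locations, radius_miles=500):
    """True when the login is farther than radius_miles from every prior location.

    With no history at all there is nothing to compare against, so the rule
    errs on the side of asking for verification.
    """
    if not known_locations:
        return True
    return nearest_known_miles(login, known_locations) > radius_miles


# Constructed sample history: roughly San Francisco, New York City, Philadelphia.
KNOWN_LOCATIONS = [(37.77, -122.42), (40.71, -74.01), (39.95, -75.17)]

# Constructed sample logins: two inside the user's usual area, one in Romania.
LOGINS = {
    "philadelphia": (39.95, -75.17),
    "san_jose": (37.34, -121.89),
    "bucharest": (44.43, 26.10),
}

if __name__ == "__main__":
    for name, coords in LOGINS.items():
        miles = nearest_known_miles(coords, KNOWN_LOCATIONS)
        flag = requires_step_up(coords, KNOWN_LOCATIONS)
        print(f"{name}: {miles:.0f} mi from nearest known location, step-up={flag}")
```

IP geolocation is coarse and travel or VPN use will trip the rule, which is why a match should trigger a secondary check (security questions, a code sent to a verified phone) rather than an outright block.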
I’ve had a Yahoo account for over 10 years without a problem, even as I moved my business accounts over to Gmail.
Yesterday I thanked those friends who had my back. Unfortunately, Yahoo wasn’t one of them.