I am someone who practices pretty decent technical security hygiene, but I had my Yahoo account hacked this week (despite using two factor identification). This post focuses on sharing what I did to deal with the attack, what I think went wrong and some steps and resources you can use for security.
Summary of attack…
The attacker logged in at 4:57PM PST and sent off 28 emails to about 5 recipients in each email from 4:58PM to 5:05PM. I learned about the attack from a friend at 5:08PM and logged in and changed my password at 5:10PM. The attacker appeared to pull email addresses from my account (I’m guessing from my contacts and sent file folders) to use in the spam emails.
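The burst described above (28 messages in about seven minutes, from a source address that was not the owner's) is the kind of pattern a mailbox provider or a self-hosted mail server can flag automatically. The following is an added example, not code from the original post or from Yahoo: it builds a constructed sent-mail log shaped like the incident (timestamps, source IPs and recipient counts are all made up, using documentation-range addresses) and runs a simple sliding-window burst detector plus an unknown-source check over it.

```python
from datetime import datetime, timedelta

HOME_IP = "203.0.113.7"        # constructed: the owner's usual source address
ATTACKER_IP = "198.51.100.23"  # constructed: documentation-range address, not a real indicator


def constructed_sample():
    """Sent-mail log lines 'timestamp|source_ip|recipient_count', shaped like the incident:
    two normal sends earlier in the day, then 28 messages in seven minutes from a new address."""
    lines = [
        "2013-01-10T09:12:40|203.0.113.7|1",
        "2013-01-10T13:45:03|203.0.113.7|2",
    ]
    start = datetime(2013, 1, 10, 16, 58)
    for i in range(28):
        ts = start + timedelta(seconds=i * 15)  # 28 sends spread over roughly 7 minutes
        lines.append(f"{ts.isoformat(timespec='seconds')}|{ATTACKER_IP}|5")
    return lines


def parse(lines):
    """Turn log lines into (datetime, ip, recipient_count) tuples."""
    events = []
    for line in lines:
        ts, ip, n = line.strip().split("|")
        events.append((datetime.fromisoformat(ts), ip, int(n)))
    return events


def send_bursts(lines, window=timedelta(minutes=10), threshold=10):
    """Sliding-window detector: once `threshold` messages fall inside `window`,
    open a burst record and extend it until the rate drops again."""
    events = sorted(parse(lines))
    bursts, current, j = [], None, 0
    for i, (ts, ip, n) in enumerate(events):
        while events[j][0] < ts - window:  # slide the window's left edge forward
            j += 1
        in_window = events[j:i + 1]
        if len(in_window) >= threshold:
            if current is None:
                current = {
                    "start": in_window[0][0],
                    "end": ts,
                    "messages": len(in_window),
                    "recipients": sum(e[2] for e in in_window),
                    "ips": {e[1] for e in in_window},
                }
            else:
                current["end"] = ts
                current["messages"] += 1
                current["recipients"] += n
                current["ips"].add(ip)
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts


def unknown_sources(lines, known_ips):
    """Source addresses in the log that are not in the owner's known set."""
    return {ip for _, ip, _ in parse(lines) if ip not in known_ips}


if __name__ == "__main__":
    sample = constructed_sample()
    for b in send_bursts(sample):
        print(f"burst {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['messages']} messages to {b['recipients']} recipients from {sorted(b['ips'])}")
    print("unknown source IPs:", sorted(unknown_sources(sample, {HOME_IP})))
```

The two checks are deliberately independent: a burst from the owner's own address might be a legitimate mail-out, and a single message from a new address might be travel, but a burst from a never-seen address is the combination worth alerting on.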
Having someone access the account like that left me feeling completely violated. I’ve seen many friends and family get hacked and when it happened to me, I was left thinking what do I do now, where did the attacker get in from and what else was compromised. I thought a number of other things too, but those are a little off topic for this post.
What I did to deal with the attack…
- Password: Immediately I logged into my account and changed my password. Thankfully it hadn’t been changed. I highly recommend that you use as long a password as you can get away with because that is going to be your best password defense. To be clear, I don’t mean 6 characters. I mean over 15.
- Two Factor Identification: I checked whether two factor/second sign-in identification was still on for the email account. It is a pain to use, but I can’t recommend enough implementing it on any site that allows you to use it. Two factor is basically a way for sites to provide extra security by requiring another form of identity verification in addition to a password. Usually a site will text a code to your mobile that you have to enter into the site before they grant access.
- Router: I reset the home wireless router. Since I didn’t know where the attack came from, I was concerned someone had hacked the router and was sniffing data off it and/or there was malicious software on my computer. So I got hold of a secondary computer that I hadn’t logged into my Yahoo account with and plugged it directly into the router with a LAN cable. After pressing the reset button on it, I updated the router’s software. I set the router so it was hidden from broadcasting its name (disabled SSID broadcast). The reset also required that I reset the router id and password.
- Research: I researched with my phone while the router was restarting to find a couple of sources that recommend what to do in this situation.
- OS (Operating System): I updated my Mac’s OS which is your best defense on resolving security weaknesses. I also made sure any other devices in the house had updated OS.
- Antivirus & Anti-spyware Software: I loaded and ran virus checking software on my Mac. I found a free software called ClamXav. I found it through a quick search and can’t say whether it’s better or the best or even a good idea. I’ve also read all the literature about how the Mac does not get viruses, and it makes attacks very difficult. At the time I just wanted to check the computer for any viruses for my peace of mind and nothing is 100% foolproof. Plus third-party software and applications on the computer are not always as secure as Mac software.
- Yahoo Mail Security: I went back into Yahoo and made sure the security questions hadn’t been changed (attackers tend to do this to get back in later) and that two factor sign-in would only use my mobile phone to verify my login. I also changed the sign-in settings to automatically log out any open sessions every day, and set it so I can only get help for when I forget passwords through my cell phone. Additionally, I checked to make sure no changes were made to my personal information like any unknown phone numbers or email addresses added to my account. Attackers sometimes change the personal information to their own. Last I de-authorized apps that were granted access to the Yahoo mail. All this can be found under Account Info or Mail Options which are in a drop down list under the gear image in the top right of a Yahoo mail screen.
- Yahoo / Contact ISP: I called and emailed Yahoo to alert them to the hack. It took about 20 to 30 minutes to get someone on the phone. The customer service rep had difficulty recommending how to deal with the issue and was very unsure about her answers to my questions. After I asked multiple times in different ways, she did confirm that the attacker would definitely be logged out after I had reset my password (I had originally asked if they could force a logout across the board of anyone in the account, but it wasn’t something she said she could initiate from her side). When I asked to get information on what the attacker accessed, she told me to file a police report and fax it to Yahoo legal to get that information. There was a list of the most recent login attempts that I found under my account information. That is where I was able to find out when the attacker logged in and their ISP address. But it did not show what the attacker looked at and it’s unfortunate that I would need a police report to get that information.
- Other Account Security: I logged into my most sensitive accounts (mostly financial) to confirm I had changed all my email addresses away from Yahoo, and that I had the tightest security in place on them. Note, you have to be careful with any accounts you have linked to your email that have emailed you passwords (some actually do that) and/or send you password change notices. If any of that was floating around in my email it was fair game. I went through the rest of my accounts to check if I had reused something similar to my previous Yahoo password and changed them where necessary. I had already started using different passwords for different accounts. Still I (like many) was lazy about it at times and it’s hard to keep track of all those passwords.
- Warning Email: The 28 spam messages were in my sent box so I was able to see who received the email. Using Gmail, I sent an email to all those contacts warning them about the spam and letting them know I would no longer use Yahoo to email them.
After all that, I finally logged out of all my accounts and got some rest. The next day I logged into Yahoo a couple of times to check the log files and make sure no further strange activity was occurring.
What I did probably seems like overkill to some, but I had been using two factor and this was my first experience getting hacked (that I was aware of); thus, I really didn’t know where the weakness was and I needed overkill.
What I think went wrong…
Thankfully my mentor helped me narrow down where I think the attack came from: my Yahoo SSL (Secure Sockets Layer) setting was not automatically turned on. I had thought it was, but for some reason, that is not a required setting on Yahoo. SSL is a way of managing the security of a message transmission on the Internet. Typically you see that you are using it with HTTPS in the browser address bar.
So here’s what I think happened (can’t completely prove it but seems like the best answer now). I worked out of a coffee shop the other day, and accessed the shop’s open wireless. Granted this can be dangerous anyway for so many reasons, and I typically don’t do it. When I do, I usually log out of my sensitive accounts (like email and definitely financial) as well as turn off any apps (outside the browser) that were automatically running updates (Dropbox or Evernote).
Still I am one of those who will have a zillion browser windows and tabs open. So I think I left a Yahoo session open somewhere in my tabs, and it automatically checks for updates. When it did, someone may have been sniffing that router (using a software tool that captures data passing through it), and picked up my Yahoo session token. At that point they could have used it to access my account until I changed the password.
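What makes the scenario above possible is a session cookie that the browser is willing to send over plain HTTP; the fix on the site side is the cookie's `Secure` attribute (and `HttpOnly` keeps it out of reach of page scripts). The following is an added example, not code from the post or from Yahoo: it parses `Set-Cookie` headers, audits them for those two attributes, and applies the browser's rule for whether a given cookie would be transmitted on a given URL. The header values are constructed, and `mail.example.com` is a placeholder host.

```python
from urllib.parse import urlsplit

# Constructed headers: the first is what a site that does not force SSL might set,
# the second is the hardened form. The token value is made up.
WEAK_COOKIE = "SESSION=abc123def456; Path=/; Domain=mail.example.com; HttpOnly"
HARDENED_COOKIE = "SESSION=abc123def456; Path=/; Domain=mail.example.com; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for the attributes a session cookie should carry."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send it over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    return name, findings


def would_be_sent(header, url):
    """Browser rule for the Secure attribute: a Secure cookie goes only on https:// requests;
    a cookie without it is sent on both http:// and https:// (domain/path scope aside)."""
    _, _, attrs = parse_set_cookie(header)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return False
    if "secure" in attrs and scheme != "https":
        return False
    return True


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        name, findings = audit_cookie(header)
        print(f"{label}: {name} -> {findings or 'ok'}")
        for url in ("http://mail.example.com/check", "https://mail.example.com/check"):
            print(f"  sent on {url}? {would_be_sent(header, url)}")
```

The point the audit makes concrete: with the weak header, a background tab polling `http://mail.example.com/check` carries the session token in the clear, which is exactly the exposure the post describes; with the `Secure` attribute the same poll over HTTP carries no token at all, so there is nothing for a passive observer on the network to pick up.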
What you can do…
I’m going to list a few things you can do (beyond what I mentioned above) and resources you can use to help with security. Note, there are many other resources you can research online that can provide help. You don’t have to do everything that is recommended here. Do what works best for you and just know that no security setup is perfect.
- If you are still using Yahoo, go into Mail Options and make sure that SSL is turned on and take any of the steps that I mentioned above regarding changing your Yahoo settings.
- Make sure your computer has a firewall that is turned on and antivirus software (esp. if it’s not a Mac). Make sure that it doesn’t accept bluetooth connections that you are not aware of and that you are backing up your data.
- Load and use HTTPS Everywhere with Firefox and Chrome. EFF (Electronic Frontier Foundation) provides the plugin to help encrypt your communications with many major websites, making your browsing more secure. It basically pushes for the site to use SSL if it’s available on a website. It is not perfect because it apparently didn’t get Yahoo to switch to SSL, but on the whole it is a good plugin to have to improve your security.
- Secure your wireless router. There are several sites out there that give you information on how to secure it like this site. There is a debate about how useful it is to turn off SSID (service set identifier) broadcast. I subscribe to the perspective of why make it easier for people to find it; thus, I stopped it from being broadcast. Also, I highly recommend changing the name of your wireless router (SSID) to something that is unique. It shows you are not a novice.
- Consider using a VPN (Virtual Private Network) when logging into a wireless connection that you are unsure of.
- And if you get hacked, this is the site I used to help give me guidance on some of the steps I took when addressing the hack. There are many other resources online that can help.
Really we can only be so secure especially with how sophisticated technology is getting. Take some steps to protect your information where it seems reasonable and if you are hacked go a little beyond just changing the password.
Now what with Yahoo…
I opened the Yahoo account around 2002/2003, and I had used it for everything. It was a couple of months ago someone I respect completely in the tech industry convinced me to move to Gmail because Yahoo is perceived as being an email dinosaur. I was reluctant to switch because switching over email is very time-consuming and basically a pain. Also, I wanted to stick by Yahoo because I had used it for so long and a part of me wanted to support it since Marissa Mayer took over as CEO.
Still I thankfully took the advice and had already started making the change. Despite making the move there was still over 10 years worth of information stored in my Yahoo account, and I hadn’t finished making the move. I can say that hack definitely motivated me to quickly wrap up making the switch over.
Even though I was the one to use an unsecured wireless network, I do find fault with Yahoo for not having SSL automatically turned on in addition to their poor performance/response in addressing the hack. They can and should do better and that’s the reason they have lost me as a consumer.