Yahoo! Security

Yahoo Mail Resets Account Passwords After Attack

MAXOMENOS writes: "Last night Yahoo! announced via their Tumblr page that they had detected attacks against some Yahoo Mail accounts. They reset the passwords to all affected accounts, and advised users of good password practices. Quoting: 'Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.'"
This discussion has been archived. No new comments can be posted.

  • Re:WTF (Score:5, Interesting)

    by Albanach ( 527650 ) on Friday January 31, 2014 @10:06AM (#46119243) Homepage

    Hashing passwords is pretty pointless unless they're also salted. Otherwise all the common and short passwords are as good as being in plain text.

    As for why a 3rd party had the passwords, I think Yahoo need to be quite a bit more forthcoming and explain this. Surely they are aware that their customers are going to be reusing passwords and that, by giving a third party these passwords, they are also exposing their customers' accounts on numerous other sites?
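
The salting point in the comment above, as an added example that is not part of the original post: unsalted digests of a shared password are identical and fall to one table built once, while a per-user salt with a slow KDF gives every account a distinct record. The user names, passwords, word list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def unsalted(password):
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; both values are stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def exposed_by_one_table(stored, common):
    """Users whose unsalted digest appears in a table computed once from common passwords."""
    table = {unsalted(p) for p in common}
    return sorted(user for user, digest in stored.items() if digest in table)

# Constructed sample data: two users share a common password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "T7#qv-9Lm2$xPz"}
COMMON = ["123456", "password", "letmein"]

def demo():
    plain = {user: unsalted(pw) for user, pw in USERS.items()}
    salted = {user: salted_record(pw) for user, pw in USERS.items()}
    return plain, salted

if __name__ == "__main__":
    plain, salted = demo()
    print("identical unsalted digests:", plain["alice"] == plain["bob"])
    print("covered by one table:", exposed_by_one_table(plain, COMMON))
    print("identical salted digests:", salted["alice"][1] == salted["bob"][1])
    print("login still verifies:", verify("letmein", *salted["alice"]))
```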

  • Re:The real news (Score:5, Interesting)

    by CubicleZombie ( 2590497 ) on Friday January 31, 2014 @10:40AM (#46119533)

    I've been using Yahoo mail since almost the beginning and still do.

    I changed my password as soon as I heard about this. Or, I tried to. Yahoo makes it so difficult to change your password that I actually had to go to Google and search for "How do I change my Yahoo password". Then once I figured out where to go (none of the links worked - I had to paste it from an answers.yahoo.com reply), the AJAXified page wouldn't work in Firefox on Linux, so I had to fire up my work PC and use IE.

    Unbelievable.

    While I was there, I deleted an old yahoo personals alias (also didn't work in Firefox - had to use IE), and then changed my backup email. But that didn't work either - the link in the confirmation email went to an error page.

  • My Soapbox! (Score:3, Interesting)

    by Anonymous Coward on Friday January 31, 2014 @11:07AM (#46119749)

    I manage mail servers for a mid-sized company, and Yahoo can kiss my ass! Their IP ranking system is stupid and they won't change it, which fucks any smaller ISP hosting multiple domains on a single IP. If we have a company get a mailbox compromised from domainx, Yahoo blocks all mail from the IP instead of the domain so everyone else is screwed. Even when we lock the account, Yahoo has no method of unblocking.

    To make things 10 times worse, their mail interface has a big ole "SPAM" button which allows users to delete mail in a single click where their "Delete" button requests confirmation. Users tend to use the SPAM button because it's easier to delete messages, and not obvious that they are actually reporting the person as a spammer to Yahoo who again fucks the ISP by blocking their mail. After years of complaints from companies, if you use Firefox you will see a button that says "Report Spam", but IE still just shows "Spam".

    Yahoo of course does not give a shit and won't add a confirmation to that "spam" button to let users know they are reporting a server for "spam" and not simply deleting a message.

    And look, I absolutely hate spam. I would not work for a company that sends spam and think they are as useful to society as telemarketers. Yahoo just sucks at doing anything worthy to reduce spam. Their IP ranking system has been broken and complained about since it came out, but since it's cheap for them to use they continue with the broken program and don't care that this harms their user base more than it saves them money trying to fight spam.

  • Re:My Soapbox! (Score:0, Interesting)

    by Anonymous Coward on Friday January 31, 2014 @11:33AM (#46120041)

    You sound like a spammer / scammer. Post the affected domains and IP address or shut up. Or put in some decent security and choose your customers better.

  • RE: My Soapbox! (Score:2, Interesting)

    by Anonymous Coward on Friday January 31, 2014 @02:51PM (#46122097)

    I used to work for a student loan servicer - who only sent emails for things like account notifications, ACH withdrawal notifications, etc. We'd have to fight our way off of Yahoo blacklists two or three times in the five years I was there. Yahoo's "spam" management is a common problem for admins hosting mail services.
