On 23/04/13 16:08, Martijn Grooten wrote:
> I've got a Yahoo account. Actually, I've got a few that I use so rarely
> that I create a new account whenever I need one.
>
> Today I got a warning on my Gmail account that someone had managed to login
> to Yahoo. Sure enough, I got a spam email at my work account - the only
> address in its contact list.
>
> I don't remember the password for the account, but given that it was set up
> a while ago (before I started to use password managers) it could have been
> fairly weak. Still, Yahoo should be able to defend against someone cracking
> passwords. If that's what happened, though according to Yahoo it is: "a
> login attempt with valid password" they say.
>
> So now I'm even more motivated to find out what went wrong.
>
> Two clues: according to Yahoo the login used Yahoo's mobile app (Yahoo
> mobile has been linked to spam campaigns before). And the login took place
> from Bangladesh, which is known to be the world's capital of sweatshops
> full of CAPTCHA crackers.
>
> Martijn

Welcome to the club!

After my experience I reflected a little bit on Yahoo and came to the conclusion that they are a ridiculous, floundering shit-bag of a company run by staggering incompetents at every level. I now actively boycott them completely rather than disdainfully ignoring them as before and have successfully moved everyone I know that uses them forcibly from their 'services'. Even Microsoft's hotmail/livemail/outlook/whatever it's being re-branded as today is infinitely better managed than Yahoo's email.

So your account got whacked as well. If you ever do get to the bottom of this, which I sincerely doubt, I'd love to know any conclusions.

My thoughts are that there are fatal flaws in an API or a framework somewhere which allows exploit access: in the case of throwaway accounts like ours without real names, banking details, contact lists or indeed anything at all of value connected to it all they can be bothered to do with it is send a bit of desultory spam. I'm sure that if they had been 'proper' accounts linked to real IDs, the fallout would have been much worse.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq