Wednesday, January 9, 2013
Security & Hacking: Yahoo email
A lot of people have been having problems with Yahoo Email recently http://downrightnow.com/yahoomail
It seems like Yahoo has forced password resets on all recently active email accounts.
Probably because of a renewed surge of Yahoo email hacking or exploits this week, and the story (or stories) about the old XSS vulnerability; see this link http://www.scmagazine.com/yahoo-patches-xss-flaw-affecting-mail-users/article/275301/ for more.
But there are, or have been, problems with resetting passwords for some.
I have multiple email accounts on various services (Yahoo, Gmail, Hotmail, etc.); this lets me test various things, including problems and vulnerabilities.
Yahoo forced a reset on my most-used account, but it wouldn't let me access email without a workaround until today, even with the text message code.
Interestingly enough, one of my never-used Yahoo email accounts (I wasn't even sure whether it had been closed down for inactivity) worked fine with the old password; no reset was forced on that account.
I frequently check account activity on my Yahoo email accounts; this link shows how to do so: http://help.yahoo.com/kb/index?locale=en_US&y=PROD_ACCT&page=content&id=SLN2073
Though, annoyingly, the default display is location (of your IP provider, so don't freak out if it doesn't show your town without checking further).
You have to click on the Location tab to select IP address, which is what you really want.
For more information on what an IP address is (TL;DR version: an ID number for any device hooked to a network; it works like a snail mail address so messages go to the right place) see http://en.wikipedia.org/wiki/IP_address
This site http://www.whatismyip.com/ (WOT score for that link: https://www.mywot.com/en/scorecard/whatismyip.com) will show you your current IP address, so you can verify the IP addresses that have accessed your Yahoo email against your own.
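The check described above, as an added example (not code from the original post): it parses a constructed account-activity list and flags logins whose IP address is outside the addresses or ranges you know are yours, ignoring the location column on purpose. The line format, the sample entries and the known-address list are all assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample, modelled on an account-activity list: timestamp, IP, coarse location.
# The third entry shows the same ISP location as the first two but a different IP.
SAMPLE_ACTIVITY = """\
2013-01-07 08:12 203.0.113.45 Springfield, US
2013-01-08 19:40 203.0.113.45 Springfield, US
2013-01-08 23:05 198.51.100.7 Springfield, US
2013-01-09 02:30 192.0.2.200 Unknown
"""


def parse_activity(text):
    """Parse 'YYYY-MM-DD HH:MM <ip> <location>' lines into (time, ip, location) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, *loc = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        entries.append((when, ipaddress.ip_address(ip), " ".join(loc)))
    return entries


def flag_unknown_logins(entries, known_networks):
    """Return entries whose IP falls outside the given addresses/CIDR ranges.

    Location is deliberately ignored: it is the ISP's location, not your town,
    so two logins can share a location while only one of them is yours.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in known_networks]
    return [e for e in entries if not any(e[1] in net for net in nets)]


if __name__ == "__main__":
    # Assumed: the only address you log in from is 203.0.113.45.
    entries = parse_activity(SAMPLE_ACTIVITY)
    for when, ip, loc in flag_unknown_logins(entries, ["203.0.113.45"]):
        print(f"unexpected login {when:%Y-%m-%d %H:%M} from {ip} ({loc})")
```

If your ISP hands out changing addresses, list the whole range (e.g. "203.0.113.0/24") instead of a single address; anything the activity list shows outside that range is worth a closer look.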
Anyway, it really looks like Yahoo took the lazy approach to dealing with this problem. I know my Yahoo account that had a password reset forced on it was not being used by anyone but me,
because I monitor what IP addresses access it. Additionally, that account has a very strong password, so if Yahoo passwords get stolen and it is compromised quickly, I will know that it wasn't stored with proper encryption at Yahoo.
So there was no suspicious activity on that account; it only ever gets logged into from a single IP address, and is normally logged into several times a week from that address. I can't see how that would trigger any flags.
And my seldom-if-ever-used accounts were not forced to reset passwords.
So it looks to me like Yahoo forced password resets on all accounts that were active during some time frame, and that is part of the reason why they, and the people who use Yahoo Email, are having so many problems.
The system crashed under the load of people trying to access their accounts, failing, and retrying over and over.
I strongly suggest everyone see Steve Gibson's Haystacks & Needles (Understanding Passwords) for a good understanding of strong passwords.
For more posts on passwords, click the Label "Passwords"; that Label, with selected others, can be found in the Label cloud on the left side of the blog.
There are also Labels at the bottom left of every blog post.
For pen testers and such I suggest one of these Labels: