Given the company’s public profile and well-documented security failures (RE: my previous blog) anything is possible.
In fact, I have first hand evidence that Yahoo’s security snafus go at least as far back as 2010, when I reported the hijacking of my personal account – Claudiu@Yahoo.com – to Yahoo’s tech people after I received a notification of a new alternate email address having been added to my profile:
|The following email address (firstname.lastname@example.org) was added to your Yahoo! account ?(cl*****)?.
The following email address (Claudiu@<legitimate address>) was deleted from your Yahoo! account ?(cl*****)?.
To ensure that your account information remains accurate and secure we notify you whenever this information changes.
This change request was made on September 27, 2010 at 07:37pm BST.
If the changes described above are accurate, no further action is needed.
And so began a comedy of errors that saw me use the Yahoo email link provided to try to remove the new email and reinstate the old one, a process that required my long, complex password and took minutes to complete. I also changed the password to ensure that external attackers would just stay out. To my surprise, I received a new email notification that the process had been undone, new email re-added, and my real alternate address removed.
The shocking thing was that the note arrived within a minute of my having painstakingly completed the corrective process. I proceeded to carry it out again, taking note of the new password and eliminating the unauthorized contact address. The email arrived again, just as rapidly. Suspecting a keylogger, I switched computers, but the process repeated itself over 20 times and probably closer to 30 before I gave in and contacted support.
During this process, I clearly explained that I hadn’t used the email in a few years, I had used a secure password and that any attempt to validate my identity using my own ID would be fruitless since I had not populated my profile with real information. After all, I had my email address for some 12 years, since the inception of Yahoo Mail and I had signed up with the minimum information required.
Barring some freakishly competent, real-time man-in-the-middle attack, I strongly suspected that the breach was internal to Yahoo, but I was stumped as to the blistering speed with which my profile changes were undone. Could it have been a keylogger on all my secure machines? I suppose. Perhaps one at the gateway, on my DSL modem? Highly unlikely but possible.
But the speed with which the hijacker undid my changes and used my new, complex password to access the account suggested a scripted attack. Internal or scripted, I had few hopes of recovering the account and indeed, between Sept 27, 2010 and May 8, 2011, every interaction with Yahoo support suggested at least a good degree of indifference or incompetence on the part of the team that supposedly investigated and eventually blocked my account for suspected unauthorized activity.
Unfortunately, the company had by then unlocked my account and surrendered it to the hijacker without notifying me, despite claims of having access to all logs and changes to it. It was only months later that I realized the degree to which it was used by someone else, and compromised on at least 9 major sites including:
In light of current events, I dug up my complete email threads with the company and was again amused at the degree of placid apathy displayed in the process.
The top 7 pearls I received during those memorable communications:
- After a lengthy email containing instructions from addressing spam issues to reporting Yahoo impersonators they helpfully added:
“We understand this email contains a wealth of information and hope that it has been of great assistance to you.”
- The passive-aggressive “sound” of these instructions is worth pasting:
CHANGE YOUR PASSWORD:
If the above information did not assist you, please attempt to request a new password. To change your password:
– Sign in to your Yahoo! account using your current password
– Re-enter your current password to continue.
– Click the “Change Password” link in your Account Information page.
– In the space next to “Current Password,” enter your current password
– In the space next to “New Password,” enter a new password of your choice
– In the space next to “Confirm New Password,” confirm your new password by typing it again.
– Click the “Save” button to put your new password into effect.
STILL HAVING TROUBLE?
- “The Yahoo! ID you submitted no longer is a valid ID because a User requested for the account to be deleted. At this time, it is not possible to reactivate an account that has been deleted. You are welcome to sign up again for a new account. You are welcome to sign up for a new Yahoo! account.”
- “It appears we previously requested a fax in regards to accessing the “claudiu” Yahoo! account, to which we have not received. The Yahoo! Account Security team provides support via email only. Your email is important to us, and we strive to answer all reports within two business days.”
- After a 6-week lull in the conversation:
“I’d like to apologize for the delay in my responding to your inquiry. We are currently receiving unusually high volumes which caused the delayed response.”
- “It appears you are submitting multiple emails within one report for investigation. In order to assist you most effectively, we are requesting that you send us an individual report for each instance of unsolicited email that you would like investigated.”
- Upgrade to a Safer Version of Internet Explorer 8 – Download Now: http://yhoo.it/duCKHc
For kicks, I just clicked that shortlink which is still active, 6 years later and it now points to an updated, Internet Explorer 11, ostensibly more secure but also more … moist:
To conclude, are Yahoo’s perennial foibles evidence of gross negligence, stupendous incompetence or sheer malice? On that, let’s give the embattled Internet giant the benefit of the doubt one final time and pay heed to Hanlon’s Razor.