Yahoo Email Account Takeover

By Henry Bagdasarian

The last time my Yahoo email account was taken over by hackers to send spam emails was on January 28, 2010. A few people I know contacted me to warn me that they received emails from my Yahoo email account with just a link to a health related website. These people who know me well had immediately noticed that the email with no subject line or any text in the body which just included a link to a health site could not actually be sent by me, although the emails appeared to come from my personal account. Anyhow, my Yahoo email account information was illegally accessed by spammers to send unauthorized emails to my Yahoo contacts at 3 o’clock in the morning from my Yahoo account. This wasn’t a case of spoofing but an actual case of email account take over.

The privacy intrusion and the abuse of my personal information was yet another awakening moment for me which caused me to rethink my approach to managing my contacts and my trust level with regards to the email account systems and their security measures. Also, it’s not apparent to me how intruders gained access to the Yahoo email account and maybe Yahoo can shed some light on this mystery through an in depth investigation as multiple Yahoo accounts have been compromised in the past as I found out later (to this date, Yahoo has not responded to my request with an explanation and details about this intrusion). Cracking a user’s password is not the only way to gain unauthorized access to emails. System backdoors might be vulnerable allowing intruders to invite themselves into the system from the backdoors or, disgruntled employees who already have access to Yahoo customer information might be abusing their privileged access. Based on my initial assessment of this case, I noticed a few details about the incident that might be interesting to some.

First, the emails spammed to my contacts were organized in multiple batches of just a few emails at a time to probably bypass the system’s anti-spam controls in place. Obviously this control didn’t work completely because some email batches passed through the system controls and reached my contacts while others were blocked by the system and never sent out. Although, the anti-spam controls were not effective in protecting my email account from being abused for spam purposes, the controls were in full protection mode when I tried to email all my contacts to warn them of the yahoo email account incident. Isn’t this great that the same controls that we implement to protect our email accounts, prevent us from sending emails to our contacts while they fully cooperate with the spammers? And then, after I tried to send emails in batches, the system started asking me to input a code for making sure that automated programs were not attempting to send spam emails. This was never required from me before the incident, which tells me that either their system had noticed something was wrong by design and was trying to prevent additional damage, or, Yahoo somehow discovered that many email accounts were compromised, either through system monitoring or user complaints, and was trying to close the loop and prevent further spams. Either way, security controls were insufficient to both prevent and detect unauthorized takeover and abuse of user account information. Password cracking as a way to penetrate email accounts is plausible when a single account and select email addresses are targets. The speed by which the email distribution lists were put together and sent one after another within just a couple of minutes of interval suggests that this was an automated program designed to complete a spam scheme within a very short period of time. Plus, the timing of the spams which was in the middle of the night and the number of cases involved suggest that spammers or rather the program intended to avoid taking the Yahoo system down and being noticed during the day when most people are actively using the system.

Second, the sent emails were not saved in my “Sent” folder which is what normally happens when I send emails because that’s how I have configured my email account. This is rather interesting and further reinforces the assumption that Yahoo’s backdoor was left unsecured which allowed the theft and abuse of the Yahoo email account information.

Third, other people also suggested that their Yahoo email accounts were abused this week as I mentioned. After I shared my story with a few people, they also shared information regarding their own incidents or others who had also experienced similar cases.

And lastly, when I investigated the possibility of using another email system such as Gmail as suggested by a friend, I was not impressed when I saw the number of people who were complaining about similar issues at Gmail. So, I figured running away from a problem to face similar problems elsewhere is not the best solution, although it is a solution to consider and I have a few others which I’ll share next.

In conclusion, this yahoo email account intrusion probably happened through an unauthorized backdoor access to a Yahoo database table which includes email contact information. And then, automated programs executed the well planned spam scheme. As we all know, email spams are inevitable because they’re cheap marketing tools and we can’t control the security of external email systems. When we share information with others, store information on external systems, or use various systems for free, we risk the safety and privacy of our information. I’m not suggesting that paid systems have better security; however, I’m saying that our expectations of privacy and security are lower when we use free systems such as Yahoo, Gmail, Linkedin, Facebook, Twitter and others. We accept the additional risk of identity theft in exchange for free services.

Although spams and identity theft are inevitable, there are actions in our control that we can take to reduce our spam exposure risk when it occurs. We can reduce the spam risks by 1) avoiding duplication of emails stored on multiple systems, 2) elimination of unnecessary emails, and 3) using multiple accounts for personal, business, and other purposes. If we are currently using multiple messaging systems such as Yahoo, Gmail, Linkedin and workplace email systems such as Outlook or GroupWise, we should consciously decide what systems we want to use for storing and sending emails and why. I believe that we should use 3 separate accounts for personal, business and other purposes such as when placing orders online. That being said, I also suggest storing the absolute minimum number of emails in their respective email accounts without any duplication. For example, if we use a Yahoo account for personal communications, then we should not use that same account for sending and storing business emails. Also, speaking of business contacts, most of us who use Linkedin as a way to stay in touch with our business contacts, may not need to store their email addresses in our business email account as this might be considered duplication and additional spam risks. We can always use Linkedin and other social networking systems, depending on our interests, to send messages. This will eliminate the necessity to store infrequently used emails in our email systems.

As I write this article, I can’t stop thinking about the fact that future intrusive incidents are inevitable and all systems are vulnerable to attacks and unauthorized access. The question is do I want to be a victim of that incident and if yes to what extent? Therefore, it’s up to us to decide what systems we want to use, why, how frequently, and to what extent. We have to determine our risk tolerance level and act accordingly. All I can say is that my risk tolerance level and confidence level I place on others to protect my information is really down after the incident which have forced me to take drastic actions to protect my information.

I was a victim and so were many people who were deceived by receiving emails sent from the Yahoo email account because these email systems and websites remain unprotected. Although we get spammed with unwanted emails every day, the ones that appear to come from our own accounts with our names stamped to them are the worse kinds in which case the "sender" is the real victim.

Let's be identity safe.

Read a related article and watch a short video if your Yahoo email account is hacked.