
(BBC) Having lost so many of their users, Yahoo reinvents itself as the go-to website for identity thieves and blackmailers (bbc.co.uk)

3018 clicks; posted to Geek on 27 Sep 2013 at 9:07 AM



30 Comments
 
2013-09-27 09:10:23 AM  
Holy shiat... That is some epic levels of stupidity on Yahoo's part... There is no way for that to have not bitten them in the ass...
 
2013-09-27 09:10:42 AM  
my main personal email address is an @yahoo.com address.

suck it, haters.
 
2013-09-27 09:14:11 AM  
Mr Jenkins told Information Week: "I can gain access to their Pandora account [online radio] but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding."

I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.
 
2013-09-27 09:17:46 AM  

ReapTheChaos: Mr Jenkins told Information Week: "I can gain access to their Pandora account [online radio] but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding."

I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.


You would be surprised..
 
2013-09-27 09:20:20 AM  

ReapTheChaos: I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.


Sounds perfectly plausible to me.

Yahoo said they weren't going to let this happen. I don't know how, but they said they wouldn't. Obviously they failed.
 
2013-09-27 09:27:59 AM  
I guess scammers were just inspired by the 9 degrees of whimsical rotation on the new exclamation point.
 
2013-09-27 09:44:15 AM  
YahOOPS!
 
2013-09-27 10:51:37 AM  

jonny_q: I don't know how


They (along with Facebook) came up with a new "active since" email header. The receiving system is supposed to check the header, and bounce mail for which the account has not been active long enough. Of course, any mail that doesn't include that header will go right on through....
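The "active since" header GWSuperfan describes is the Require-Recipient-Valid-Since field of RFC 7293, which Facebook and Yahoo took to the IETF. The following is an added example of how a receiving mailbox provider could evaluate it; it is not code from the thread, from Yahoo or from Facebook. The mailbox directory, the ownership dates and the three messages are constructed for the example; the header syntax (address, semicolon, RFC 5322 date) and the 5.7.17 status code for a mailbox that changed owner are the ones RFC 7293 specifies. The last branch is the gap the comment points out: a message with no such field for the recipient is delivered as if nothing had happened.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"

# Constructed mailbox directory: when the *current* holder took ownership.
# For a recycled address this is the re-registration date, not the original
# creation date, so the provider has to keep it across recycling.
OWNED_SINCE = {
    "bobsmith@example.com":  datetime(2013, 8, 15, tzinfo=timezone.utc),  # recycled
    "longtimer@example.com": datetime(2004, 2, 1, tzinfo=timezone.utc),
}


def parse_rrvs(value: str):
    """Parse 'addr; RFC 5322 date' into (lower-cased addr, aware datetime)."""
    addr, _, date_part = value.partition(";")
    when = parsedate_to_datetime(date_part.strip())
    if when.tzinfo is None:           # a '-0000' zone yields a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def evaluate_delivery(raw_message: str, recipient: str):
    """Decide whether to deliver raw_message to recipient.

    Returns (accept, reason). The rejection uses the enhanced status code
    RFC 7293 registers for a mailbox whose owner has changed."""
    recipient = recipient.lower()
    owned_since = OWNED_SINCE.get(recipient)
    if owned_since is None:
        return False, "550 5.1.1 no such mailbox"
    msg = message_from_string(raw_message)
    for value in msg.get_all(RRVS, []):
        addr, valid_since = parse_rrvs(value)
        if addr != recipient:
            continue                  # field is about some other recipient
        if owned_since > valid_since:
            return False, "550 5.7.17 mailbox owner has changed"
        return True, "accept: recipient continuously valid since requested date"
    # No field for this recipient: there is nothing to check, so the message
    # is delivered as usual. Senders that never add the field get no
    # protection, and the new holder of a recycled address still gets their mail.
    return True, "accept: no RRVS field present"


# Constructed sample messages (CRLF line endings, as on the wire).
RESET_TO_RECYCLED = (
    "From: security@shop.example\r\n"
    "To: bobsmith@example.com\r\n"
    "Subject: Password reset\r\n"
    f"{RRVS}: bobsmith@example.com; Sun, 1 Jan 2012 00:00:00 +0000\r\n"
    "\r\n"
    "Use this link to reset your password.\r\n"
)
RESET_TO_LONGTIMER = RESET_TO_RECYCLED.replace("bobsmith", "longtimer")
NEWSLETTER_NO_RRVS = (
    "From: news@shop.example\r\n"
    "To: bobsmith@example.com\r\n"
    "Subject: Your weekly deals\r\n"
    "\r\n"
    "Hi Bob, here are this week's offers.\r\n"
)

if __name__ == "__main__":
    for name, raw, rcpt in [
        ("reset to recycled mailbox", RESET_TO_RECYCLED, "bobsmith@example.com"),
        ("reset to long-held mailbox", RESET_TO_LONGTIMER, "longtimer@example.com"),
        ("newsletter without RRVS", NEWSLETTER_NO_RRVS, "bobsmith@example.com"),
    ]:
        print(f"{name}: {evaluate_delivery(raw, rcpt)}")
```

The check only helps when three things line up: the sender knows when it last verified the address and puts that date in the field, the receiving provider records when the current holder took over rather than when the mailbox was first created, and the provider actually enforces the comparison. Any message that skips the field, which in practice is most of them, goes through unchanged.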
 
2013-09-27 11:02:33 AM  
This borders on criminally stupid.  It doesn't matter if they deleted all of the old data - there's going to be new data pouring in.

Had a service tied to that account?  Did they have a run-of-the-mill password reset that sends a link to the email of record?

This is every bit as bad as bulk-publishing the account passwords would have been.
 
2013-09-27 11:13:19 AM  

ReapTheChaos: Mr Jenkins told Information Week: "I can gain access to their Pandora account [online radio] but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding."

I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.


1.  Re-create email address.
2.  Visit various social and online merchant websites and throw it into the 'forgot password' dialog box, see what comes back.
3.  Profit.
4.  Write script that rapidly does steps 1-3 against old & large spammer lists.

I know I still have a few stale accounts on sites that refer to an ancient address because I either forgot about them or worse the site had no way to actually change the referencing address (at least one online merchant I did business with worked that way...*grumble*).  How many can you think of for yourself?

Now fortunately that ancient address wasn't via yahoo.

/or AOL, you jerks :P
 
2013-09-27 11:27:15 AM  

ReapTheChaos: Mr Jenkins told Information Week: "I can gain access to their Pandora account [online radio] but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding."

I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.


Then you haven't been paying attention.  You can do amazing things with just a tiny foothold into someone's PII.

And this... this is not a tiny foothold.

Consider the effort that phishers normally go to to gain access to an email account.

This is basically phishing with dynamite - you don't need some sucker to take the bait, you can just start registering email addresses and wait for the PII to pour in.  Get a newsletter from XYZsite.com to the bobsmith@yahoo.com account?  Let's go check that out.  Yeah, I totes "forgot" my password, could you reset that for me?  Oh, cool, Bob had his home address stored here.  And his credit card!  Sure they obfuscated most of the digits, but they gave me the last 4, and those last 4 are frequently used for "proving" your identity, so let's see what else we can get with that, now.

And there's a really good chance Bob was an idiot who reused the same password in a lot of places, too.  Find one site whose "forgotten password" resolution system merely emails you your old password instead of resetting it (these exist and are pretty common, people are bad at the internet still) and now there's a good chance you can get into Bob's entire farking life.

So, yeah.  Don't doubt.  If anything, that is a  grossly conservative estimate of what you could get with this.  Best part is, you can bulk-farm PII without even running afoul of the CFAA with this.
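The four-step procedure a few comments up (re-create the address, hit "forgot password", harvest, script it) and the "site that emails you your old password" case in the comment above are both failures on the sending site's side, so here is an added example of the site-side reset flow done both ways. It is not code from the thread or from any site mentioned in it; shop.example, the user record for Bob and the fixed clock are constructed for the example. The insecure variant is the one the comment describes: it can only exist if the site stores passwords recoverably, and it mails the secret to whoever holds the address today. The hardened variant issues a random, single-use, time-limited token, stores only its hash, and adds the RFC 7293 Require-Recipient-Valid-Since field set to the last time the user proved control of the address, so a participating provider can refuse delivery to a recycled mailbox.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime
from typing import Optional, Tuple

SITE = "shop.example"                 # hypothetical site name
TOKEN_TTL = timedelta(minutes=30)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class User:
    username: str
    email: str
    password_hash: str
    email_verified_at: datetime       # last time the user proved control of the address
    reset_token_hash: Optional[str] = None
    reset_expires: Optional[datetime] = None


def insecure_reset_email(address: str, stored_plaintext_password: str) -> EmailMessage:
    """The anti-pattern from the thread: mail the stored password back.
    Only possible if passwords are kept recoverably, and it hands the secret
    itself to the current holder of the address."""
    msg = EmailMessage()
    msg["From"] = f"support@{SITE}"
    msg["To"] = address
    msg["Subject"] = "Your password"
    msg.set_content(f"Your password is: {stored_plaintext_password}")
    return msg


def request_reset(user: User, now: datetime) -> Tuple[str, EmailMessage]:
    """Issue a random, single-use, time-limited token and store only its hash."""
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = now + TOKEN_TTL
    msg = EmailMessage()
    msg["From"] = f"security@{SITE}"
    msg["To"] = user.email
    msg["Subject"] = "Password reset"
    # RFC 7293: a participating provider refuses this message if the mailbox
    # changed hands after the date we last verified the address.
    msg["Require-Recipient-Valid-Since"] = f"{user.email}; {format_datetime(user.email_verified_at)}"
    msg.set_content(f"Reset link: https://{SITE}/reset?token={token}")
    return token, msg


def complete_reset(user: User, token: str, new_password: str, now: datetime) -> bool:
    """Consume the token; fails on expiry, mismatch or reuse."""
    if user.reset_token_hash is None or user.reset_expires is None:
        return False
    if now > user.reset_expires:
        user.reset_token_hash = user.reset_expires = None
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.password_hash = hash_password(new_password)
    user.reset_token_hash = user.reset_expires = None   # single use
    return True


# Constructed account: Bob verified bobsmith@example.com in 2011 and never again.
BOB = User("bob", "bobsmith@example.com", hash_password("hunter2"),
           datetime(2011, 5, 1, 9, 0, tzinfo=timezone.utc))


def demo() -> dict:
    """Run the flow against BOB on a fixed clock and return what happened."""
    now = datetime(2013, 9, 27, 15, 0, tzinfo=timezone.utc)
    token, mail = request_reset(BOB, now)
    out = {"rrvs": mail["Require-Recipient-Valid-Since"]}
    out["wrong_token"] = complete_reset(BOB, "not-the-token", "x", now)
    out["expired"] = complete_reset(BOB, token, "x", now + TOKEN_TTL + timedelta(seconds=1))
    token, _ = request_reset(BOB, now)            # expiry wiped the old token
    out["first_use"] = complete_reset(BOB, token, "correct horse", now + timedelta(minutes=5))
    out["reuse"] = complete_reset(BOB, token, "again", now + timedelta(minutes=6))
    out["new_password_works"] = verify_password("correct horse", BOB.password_hash)
    out["old_password_works"] = verify_password("hunter2", BOB.password_hash)
    return out


if __name__ == "__main__":
    print(demo())
```

The token flow fixes the "mails you your old password" problem but not the recycled-mailbox problem by itself: whoever receives the reset link still controls the account. The header only helps at providers that honour it, so for anything that matters the reset should also demand something the mailbox holder does not have, such as a second factor, or re-verification when the email of record has not been confirmed in a long time.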
 
2013-09-27 11:29:50 AM  
And heaven help you if, for example, your old, forgotten yahoo account was the backup account on record for your current gmail account.
 
2013-09-27 11:46:24 AM  

GWSuperfan: They (along with Facebook) came up with a new "active since" email header. The receiving system is supposed to check the header, and bounce mail for which the account has not been active long enough. Of course, any mail that doesn't include that header will go right on through....


If that was the whole plan, that's stupid.
 
2013-09-27 12:27:51 PM  

jonny_q: GWSuperfan: They (along with Facebook) came up with a new "active since" email header. The receiving system is supposed to check the header, and bounce mail for which the account has not been active long enough. Of course, any mail that doesn't include that header will go right on through....

If that was the whole plan, that's stupid.


I agree. But in case anyone wants to read about it, here's the IETF link
 
2013-09-27 01:12:47 PM  

China White Tea: And heaven help you if, for example, your old, forgotten yahoo account was the backup account on record for your current gmail account.


This - I know far too many who jumped to Gmail but kept the @yahoo for quite some time.
 
2013-09-27 01:22:13 PM  
What is sad is this story isn't running on any major American news network (that I can find).. This is pretty serious shiat... One of the worst decisions I've seen since the dot-com era..  Someone said it above.. It's criminal..
 
2013-09-27 02:06:29 PM  
I knew this was going to come back and bite them in the arse
 
2013-09-27 02:29:34 PM  
Should be the Obvious tag. My elderly father-in-law uses yahoo mail and has been repeatedly scammed.
 
2013-09-27 02:30:56 PM  
More importantly, yahoo needs to realize that the vast majority of companies are not going to pay them $299 per year for a commercial listing (even if most businesses eventually get listed through other means anyhow)
 
2013-09-27 02:51:53 PM  
Can you imagine how dead they would be without fantasy football?
 
2013-09-27 03:33:54 PM  
Who could have seen this coming?
 
2013-09-27 04:16:53 PM  

frepnog: my main personal email address is an @yahoo.com address.

suck it, haters.


Same here; until I set up my own private mail server, I think it will stay that way, too. Most of the other major mail providers seem just as bad.
 
2013-09-27 06:59:13 PM  
I have had my Yahoo! account since 1998.

When we moved in in 1990 we got a recycled phone number. I don't know who Mary Scott is or what she does for a living. But she sure got some strange calls at all hours of the day and night. They dwindled and stopped after about 10 years.
 
2013-09-27 07:32:58 PM  

InternetSecurityGuard: I have had my Yahoo! account since 1998.

When we moved in in 1990 we got a recycled phone number. I don't know who Mary Scott is or what she does for a living. But she sure got some strange calls at all hours of the day and night. They dwindled and stopped after about 10 years.


I moved to my current residence about two years ago, and some bank in Taiwan is still air-mailing statements addressed to the previous owner.

P.S.  Anyone know if writing "not at this address; return to sender" and dropping it back in the outgoing mail works for international mail?
 
2013-09-27 08:40:00 PM  
I've got my own me @ my last name dot us mail address that I accidentally let expire a few months ago. I got it back up and running about 2 weeks later. You would be surprised how little junk mail shows up at that address now. Legitimate e-mails continue coming in. I used to get over 100 junk mails per day, now it's down to about 2 or 3. Point is, legitimate e-mail will keep coming even after yahoo dumps the unused addresses. Luckily, the new address holders won't be getting the junk mail that the original user quit using the address because of.
 
2013-09-27 09:53:56 PM  

ReapTheChaos: I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.


It's pretty easy.  Just go to random sites and hit the "send me a new password button"
 
2013-09-27 11:20:45 PM  
My account was "recycled" without warning. They didn't delete the private data either, as I was able to successfully use pw recovery and continually got told my account was inactive/deleted regardless. It took three weeks of talking to their CS and they had zero comprehension of what I was trying to explain.

If someone files a class action, I'm joining for sure.
 
2013-09-28 12:58:00 PM  

styckx: ReapTheChaos: Mr Jenkins told Information Week: "I can gain access to their Pandora account [online radio] but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding."

I have serious doubts that you can get that much current info from an email address that's been inactive for over a year.

You would be surprised..


Yeah...people use their "throwaway" addresses for fairly personal and sensitive shiat--maybe not banking but things like schools and doctors offices. Then they forget about them.

I'm thinking it's probably safer to have only 2 or maybe 3 addresses total instead of a ton that you can't keep track of. Frequently visiting and monitoring an account is a huge part of its security, even if it's not Yahoo. Have a strong password on your most important one and for borderline cases, like a dentist's form, just use your main one. Spam is a minor concern nowadays considering that a) you'll get it anyway, and b) spam filters are pretty good on all major services.

But this was a boneheaded move by Yahoo. Was anyone actually clamoring for this feature?
 
2013-09-28 01:44:48 PM  

frepnog: my main personal email address is an @yahoo.com address.

suck it, haters.


I have one. I don't use it but I sure as hell logged in to prevent it from going away.
 
2013-09-28 01:49:23 PM  

Intrepid00: frepnog: my main personal email address is an @yahoo.com address.

suck it, haters.

I have one. I don't use it but I sure as hell logged in to prevent it from going away.


Mostly cause it is tied to my Steam account. My SPECIAL Steam account.
 