Yahoo Account Hacked

My Yahoo account was hacked this morning. The first sign that something was up was an email from Yahoo saying that an email address was added to my account. The address was “[email protected]”. Tricky. It definitely gave me pause. That’s my name, but I didn’t think I had that account. I went in and deleted it.

Suddenly Adium went nuts, popping up 20+ dialogs saying “<username> has (retroactively) denied your request to add them to your list.” Huh. Then came the first of a number of emails from friends (basically, Y! IM friends) saying that they had gotten an email from me saying that I was stuck in Wales without my credit card and passport yada yada. Yup, hacked.

I was already on my way to changing my password. Unfortunately, my Yahoo account was still tied to my old AT&T DSL account, and I had to remember the username for that before I got in (this actually probably saved my butt, preventing the attacker from changing my password). I did eventually get in, though, and changed it to a nice, long random string.

So, how did this happen? Well, Yahoo was my spam-bucket account–I used it on a lot of throwaway sites that needed an email address. Unfortunately, I never changed the password from a common one I use on a lot of those same throwaway sites (for sites that I actually care about, I generate a random password, which I store in 1Password). Stupid. I’m sure one of those sites got compromised and was storing its passwords in plaintext.

I don’t think much damage was done, other than spamming a lot of Y! IM friends. The upside was that I got back in touch with some friends I hadn’t talked to in ages.

The lesson here is to never trust any site to keep your password secure. Count on it getting compromised at some point. Use a random password for each one, and a tool like 1Password or LastPass to keep track of them.

Most important, never use the same password on your email accounts that you do on any other site. If your email account gets compromised, the attacker can use that account to gain access (via “forgot password”) to any other sites that use that email address.