Heads Up, My Yahoo Email Account got hacked!

 

I was using my Yahoo Email account today (2018-02-02) and it was hacked while I was online!

Someone added a phone number from RUSSIA so they could reset my password...

SO if your email gets hacked, make sure you look to see if there's another phone number listed as a contact number and DELETE IT!

Then change the password!!

Look out folks.. I don't know if this is another breach of the YAHOO Email or not... I did notice the other day my Yahoo Email was acting strange..

--
Never argue with a pig. It makes you look foolish and it annoys the hell out of the pig!

WOW

I have no phone number listed and Yahoo asks me quite often to add one for my convenience should they have to send me my password.
How do you know it was from Russia?

Guess I'll have to watch and see if someone adds a number for me.

--
garry

Same with Facebook and Google.

garry1p wrote:

I have no phone number listed and Yahoo asks me quite often to add one for my convenience should they have to send me my password.
How do you know it was from Russia?

Guess I'll have to watch and see if someone adds a number for me.

Facebook and Google both ask me to add a phone number. Don't trust either one to either use that number for marketing, or lose the info if they get hacked.

--
DriveSmart 65, NUVI2555LMT, (NUVI350 is Now Retired)

Practice good security

There are tons of password managers out there for PC, Mac, Linux, Android, iOS, etc.

Use a different password for each account you have. Make each of them over 20 characters and include letters, numbers, special characters, and a mix of upper and lower case. Use the password manager to save and manage your various passwords.

Your e-mail account is the most important of all of them. If somebody gets that, they can get access to pretty much everything else you have. Make your e-mail account password the most lengthy and complex.

Most password managers include a tool to generate passwords according to your specifications. For the truly paranoid, use this:

https://en.wikipedia.org/wiki/Diceware

http://world.std.com/~reinhold/diceware.html

Also, never give correct answers to security questions. If you do, somebody who knows you could potentially answer those questions and get access to your accounts. Always use a few random words as answers to security questions and keep a record of them in your password manager.

.

GPSgeek wrote:
garry1p wrote:

I have no phone number listed and Yahoo asks me quite often to add one for my convenience should they have to send me my password.
How do you know it was from Russia?

Guess I'll have to watch and see if someone adds a number for me.

Facebook and Google both ask me to add a phone number. Don't trust either one to either use that number for marketing, or lose the info if they get hacked.

Same here, been asked, will not give. More and more ways pop up every day to steal from you in this electronic age, gone are the days the robber had to look you in the eye.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

?

What a surprise. How many times has Yahoo been hacked... rolleyes

--
nüvi 3790T | Those who make peaceful revolution impossible, will make violent revolution inevitable ~ JFK

.

poibb wrote:

There are tons of password managers out there for PC, Mac, Linux, Android, iOS, etc.

~snip~

I use one, can generate large passwords using everything on the keyboard, however, the program itself still requires a password to use that you have to remember, only as good as the weakest link comes to mind.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

.

Juggernaut wrote:

What a surprise. How many times has Yahoo been hacked... rolleyes

Wifey uses Yahoo email, seems like every few months.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

Precisely

Why use it?

--
nüvi 3790T | Those who make peaceful revolution impossible, will make violent revolution inevitable ~ JFK

.

GPSgeek wrote:
garry1p wrote:

I have no phone number listed and Yahoo asks me quite often to add one for my convenience should they have to send me my password.
How do you know it was from Russia?

Guess I'll have to watch and see if someone adds a number for me.

Facebook and Google both ask me to add a phone number. Don't trust either one to either use that number for marketing, or lose the info if they get hacked.

Do you use an Android smartphone? If you do, it's safe to say that Google already got your phone number. Same goes for Facebook. If you use it on the phone, they have your number. I don't fill out my phone number on my Facebook profile but I assume they already know it.

.

BarneyBadass wrote:

I was using my Yahoo Email account today (2018-02-02) and it was hacked while I was online!

Someone added a phone number from RUSSIA so they could reset my password...

SO if your email gets hacked, make sure you look to see if there's another phone number listed as a contact number and DELETE IT!

Then change the password!!

Look out folks.. I don't know if this is another breach of the YAHOO Email or not... I did notice the other day my Yahoo Email was acting strange..

Are you saying that you check Yahoo Account Security and find out that there's a recovery phone number that you never added? And when you look at Recent Activity, there's a device with a Russian IP address?

When did you last change your Yahoo password? Was it before or after that big news about Yahoo breach? Care to elaborate?

@Chewbacca

chewbacca wrote:
BarneyBadass wrote:

I was using my Yahoo Email account today (2018-02-02) and it was hacked while I was online!

Someone added a phone number from RUSSIA so they could reset my password...

SO if your email gets hacked, make sure you look to see if there's another phone number listed as a contact number and DELETE IT!

Then change the password!!

Look out folks.. I don't know if this is another breach of the YAHOO Email or not... I did notice the other day my Yahoo Email was acting strange..

chewbacca wrote:

Are you saying that you check Yahoo Account Security and find out that there's a recovery phone number that you never added?

Exactly! It was 380 xxxxxxxxxx... whatever it was..

chewbacca wrote:

And when you look at Recent Activity, there's a device with a Russian IP address?

Kinda Sorta; the time zone setting and the phone number that had been added were both set to be Russian.

chewbacca wrote:

When did you last change your Yahoo password?

Prior to discovering this breach, I changed all my passwords on 2018-01-29, then after finding my Yahoo email password had been hacked while I was using it on 2018-02-02, I changed them all again on 2018-02-02. I get into all my email accounts several times a day so it happened sometime on 2018-02-02 while I was actually using the account.

This is kind of akin to sites where you get 3 chances to put in your password before you get locked out. While you are logged in to many of these systems, if someone tries to get into your account 3 times, and fails, your account password gets locked, so you can't get into it and you need to get it reset somehow.

chewbacca wrote:

Was it before or after that big news about Yahoo breach?

This hack happened on 2018-02-02

chewbacca wrote:

Care to elaborate?

I routinely change all my email passwords, all my financial and health account passwords every 30-45 days unless I'm somehow forewarned there's been a breach of one kind or another, then I change all the passwords at that time. Then I continue on to change all my passwords on their normally scheduled 30-45 day change cycle.

All my passwords are 16-30 characters in length: upper, lower, numeric and special characters.

No two passwords are the same. They don't even follow the same pattern.

--
Never argue with a pig. It makes you look foolish and it annoys the hell out of the pig!

BarneyBadass wrote:

I was using my Yahoo Email account today (2018-02-02) and it was hacked while I was online!

Someone added a phone number from RUSSIA so they could reset my password...

SO if your email gets hacked, make sure you look to see if there's another phone number listed as a contact number and DELETE IT!

Then change the password!!

Look out folks.. I don't know if this is another breach of the YAHOO Email or not... I did notice the other day my Yahoo Email was acting strange..

Please use two factor authentication to be safe.

--
Iphone XR, Drivesmart 61,Nuvicam, Nuvi3597

.

Juggernaut wrote:

Why use it?

She says because she has had that address for so long it would be impossible to notify everyone of a change, some folks she hasn't talked to or seen in years. She's a teacher and some former students reach out once in a while, etc etc etc.

Personally, I think she should dump it.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

2FA Not Infallible...

rookie8155 wrote:

Please use two factor authentication to be safe.

FYI:

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-a...

What About Non-Yahoo Addresses On Yahoo Servers?

Because years ago AT&T outsourced email hosting services for their various operating subsidiaries' customers to Yahoo, authentication for users during login happens at AT&T, which then "opens the doors" to your email account. Any attempt to verify phone numbers or other owner-specific credentials just takes you to some server on AT&T's customer networks--effectively a man-in-the-middle weakness BY DESIGN! Not sure who to distrust the most.

Does Yahoo offer

Does Yahoo offer multi-factor authentication?

um...

riveroaks wrote:

Does Yahoo offer multi-factor authentication?

Not that I'm aware of...

--
Never argue with a pig. It makes you look foolish and it annoys the hell out of the pig!

Still

have my Yahoo email from AT&T years ago, no problems but, I also use RoboForm. RoboForm Everywhere keeps my passwords up to date and password protected on all my computers.
My 2 cents.

--
Garmin Nuvi 765T, Garmin Drive 60LM

Yahoo 2FA

BarneyBadass wrote:
riveroaks wrote:

Does Yahoo offer multi-factor authentication?

Not that I'm aware of...

Yahoo does offer 2FA, under Account Info, FYI:

http://oi68.tinypic.com/v5zhh2.jpg

regular changes

As long as Yahoo (or any other email host) does not take security seriously on their side, there is not much you can do. If they are "giving away" your account credentials to hackers, even 100 layers of authentication are worthless.

All you can do is change your password on a regular basis (often is better) and hope that in the meantime another breach will not happen.

tli wrote:
rookie8155 wrote:

Please use two factor authentication to be safe.

FYI:

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin

It may not be 100% secure but the advantage is that you get a notification right away on your phone when someone tries to tamper with your account.

--
Iphone XR, Drivesmart 61,Nuvicam, Nuvi3597

Password managers

poibb wrote:

There are tons of password managers out there for PC, Mac, Linux, Android, iOS, etc.

While most are probably legit... If I were going to try to collect people's passwords, I think a great method would be to create a password manager that sends me your passwords in the background. I'd make it look and feel legit. Maybe even charge a few bucks instead of making it free, just to give my "clients" a warm fuzzy that it was legit. Even jump through whatever hoops are needed to get it on the app stores.

--
NUVI 350

Good Advice

Thank you for sharing.

--
Shooter N32 39 W97 25 VIA 1535TM, Lexus built-in, TomTom Go

.

Jery wrote:

have my Yahoo email from AT&T years ago, no problems but, I also use RoboForm. RoboForm Everywhere keeps my passwords up to date and password protected on all my computers.
My 2 cents.

If RoboForm gets hacked, wouldn't they have all of your passwords in 1 place?

Yes

And that is the problem with all "multi-platform sync across all your devices" software. If it only stored the passwords on one device most people would not even download it, but they forget about privacy because they want it all on all devices.

--
I never get lost, but I do explore new territory every now and then.

Another argument for Open Source software

If you can't review the source code and compile it yourself you can never truly be sure.

MikeSid wrote:

While most are probably legit... If I were going to try to collect people's passwords, I think a great method would be to create a password manager that sends me your passwords in the background. I'd make it look and feel legit. Maybe even charge a few bucks instead of making it free, just to give my "clients" a warm fuzzy that it was legit. Even jump through whatever hoops are needed to get it on the app stores.

I always...

GPSgeek wrote:
garry1p wrote:

I have no phone number listed and Yahoo asks me quite often to add one for my convenience should they have to send me my password.
How do you know it was from Russia?

Guess I'll have to watch and see if someone adds a number for me.

Facebook and Google both ask me to add a phone number. Don't trust either one to either use that number for marketing, or lose the info if they get hacked.

...give a fake phone number. I usually give them a phone number that I used at work that was an emergency phone that was in place just in case our phone system went down. If they call it, they will get nothing but a lot of ringing.

--
With God, all things are possible. ——State motto of the Great State of Ohio

.

KenSny wrote:

And that is the problem with all "multi-platform sync across all your devices" software. If it only stored the passwords on one device most people would not even download it, but they forget about privacy because they want it all on all devices.

I use Roboform and have not synced it across all my devices. There is one file that has all the info under my control. Important password protected stuff is only done on that device, no matter how inconvenient it can be at times.

Roboform's weak spot is the master password you have to remember to access the program. Its strong point is the ability to generate and remember very complex passwords that would be nearly impossible to remember.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

.

BarneyBadass wrote:
riveroaks wrote:

Does Yahoo offer multi-factor authentication?

Not that I'm aware of...

They do. Check your Yahoo Account security settings. Btw, I just checked my throw away Yahoo mailbox. In Preferences I see the following (under My Locations):

Hong Kong, Hong Kong
Sydney, NSW, Australia
Tokyo, Tokyo Prefecture, Japan
London, England, United Kingdom
New York, NY
Paris, Ile-de-France, France
Los Angeles, CA
Sunnyvale, CA
Rome, LZ, Italy

I have not visited those places recently except Los Angeles, CA. I've never visited some of the above places in my life. Looks like this account was either breached or there have been attempts to sign in from those locations. I removed everything except Los Angeles. I'll check back in a few weeks/months. Let's see if there are new places listed under Preferences.

.

tli wrote:
rookie8155 wrote:

Please use two factor authentication to be safe.

FYI:

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin

Here's another reason:
http://www.androidpolice.com/2018/02/06/t-mobile-sued-portin...

Thanks for the tip!

I'm going to look into it for my accounts right now!