
Yahoo account compromised -- now what?

Sep 23, 2016 5:35PM PDT


I'm upset that millions of Yahoo user accounts have been compromised, which most likely includes my account. I have already gone through the process of changing my password and security questions as Yahoo has recommended. I have been using this account as my primary email address for over a decade, and I really do not want to give it up. Not only do I love this email address, but I also love using the service. I even pay an annual fee for it. Am I being stupid and stubborn for continuing to use it? Is it a higher security risk? I'm just not sure what to do, and I'm scared of it being compromised again. What would you do? Please help me out. Thank you.

--Submitted by: Evelyn C.

Fake Answers
Oct 4, 2016 10:00PM PDT

All GREAT Points! We had a discussion a long time ago about security questions in general. The thought, by the average user, was that answering these questions is giving someone out there (a website employee, perhaps) too much information about yourself. So, let's say, you answer the question about "mother's maiden name" accurately; then an employee of the website can use that information to hack into one of your other websites, like your back. Answering security questions accurately also caused a bunch of female celebs to have their nude photos hacked on iCloud.
Unfortunately, you are VERY correct on using fake answers. If the initial issue is that you forgot your password, what makes anyone think they won't forget their fake security answers? It is self-defeating.
In my book, all security data should be heavily encrypted. Nobody at the website's office should be able to know what your password is no matter how trustworthy he or she is because even these people can have their machines hacked as well as the servers. The security questions/answers should also be encrypted. That would solve a lot of problems but nobody bothers these days.

OOOPS
Oct 4, 2016 10:02PM PDT

That should have said "bank" not "back".

compromised
Sep 30, 2016 9:51PM PDT

Not quite the same problem, but some mongrel with a Yahoo account hacked my PlayStation account, blocking me out of my games and account, and also purchased games on my credit card, which Sony requires for a PlayStation account.
So watch out: Yahoo hacked and used to compromise other accounts.

Cheers Lenny

Yahoo is my main account and I'm not worried.
Oct 1, 2016 12:31AM PDT

I have had a Yahoo account since they took over GeoCities. I have been paying for the account since they started Yahoo Plus. I am not worried. First of all, I have a pretty strong password and it's pretty new. The credit card I have used for my account back in 2014 already expired and been replaced. Other than Yahoo Groups and news, I don't use any other feature of Yahoo. Come to think of it, I have not used Yahoo Groups as much since 2014. That was about the time they made creative changes and messed things up. In other words, fixed it so there would be more ads. I don't use any other feature because Yahoo has this bad habit of closing them after a year or so. Anyone remember Yahoo Briefcase, GeoCities, Delicious...

So basically, I am not worried...

Your "Pretty Strong Password"
Oct 3, 2016 1:30PM PDT

Has already been compromised. If you don't change it, that pretty strong password was given out in 2014 and is probably sitting on the dark web somewhere. How strong the password is doesn't matter if the website does not encrypt it and it is available to anyone who hacks into their database or flat file. So, if your "pretty strong password" is the same one you used in 2014, it is already too late and I suggest that you change it. Password strength is only good if someone is trying to guess your password, not if a bad guy already knows what it is. The interesting thing is, you get these sites that POST the most frequently used passwords (like, "123456"). If you think about it, no website should EVER be able to come up with a list like that as all of the passwords should be hidden, even from their employees, by encryption. Shows you the general lack of talent we have in I.T.

Free accounts are not secure.
Oct 1, 2016 12:51AM PDT

My concept has always been, if it's free it cannot be secure. What do others think? I never use any free email accounts at all.

Not true
Oct 1, 2016 4:46PM PDT

IMO, some of the best and most services are free. Some of the worst and most unsecured services are not free.

No such thing as a free lunch!
Oct 1, 2016 6:55PM PDT

Remember there is no such thing as a free lunch! There is a catch and you can't see it.

same catch whether free or paid
Oct 1, 2016 7:39PM PDT

In a lot of cases, you have the very same catch with the paid accounts but it has nothing to do with security.

Free vs. Paid
Oct 3, 2016 1:35PM PDT

To be honest, it doesn't matter. If the whiz kids who created the website didn't incorporate any one-way password encryption, all someone has to do is hack into the website or back-end systems and find the unencrypted file holding the passwords. By the way, nothing is really "free". There is always a cost. Sometimes it is hidden (you can get a flavor of what it is by reading website documentation such as Terms of Service and Privacy Policy). If you use a product such as Ghostery or a good ad blocker, you can find out just how many websites you go through just to display one page. Most of those sites are considered "trackers". Today, information is money.
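
Several posts above ("Fake Answers", "Your 'Pretty Strong Password'" and "Free vs. Paid") argue that a site should store passwords and security answers so that neither its staff nor someone who copies its database can read them. As an added example (not part of the thread and not Yahoo's code), here is a sketch of salted one-way hashing with Python's standard library, next to an unsalted hash for contrast; the function names, the sample accounts and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune it to your own hardware


def _derive(secret: str, salt: bytes, iterations: int) -> bytes:
    # One-way: the digest can be recomputed from the secret, not reversed into it.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def make_record(secret: str, iterations: int = ITERATIONS) -> dict:
    """What the site stores: a random salt, the work factor and a digest."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "iterations": iterations,
            "digest": _derive(secret, salt, iterations).hex()}


def verify(secret: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = _derive(secret, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def normalize_answer(answer: str) -> str:
    """Fold case and spacing so a security answer matches however it is typed."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def unsalted_digest(secret: str) -> str:
    """The weak scheme, for contrast: equal passwords give equal digests."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def repeated(digests: list) -> int:
    """How many stored digests occur more than once (what an insider can count)."""
    return sum(n for n in Counter(digests).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them share the password "123456".
    passwords = {"alice": "123456", "bob": "123456", "carol": "tr0ub4dor&3"}
    salted = {user: make_record(pw) for user, pw in passwords.items()}
    weak = [unsalted_digest(pw) for pw in passwords.values()]
    print("repeats visible, unsalted:", repeated(weak))
    print("repeats visible, salted:  ", repeated([r["digest"] for r in salted.values()]))
    answer = make_record(normalize_answer("Potato  Sprinklers"))
    print("answer accepted:", verify(normalize_answer("potato sprinklers"), answer))
    print("wrong password accepted:", verify("1234567", salted["alice"]))
```

With a per-record salt, two accounts that share a password no longer share a stored value, so the stored file alone does not show which passwords are popular; a weak password can still be guessed one account at a time, which is what the work factor slows down.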

Not just email
Oct 1, 2016 2:24AM PDT

Be careful before you delete your account what other Yahoo services you use. In particular - think of Flickr. Do you use Flickr to share and store your digital photos? Don't delete your account or you'll lose all your photos!!

The better alternative?
Oct 3, 2016 10:06AM PDT

Upload your photos to a cloud account AND THEN delete your compromised accounts.

Did what Yahoo required & changed my password
Oct 1, 2016 6:46AM PDT

It was not really a hassle for me since these things happen. A good website to use when changing is called Howsecureismypassword.net. With smart thinking on the user's part, a person can create easy-to-remember passwords.

Reward Hacking Prevention?
Oct 1, 2016 10:28AM PDT

Thought I'd start with some folk wisdom, Fool me once, shame on you; Fool me twice, shame on me.
This seems appropriate for you Evelyn. Or do you want to give Yahoo a second chance to have your personal information stolen? Of course this is a personal decision.
Since I am not affected by this problem (never used Yahoo) I can be more objective but it troubles me how many internet providers seem to be quite able to run a business profitably and provide so many functions to keep clients amused and using their service yet it is your responsibility to protect your own privacy, not theirs.
Drawing a parallel with the requirement recently enacted by the state of Texas regarding allowing refugees to be resettled in the state, i.e., require a signed statement by various government organizations, FBI, Homeland Security, etc. guaranteeing that no resettled refugee will be a terrorist or commit any terrorist acts in the state.
If the management of Yahoo were to provide you, Evelyn, with a guarantee regarding their protection of your personal information I feel you might be justified in changing your password and continuing to use the service, otherwise it's up to you (I'd drop it).
In fact, given the current atmosphere and appreciation of the need for privacy protection, mightn't all internet service vendors be providing a needed service by including a Private Protection Guarantee as the first item in their terms of usage. Then a new or existing user will have the option not to choose a service (and provide it with the ability to conduct a successful business) without that guarantee.
This problem kind of sounds like a car manufacturer selling a great car without the safety of brakes and suggesting that the driver provide braking capability when they replace his totaled car.

Privacy Protection Guaranty
Nov 7, 2016 10:25PM PST

You will probably NEVER see that. The reason is that these "free" websites, give out your information willingly and freely to advertising partners and will admit that they do that in their Terms of Service and Privacy policies. I worked with law enforcement and had to read up on some of these as the feds require certain levels of privacy of data such as HIPAA/HITECH and CJIS rules. We could not use Google services for a project because the City of Los Angeles (LAPD) found that Google didn't support CJIS. Now, if you look through Google's policies, they state that you are NOT allowed to store medical patient data on their websites without a special business agreement (BAA with PHI). So, if they are a free website, even Google, they cannot guaranty privacy and actually state the opposite in their documentation to support their use of your data (including GMAIL) for advertising. And companies that spread themselves over the globe can't do background checks on their employees.

Security Question Tips
Oct 1, 2016 12:36PM PDT

First, make sure you use a password manager, so you don't have simple or reused passwords for accounts.

Second, make the security questions really obscure. If the question is, "What was your high school mascot?", don't give the real answer. Instead, answer it with some nonsense like, "potato sprinklers." You'll never remember your nonsense answers, so keep the question and the answer as a note field in your password manager program.

When a hacker breaks into Yahoo! or some other service, they may be able to see your security answers and questions. This gives them more information about your history and private life to further take over your ID.

Yahoo compromised iPad use?
Oct 1, 2016 12:43PM PDT

When using my iPad I don't have to 'sign in'. Is this dangerous? Can I/should I change the way I use my email accounts on iPad? It is so convenient not having to 'sign in' for each one, and seeing All Mail in one place.

Yahoo not your iPad.
Oct 1, 2016 12:47PM PDT

The article should have explained this was accounts at Yahoo. So change your passwords and if you are like most folk you used the same password at more than one site.

This means you should forget that password and change it wherever you used it.

Not an exploit of the iPad.

Yahoo iPad
Oct 4, 2016 12:17PM PDT

Not quite sure what you mean by 'not an exploit of the iPad' or 'accounts at yahoo'. Are 'accounts' different to an email account?
My concern was that when I open my iPad (with a security code), my emails are open and do not require me to put in my password. Is this problematic, or are you saying that the iPad cannot be exploited with my passwords, unless I gave someone access of course.
Not a technical person, so appreciate the insights.

Try a new post with your questions.
Oct 4, 2016 12:22PM PDT

A new post would be best as this is buried here and we can't have a discussion.

Try formatting as a question so members can answer. If more than one question, number them like this.

1. Does it rain in Spain?
2. When will it rain in Spain?

What damage is already done..
Oct 2, 2016 7:22PM PDT

I realize this may be too late for your situation Evelyn C, but when I opened my Yahoo account I never used my true details, so I'm not even worried about any compromise so far. However it may still be wise to replace all of your personal information with fake or inaccurate data, so that the next time there is a breach, at least the criminals will not be sure just who they are dealing with.

When I went to Yahoo to check on this, I couldn't see any suspicious activity on my account at all, but Yahoo suggested DELETING the security questions entirely - so apparently they've switched to sending alternate email alerts for their customers. The only problem is you might think of using a junk email account at another company like Gmail or whatever, so that you can dump it if this happens again. You only need it for alerts of nefarious actions on the Yahoo account, so that you can monitor it that way. 2 Factor authentication is getting popular using cell phones, but I so far have resisted this for the same reason - because I don't want the crooks knowing my phone number too!!

You should be able to keep using the account from now on, but make sure you never repeat the password anywhere and make it at least 9 characters long with upper and lower case letters mixed with numerals and special keyboard characters. You may be able to change the user ID as well - to something that is not the original email address. I notice Yahoo no longer asks for the email address for the user ID, but I'm just guessing about that factor. It can't hurt to try it, as you should still be able to get back into it. IF the account is tied to social networks, you may have to give a short explanation to your friends that a breach made any personal information a liability and that is why the change is being made. Since you will be keeping the original email address, it will not be necessary to broadcast any changes that you don't really feel are important to your contacts.

Changing the password and taking Yahoo's advice should be enough to keep your account - it would be unlikely for them to reacquire the account with a big change in the access data like that. Once upon a time I did something stupid and registered with a spammer - but thankfully I was able to block these using the filter controls at Microsoft Live. I don't know how good Yahoo is at doing this, but so far I haven't received any junk mail for years, so I'm guessing they are okay.

At least till next time! <sigh> :/

I forgot a major check to be made.
Oct 2, 2016 7:31PM PDT

Make sure nobody added some strangers into your contact list, or they may be able to reacquire your email again. The chances that you were ever compromised are low enough not to worry if just these few cautions are taken.

I would definitely switch.
Oct 3, 2016 8:54AM PDT

To be honest, my first thought is "People actually still use Yahoo as their primary e-mail address?". I shied away from Yahoo over a decade ago when GMail launched. I had kept and maintained my Yahoo account for a few years but it was never my primary account once GMail came about.

Secondly, Yahoo getting hacked is nothing new. In fact, my own Yahoo account, after years of sitting idle, was hacked. The one thing I did use my Yahoo account for was my online gaming account (World of Warcraft). I had set the account up with Yahoo (just before I opened my Gmail account) and kept it attached to my Yahoo account for years. When I stopped playing the game, both my game account and my Yahoo account sat idle and unused for over 2 years. Then one day, I reactivated my account to find it had been compromised because my Yahoo account, which had not been touched in over 2 years, had somehow been hacked.

Typically the most common causes of e-mail hacking are from phishing e-mails, but Yahoo...it was just always getting hacked. Hotmail may be the only provider out there that's worse than Yahoo when it comes to being hacked without the user being duped, but it's a tough call now...both Yahoo and Hotmail are horrible e-mail services when it comes to security.

I know it's a major pain to switch over to a new e-mail provider, but I would suggest going to GMail and slowly converting over all of your accounts, subscriptions etc. one at a time until you completely roll everything over, then get rid of the Yahoo account. No e-mail service is infallible and Gmail suffered its own hack not too long ago, but anything is better than Yahoo.

I later ended up working for Blizzard Entertainment, and handled customer account compromises constantly. I would say confidently that 95% of ALL compromised game accounts that stemmed from compromised e-mail addresses were attached to Yahoo e-mails. The worst thing would be when customers didn't listen to our instructions - they would not change their password on their e-mail account, and leave it as it was. Sure enough, their game accounts would be compromised again within a few hours.

Trust me, this was a wake up call and likely the beginning of the end for Yahoo (which I believe is up for sale anyway?). You are better off finding another provider (not Hotmail!)

The BEST alternative to yahooey!
Oct 3, 2016 10:03AM PDT

So, Evelyn............what to do, what to do?

First of all, do not reward yahoo for their lack of security and lack of timeliness by keeping their service! They DO NOT DESERVE your business.

Secondly, huge companies offering these kind of services are notoriously poor providers in general......I suggest you shop around your local area and find a long time IP provider with a good reputation who can provide you with everything you need in an email program with the advantage that they are small enough that no one will ever bother to hack them! They might even provide their own overarching security, such as postini.com, on their servers that will make it even more difficult for you to get hacked as well as provide the best virus protection available all as part of their (probably) small fee for just using their email program. The local service I use provides killer virus protection, local customer service, 4 email addresses and a reliable GUI and always up and running service that is easy to log in to and use. All this for $5 a month!

More SPAM in Inbox
Oct 5, 2016 3:42PM PDT

I changed my password and immediately my INBOX filled with emails from Avanquest and then later from snagajob. What did Yahoo do that let these two companies swamp us with useless emails? Even if I wanted a job (I'm 77.), I don't need multiple emails daily from snagajob.

Inbox on Yahoo
Nov 7, 2016 10:32PM PST

While nobody needs to have your password to fill your inbox full of junk (all they need is (userid)@yahoo.com), I opened a yahoo account but never used the email address to send or receive messages ever. Within a day, the box was full of junk. Since I only use the yahoo ID for commenting or, sometimes, to get into other sites, I don't care about the inbox. Others DO, I imagine.

Security of using Yahoo account
Nov 5, 2016 9:08PM PDT

It should still be safe to use, but I would recommend using 2 step verification to ensure your security. I would also suggest having complicated passwords to prevent your account from being hacked easily. Try changing your passwords once in a while. If you follow what I've said you should be safe.

Good advice but...
Nov 7, 2016 10:58AM PST

don't forget that this was not a compromise of one single account but a big compromise of the membership servers, and all data on it. That is a whole other problem, and makes individual security practices rather limited in success. All we can do is maintain awareness of the news, and also changing your password at your web based services every three to six months as regular habit is a good practice. Then if your email provider doesn't know it has been breached, at least you know your latest password has probably already taken care of the problem.