I Was Hacked

Well, let me apologize if I have your email in my Yahoo account because you probably spent part of the afternoon getting spammed by me.

I’m not exactly sure how it happened. I mean, yes, my email password was Password1234, but I thought the capital P would be tricky. Ha ha ha. No, just kidding. My password wasn’t something simple to guess or associated with me in any obvious way. Yahoo lets you track where log-ins happen and from where (kind of), so I was able to ascertain that some dude from Poland got in using a Yahoo affiliated application. I’m not sure what applications Yahoo has other than Flickr, so that’s my guess for how he got in–through Flickr somehow.

I already had in place all the things Yahoo says to have in place to keep from getting hacked–strong password, fancy picture on the login page, etc. So, other than changing my password, I’m not sure what more I can do, but I’m hoping it’s over.

Unless it’s retaliation for my snarky attitude toward government snooping in our data. In which case, yes, you got a few emails from me, but the NSA just had to sift through hundreds. So, that’s kind of fair, right?

Again, I am sorry.


8 thoughts on “I Was Hacked”

  1. Hey, how did you find out he logged in from Poland? Because the same thing happened to me a few weeks ago, and I’d be curious to find out how/why/where. Thanks!

  2. I’ve gotten spam from everyone I know with a Yahoo address, so I think it’s their security not your password that is the issue.

  3. …I mean, maybe everyone I know with a Yahoo address has a weak password, but I’m sure people I know have weak passwords on their gmail etc accounts too. So.

  4. Not trying to be pedantic, but here’s a tip. I don’t remember where I read this but a good way to create strong passwords *that you can actually remember* is to make an acronym of a memorable phrase. For instance, if I take, “Shall I compare thee to a summer’s day? Thou art more lovely and more temperate,” I get /sicttasdtamlamt/, a long string of characters that does not contain any actual words. Throw in some numerals and some top-row characters if only to fulfill the site’s rules.

    I don’t know if this makes a difference, but when it comes to those other characters I never use !, @, $, 1, or 3 just because those are common substitutions. I figure hackers are looking for those harder. I don’t know. Like I said, it might not make a difference. That part will make the password harder to remember, but figure out a system.

    Needless to say, I hope you weren’t using the same password at any other sites. The real scary thing about your email being compromised is anyone who gets access to it gets access to any other accounts that are tied to it, thanks to the good old “Forgot your password?” function, which has saved my ass many times but which also makes us and our–ERT!–credit card information much more vulnerable.

    I don’t bother with any of this on sites that don’t have any of my important info, like twitter and tumblr and so on. I use the same stupid password on all of those, for convenience. I have all my shit backed up. When I inevitably get hacked I’ll just change user names and start over. Worst case scenario I switch to another platform. But no one will be able to go and use the same password to steal my bank account.

  5. O.C. if you go into your account info, you’ll see an option to view your recent sign-in activity. But I have to say, looking at it just makes me more pissed about the situation. If Yahoo saw that I logged in at lunch in Tennessee, how the hell did they think I was logging in from Poland at four Tennessee time? How does a person get to Poland from Tennessee in four hours?

    The more I think about it, the angrier that makes me. Motherfucking Yahoo doesn’t have some kind of way to check just to see if a log-in is logically possible?

    Elias, we get massive password lectures at work, so I feel sure that it wasn’t some vulnerability unique to my password. I will, however, be taking a lesson from the article sunraven01 sent me on Twitter:


    and moving around where I put the numbers in my password, since it seems like a lot of brute force hacks start from the assumption that your first character is a letter.

    But, yeah, I mean, I’m sure a hacker would have looked at my password and been all “Oh, ha ha ha ha, that you thought that was going to be hard” but I contend that, for a non-geek person, it was–because of my taking to heart my work lectures–pretty damn good. (Though I’m also going to be going through all my passwords and weighing them against your advice. Yesterday morning I would have felt confident that I was doing all those things. Today? I just want to double-check.)

    And I’ve now heard from a handful of people that this has happened to them through Yahoo, so I also feel pretty confident that this is on them. Like I said, just the fact that I know I’d checked my email at lunch before I went out… How the fuck does Yahoo think I then could log on from Poland?

    To go back to sunraven01’s article, I think Yahoo’s doing a shitty job of encrypting these passwords. Because, here’s the other thing: it wasn’t anything more than a quick nuisance hack. He got in through the “affiliated application” and then got in through the web browser, spammed everyone in my address book, and within fifteen minutes, JR had texted me, I got back to a computer, and changed my password. But the hacker, as far as I can tell, didn’t do anything to indicate he wanted long-term use of the email–he didn’t change my password or set himself up as an alternate email or anything.

    This leads me to think that it’s so relatively easy to get into a Yahoo account that they don’t need to find a way to stay in there once they get there, because they can just get in again or onto the next one.
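The check the commenter above wishes Yahoo had made is usually called an impossible-travel check: two sign-ins from places farther apart than anyone could have travelled in the time between them get flagged for review. The Python below is an added example, not code from this blog or from Yahoo; the coordinates, timestamps and the 900 km/h plausibility threshold are constructed assumptions.

```python
"""Impossible-travel check over sign-in events (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than an airliner is not plausible travel.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    when: datetime   # UTC timestamp of the login
    lat: float       # approximate geolocation of the source IP
    lon: float
    label: str       # human-readable place, used only for messages


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the account holder would have needed to travel prev -> cur."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (prev, cur, speed) for consecutive logins faster than max_kmh."""
    events = sorted(events, key=lambda e: e.when)
    return [(p, c, s) for p, c in zip(events, events[1:])
            if (s := implied_speed_kmh(p, c)) > max_kmh]


# Constructed sample: lunch in Tennessee (12:00 CDT), Poland four hours later.
SAMPLE = [
    SignIn(datetime(2013, 6, 10, 17, 0, tzinfo=timezone.utc), 36.16, -86.78, "Nashville, TN"),
    SignIn(datetime(2013, 6, 10, 21, 0, tzinfo=timezone.utc), 52.23, 21.01, "Warsaw, PL"),
]

if __name__ == "__main__":
    for prev, cur, speed in flag_impossible_travel(SAMPLE):
        print(f"{prev.label} -> {cur.label}: {speed:,.0f} km/h implied, flagged")
```

A real deployment would take the coordinates from an IP geolocation lookup, which is coarse and can be wrong for VPNs and mobile carriers, so a hit is a reason to challenge the login rather than proof of compromise.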

  6. Based on the experiences of some friends who use Yahoo, I strongly suspect that you were (as you think) compromised through Yahoo, not that some hacker was targeting you personally. It seems like every Yahoo user I know has been compromised at some time or another.

    Last year I had two accounts compromised — my Playstation Network account, and one other I can’t recall at this point. After the PSN account was compromised, I picked up 1Password (https://agilebits.com/onepassword) and then went through and made the effort to change every single account I have to a unique, randomly generated password. Each password makes use of the strongest algorithm the site will allow (i.e., if it says up to 30 characters, then that password is a full 30 characters long), with as many numbers and symbols as I can cram into it and still pass the site’s allowable passwords policy. Because they’re all unique, if one account is compromised, then I only have to change the password on that one account.

    I also turned on two-factor authorization for everything that offers it (that’s where you have an app on your phone that generates a 1-time use code that you have to enter to log in, in addition to your password).

    Still, none of this will protect you in the case that the company is hacked (i.e., they steal 100K Yahoo user credentials), but it’s the best you can do to secure yourself.
