Yahoo email accounts compromised

We're getting a couple of calls a day about mysterious emails sent from Yahoo accounts. There's a big security flaw with Yahoo that means that if (a) you use a PC for accessing Yahoo mail; and (b) you go to a web site set up by criminals, the criminals trick your PC into giving them your account details. You don't see it happening; you'll never know. One way they do this is by emailing links to their dodgy web page from one of the accounts they've stolen to all that person's friends. We're intercepting several a day from all sorts of accounts, sent from various world-wide locations, particularly Hyderabad and the Gaza Strip.

If you've clicked on any of these links and you, or anyone using the PC, has a Yahoo account, the best thing you can do is change your Yahoo password NOW. It would be a sensible precaution to change your password anyway, as there is no real way of telling if you've encountered one of these traps just lying around on the web somewhere. You must also assume that the criminals have read all your email, so review it to make sure there was nothing sensitive (e.g. passwords from your bank or PayPal account!). Yahoo has known about this for at least six weeks, and claims to have fixed it, but I don't believe them.

To change your Yahoo password, log in and go to Account Info - normally an option that drops down on the top-right of the screen. You'll find an option to change the password under Sign-In and Security, halfway down the screen. While you're there, check the email addresses listed for you under contact information - make sure all your registered addresses are really yours and delete any that aren't (obviously).

There's some more information and possible discussion on this blog post.