Yahoo Mail users have been seeing their accounts broken into for months. While Yahoo says it has plugged at least two separate security holes leading to accounts getting hijacked, it appears the problem persists.

It’s unclear how long these attacks have been going on, though we first reported that Yahoo Mail users were seeing their accounts compromised back in early January. We’re now in March, and it appears that Yahoo still has a big problem on its hands.

Not only are we still getting reports from individual Yahoo users about their accounts getting hacked, but we are seeing spikes in traffic from Google to our previous stories. We believe these clicks represent a rise in users realizing their inboxes have been hijacked after hackers send out a bunch of emails from already compromised accounts.

Attacks typically consist of Yahoo users receiving an email from a friend or colleague (and sometimes a completely unknown party) containing a link that, if clicked, results in the account being hijacked. Some say their hijacked accounts send emails to select individuals, others report they get sent to all their contacts, and one even noted that they went out to “anyone I had ever received and/or sent a message to.”

We asked the users who got in touch with us if they got such an email and clicked on the link. Reports were mixed: some said they got an email and clicked the link, some said they got the email but didn’t click, and others said they never got such an email.

Amongst those that did click on a link, however, there was at least one detail that recent reports consistently corroborate: the attackers have apparently been referencing a non-existent MSNBC news report in the email. The bit.ly URL that is included (we’re not linking it here for obvious reasons) redirects to a fake MSNBC page that reportedly hijacks your Yahoo Mail account immediately if you are logged in.

Yet many insist they never got such an email or clicked on such a link: their accounts were simply hijacked out of the blue. These individuals only learned about the incident from contacts who received shady emails from them.

Below are three excerpts from what Yahoo users have been telling us about these attacks. The first one comes from a Yahoo user who is part of a larger organization:

We were hacked at the end of January. They spammed everyone in the “contact” folder and deleted all the contacts. We just had another yahoo account hacked yesterday. Not only did it spam the entire “contact” folder, but we are unable to send out e-mails or access our “secret question” to change the password.

There was a toll-free number to call and when we did so we spoke with people who spoke very poor English, and they asked for a one-time fee of $100 for assistance with the issue. When we refused they hung up on us. We called the number twice, the first time we spoke with a woman and the second time we called we spoke with a man. Both times we called, when we refused the payment of $100 we were hung up on.

It’s fair to say that the number in question does not belong to Yahoo. These are scammers attempting to extract a ransom payment in exchange for an account they have compromised.

Another story comes from a Yahoo user who wants to simply be known as “someone in California”:

Actually, my yahoo account is a dummy account. Yahoo hosts my domain for another e-mail address and I never send/receive using the yahoo email address. That’s why I feel so certain that the hack had to have been on the yahoo-side. Also, the spam that went out was to people who had sent messages to my hosted domain name – not the yahoo account (even though the message they received was FROM my yahoo account).

So whatever the hack was, they were able to connect the dummy yahoo account to the hosted domain account. I know this because some recipients were people that were not in my address book and wouldn’t have even known about the yahoo account to ever have sent anything to the yahoo account. Their only connection was messages in the domain-hosted inbox. Other reason I suspect it’s not fixed (and not just me) is that the spam filter for this account (my work email) picked up at least two other yahoo spams like mine at the same time. They were – like the scenario in mine – from people who probably had an email from me in their inbox even though I wasn’t in their address book.

This is one of several accounts we have seen showing that those behind these attacks use hijacked accounts to spam others heavily. That is one of the reasons the campaign is ongoing and doesn’t look like it will be slowing down anytime soon.

A Canadian also had a similar story to tell:

My yahoo.ca email account was compromised last night and the same spam email, something to do with working at home for great money, was sent to all my contacts. Fortunately the account list that was attached to this email address was ten years old (it has now been archived) and half the messages came back as undeliverable. I also received the same spam message last week from a friend who sent it from her yahoo.ca account.

My Yahoo email account was set up during pre-BlackBerry days to retrieve messages remotely from other mail servers and is only used nowadays to track deliveries from e-retailers and to receive notices of updates from software providers and other non-essential vendors who require their clients to register in order to access their services. It has been linked passively to smartphones for the better part of a decade and I logged on yesterday to delete the outdated contact list and to change the password for the first time in many years. As the account has been absolutely spamless and requires no management effort whatsoever, I will continue to use it as an electronic mailbox.

For reference, here’s the timeline of events up until today:

  • On January 7, a lone hacker by the name of Shahin Ramezany uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers. The same day, Yahoo got back to TNW with two statements, first saying it was investigating and secondly confirming it fixed the flaw.
  • On January 8, researchers from Offensive Security let TNW know they had discovered that the vulnerability is still present, demonstrating a workaround showing they can still exploit the flaw in question.
  • On January 11, Yahoo issued a third statement to TNW: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
  • On January 28 and January 30, two Yahoo users contacted TNW to say their accounts were compromised via what they believed was the same method described in our previous articles.
  • On January 31, we followed up with a story regarding a known flaw in the SWF Uploader component of Yahoo’s developer blog as pointed out by Bitdefender Labs. Yahoo says it fixed this flaw and recommended affected users change their passwords.
  • On February 25, February 27, March 1, and March 4 we received more emails from Yahoo users saying their accounts had been compromised.
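The timeline names a DOM-based XSS flaw as the original entry point. The following is an added illustration of that bug class in general, not the Yahoo flaw, Yahoo’s code, or anything from TNW: a page that copies part of its own URL (a DOM source such as `location.hash`) into an HTML sink such as `innerHTML` lets markup in the URL be parsed as part of the page. The browser objects are modelled by a small constructed stand-in so the code runs under Node; the function names, the fake DOM, and the sample URLs are all assumptions made for this example.

```javascript
// Added example (not from the article or Yahoo): DOM-based XSS pattern and two fixes.

// Minimal stand-in for the browser objects involved (constructed for this example).
function makeFakeDom(url) {
  const hashIndex = url.indexOf('#');
  return {
    location: { hash: hashIndex >= 0 ? url.slice(hashIndex) : '' },
    element: { innerHTML: '', textContent: '' },
  };
}

// Read the untrusted value from the URL fragment; malformed percent-encoding
// throws a URIError in the real browser too, so treat it as empty input.
function nameFromFragment(dom) {
  try {
    return decodeURIComponent(dom.location.hash.slice(1));
  } catch (e) {
    return '';
  }
}

// Vulnerable pattern: fragment text is concatenated into innerHTML, so any
// markup in the URL is parsed as HTML in the page's own origin.
function renderGreetingUnsafe(dom) {
  dom.element.innerHTML = '<h1>Welcome, ' + nameFromFragment(dom) + '</h1>';
  return dom.element.innerHTML;
}

// Fix 1: write to textContent, which never parses markup.
function renderGreetingSafe(dom) {
  dom.element.textContent = 'Welcome, ' + nameFromFragment(dom);
  return dom.element.textContent;
}

// Fix 2: when HTML must be built by hand, encode the five significant
// characters before concatenating untrusted text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingEscaped(dom) {
  dom.element.innerHTML = '<h1>Welcome, ' + escapeHtml(nameFromFragment(dom)) + '</h1>';
  return dom.element.innerHTML;
}

// Review check: does the rendered HTML contain any tag beyond the template's own <h1>?
function containsInjectedTag(html) {
  const inner = html.replace(/^<h1>/, '').replace(/<\/h1>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample URLs: a plain name, and a fragment carrying encoded markup.
const BENIGN_URL = 'https://mail.example.test/page#Alice';
const MARKUP_URL = 'https://mail.example.test/page#%3Cb%3EAlice%3C%2Fb%3E';

// Running this file under Node shows the three renderings side by side.
console.log('unsafe :', renderGreetingUnsafe(makeFakeDom(MARKUP_URL)));
console.log('text   :', renderGreetingSafe(makeFakeDom(MARKUP_URL)));
console.log('escaped:', renderGreetingEscaped(makeFakeDom(MARKUP_URL)));
```

The unsafe renderer turns the encoded fragment into a live `<b>` element; the escaped renderer keeps it as visible text, and the `textContent` renderer never touches the HTML parser at all. The same source-to-sink review (URL, `document.referrer`, `postMessage` data flowing into `innerHTML`, `document.write`, `eval`, or `location` assignment) is how DOM XSS is found in client code without any server-side log.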

We contacted Yahoo about this issue but the company merely reiterated its previous stance. “The XSS flaws reported to Yahoo! have been fixed and we continue to aggressively investigate reports of any email accounts exhibiting anomalous behavior,” a Yahoo spokesperson told TNW. “We’re committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit.”

Yahoo is the third largest email provider after Microsoft and Google. Regardless of whether the original flaws were not patched properly or these are new flaws, it’s simply unacceptable for Yahoo Mail users to have their accounts hijacked so easily and for Yahoo to stay passive for so long. The company needs to do more.

See also – Yahoo Mail users quietly given HTTPS security option following pressure from privacy advocates

Image credit: Justin Sullivan/Getty Images