[kwlug-disc] OT: Hotmail/Yahoo account breakins

Rashkae rashkae at tigershaunt.com
Thu Feb 28 15:31:37 EST 2013

On 02/28/2013 01:38 AM, Bob Jonkman wrote:

> I can tell it's an attack on Yahoo's servers, not a drive-by
> vulnerability on web browsers that access Yahoo's webmail site because
> one of the messages I received was "from" a friend who passed away in
> 2011, so I *know* he wasn't using a vulnerable browser or a
> malware-infested computer. The spam messages also list a number of addresses in
> the To: field from the victim's addressbook. Some of the addresses
> listed in the To: field from my friend were from unpublished accounts on
> a mail system we administered, so I'm pretty sure Yahoo's servers were
> compromised, giving the attackers access even to dormant accounts and
> their addressbooks.
> I've also been receiving a ton of messages where the name in the From:
> field is someone I know, but the e-mail address is something like
> qwertysplat at yahoo.com. It seems that's a different spam engine, because
> those messages are an ordinary case of header spoofing, and not
> particularly well done.
> In both cases my spam filter catches them nicely, except when the
> message has been sent to a mailing list. At least two mailing lists I
> manage have been spammed this way, and the TLUG list too. Have any
> messages snuck through to the KWLUG list?

> And there doesn't seem to be anything in the online technical press,
> either.  There's this:
> http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10864681
> but I'm not sure it's the same thing or an older attack (the article is
> from 11 February).  Also, a source in the article claims that attack is
> an XSS attack, but that doesn't explain how dead relatives could be
> affected.
> "Telecom have explained, I guess that it's a compromise of the Yahoo
> database...and the data appears to have been stolen."

Thank you.  This was where my gut was leading me, but without a press
release or announcement from Yahoo that "By the way, all your accounts
belong to someone else." I was hoping there would be some collaborative 
evidence.  This is a serious breach on the part of Yahoo.  Not only that 
the breach has somehow happened, but the complete silence puts lots of 
people at risk.
