At precisely 20:26 local time my Yahoo app began buzzing like a bee hive. 72 ‘Mailer-Daemon’ failure to email messages popped up one after the other in my home-use email.
Shortly afterwards I started getting emails from concerned buddies. ‘You have a virus’ was the most common reaction, with ‘Hacked…’ being the second. Someone I emailed with 5 years ago said I’m a spammer and they’ll immediately report me as such, and two
other guys said they’re not interested in what I’m offering and asked to be remove from my mailing list.
I then went through the following checklist, which I’d recommend if something like this happens to you guys:
I logged into Yahoo from a Mac computer I consider relatively safe. I considered accessing from a clean desktop image or ‘safe browser’, which essentially means a zero-chance-of-having-malware session, but then decided against it. If after recovering the
account it’s re-owned, then it’s a clear sign that the problem is on the Mac, which is x100 more worrying than having the Yahoo credentials compromised.
I changed my password reset information and then selected a new password. This should be the first step because if the credentials are compromised, just resetting the password isn’t enough; the nice people that got my credentials can easily change the password
reset information, change the password and lock me out which will be quite annoying.
I added a secondary authentication using mobile one-time code, which I was too lazy to add previously when Yahoo announced it’s available. My work email account is 2-factor protected, but as for my Yahoo account, it was essentially a risk management decision:
the friction of using a secondary factor, vs. the risk of compromise. I’m not using the Yahoo account for work or any sensitive / financial stuff, and it’s only one of my several personal accounts, so the worst thing that can happen is… well… that someone
will spam everyone I know using my account ;)
After taking care of the urgent, I started taking care of the interesting.
First thing I did was check the sent message box to see the damage. There was a burst of emails sent from the account for about 6 minutes, starting 20:25, to all my contacts. Each email contained 5-6 alphabetically ordered recipients, and the Yahoo system
automatically blocked the account from sending further emails when reaching the letter ‘G’.
Looking at the access logs, I saw a log in from India using “Yahoo! Partner's Application” at 20:25. Aha! And then a browser access, same minute, again from India. The next access was mine.
I spent a few minutes thinking of what happened. I’m extra careful with the credentials, and never access from untrusted computers (e.g. my mom’s). Also, the local main news site reported a lot of spam coming from Yahoo accounts. So – a small breach, perhaps.
In a partner site that shares Yahoo contacts. A social network, probably, they’re excellent at asking for credentials so they can access the contact list, and there are so many of these requests that when you’re too tired you might cave in and just give it,
which may have been the case. Couldn’t put a finger on a likely culprit, but it’s probably the general direction.
Then I started emailing the folks that took the time to warn me about a virus. Only I couldn’t – the account was locked, and it took a full 60 minutes after the initial spam burst for me to be able to start sending genuine emails, after multiple authentications
from Yahoo.
This was actually fun. People I haven’t talked to in YEARS said hi, and ‘don’t worry, it happens to the best of us'. They asked me what’s up, and told me what’s going on with them. It was pure delight. I spent 3 hours communicating with folks that I last
talked to before iPhone was launched.
It kind of reminded me the famous attack on RSA, where I worked until recently. I looked at the Anatomy of Attack blog I wrote 2 years ago after we’ve been hit (the Vanity Fair article
mentioning it is one of my favorite post-incident article), and was flooded with good memories. Sure, the initial few days were a mess, and a media nightmare, but there was also a positive thing: a burst of positive energy, talking to customers that signed
the original deal with the company long years ago, rekindling lost connections, and generally reaching out to those that were buried deep in the ‘business as usual’ pile. The company not only survived the crisis but came out much stronger.
Anyway, I shared this insight with Eitan, one of those colleagues with whom I now exchanged emails. Eitan said it’s going to be an excellent blog topic. The positive side of malware…
And here we are. A bit of harm done, yes, but also a bit of fun in the remediation process. If you’ve ever had similar experiences, do share :)