Saturday, September 24, 2016

Yahoo Data Breach Not The Only Problem - Gives Easy Access to Stranger's Account

On September 23, 2016 Yahoo announced to the world that 500 million accounts had been hacked way back in 2014.

I was one of millions that received an email notice of data breach from Yahoo.  Always suspicious of such notices, I clicked nothing.  Instead I did a quick Google search to confirm the facts. And of course went directly to Yahoo's site and also looked for the lock icon in the address bar.

It had been years since I had done anything active on Yahoo and even more years since I had used their email or other services.

Still, seeing what info might have been compromised then deleting the account seemed logical.

But that was so long ago! I typed in my long-standing email address--the one the notice had come to--but it did not recognize it. Strange.  So, the other option they gave was to try my cell phone number, which I've had for many years.  Yahoo took it and said it would text me a code. It did, and I entered the code from the text to gain access to my account.

Surprise!

The account name, gender, DOB, etc. were those of someone I've never heard of before!

Fantastic.  Yahoo not only lets a "state-sponsored" hacker get our info, but then Yahoo itself passes out access to a stranger's account like candy at Halloween.  

Yahoo associated my long-standing cell phone number with another person's Yahoo account and gave me total access.  This means there was no verification at the time that cell number was put into Yahoo's system as a security measure.

I tried to find a real person online at Yahoo to message or talk to, but as you discover there is nothing anywhere.  Just support articles and the "community" to post an issue and let thousands of people weigh in casually.

I could just see that:  "Hey everyone, Yahoo just gave me full access to someone else's account using nothing more than my own cell phone number as the one and only security ID requirement.  Can anyone suggest what to do next?"

Thankfully it looked as if this person had wisely quit using their Yahoo account long ago and had only their name, gender, and DOB as info.  What would I want someone to do if the situation were reversed?  Delete the account!  So I deleted the account since it was still linked to my own cell phone number.  Incredibly dangerous for me too!  Thank you Yahoo for creating such chaos!

Goodbye forever and good riddance. 
