In July 2012, Marissa Mayer became the new CEO of Yahoo! and tasked with creating a turn-around strategy for the beleaguered search engine giant. Of the numerous challenges facing Yahoo!, one of the biggest has been getting a handle on the growing volume of customer complaints related to the 2011 launch of Yahoo!'s new e-mail product and the security flaws that have been exploited.
I started researching and writing about the latest threat when a friend of mine discovered that her Yahoo! e-mail account had been hacked. At this point in time, the only type of hack that has been reported only impacts your system when you open a link sent by another hijacked account. In my friend's case, the challenge of this narrative is the account that initiated the e-mail had not been used for well over a year.
After gaining access to all accounts, we (my friend and I), started looking at the failure notifications and discovered that the e-mail (I'll call it account B) that sparked the research was the secondary e-mail. It was received last week and sent by account A. Account A was hacked last month and started generating e-mails to all e-mail address found in the unopened e-mails in the inbox (not all of the addresses were in the contact list). Like account B, account A had not been accessed at for over a year. Therefore, she could not have opened, much less sent, e-mail from either account during the time frame.
Continued research indicates that Yahoo! was, in fact, hacked by overseas criminals. And it isn't isolated to American Yahoo! users. According to 3 News in New Zealand, nearly 80,000 Xtra users also received unwanted e-mails this month, all originating from hacked accounts, all containing a shortened URL asking the recipient to click on the link. One individual in New Zealand received suspicious e-mail from an account of a friend who died three years ago.
Xtra is a subsidiary of New Zealand's Telecom and outsources content access and e-mail services, to Yahoo! In a statement on 3 News' website, Telecom's retail chief executive Chris Quin said, "essentially, a spammer has got into Yahoo! and been distributing a phishing email across a number of contacts in that customer base, and then that is distributing itself through the contact emails of people." This had a potential impact of 450,000 Xtra customers plus any not subscribed to Xtra who also received the e-mail.
3 News' article also reveals more unsettling details in that the recipients may not have to click on the link. According to the article, "just getting the email gives hackers access to the recipient's contacts, which means spam can then be sent to them as well, regardless of which e-mail provider they're with."
Even more disturbing is this vulnerability was declared fixed in January after an Australian security company issued a security warning. Paul Brislen of New Zealand's Telecommunications User Association expressed his frustration to 3 News, "they were supposed to have fixed it back then. They assured everyone they fixed it in early January. Here we are halfway through February and it's happening again. They're running the service. There's no one to point the finger at but them."
Though Yahoo! states all of the issues have been fixed, in all likelihood the e-mails may continue.
Logan Douglas, a software engineer in New Zealand, summed the frustration up best, "when that security's breached, when they cannot provide a solid, strong response about what’s happened, we really should be a little bit worried."
He's right. America used to have security and rapid response plans. We used to be the "most secure." We set the standards and followed them. In an effort to rush to market, cut costs, we're at the most vulnerable cyber-security point in our history.