Yahoo Mail Accounts Hacked - How Online Banks Make This Worse

Yahoo reported on its official blog that it "identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts." It’s unclear how many Yahoo email accounts were compromised. Since Yahoo chose to publicly disclose this news, it seems likely that it affected a large number of users. According to Yahoo’s blog post, the passwords of impacted accounts have been reset to protect customers.

This incident is an important reminder for those who bank online to keep not only their online bank passwords secure, but also their email account passwords. Email has become an important communication channel for banks. The emails sent by banks don’t contain full personal information. However, they often do contain some personal information that could help hackers if they are able to access your email.

There are steps that you can take to reduce the risk of hackers gaining access to your email and bank accounts. The Yahoo blog post has some useful tips that are applicable to both email accounts and to bank accounts:

In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.

The above advice is important for both your email accounts and your online bank accounts. You should not reuse passwords across multiple sites, and that’s especially true for questionable sites. I often come across some cool new website, like a discussion forum, that requires a password to register and to fully access the site. That site will probably not be as secure as sites like your internet bank. So make sure that the passwords you use there are significantly different from the ones you use for your online bank or email account.

Banks Email Lots of Information That Could be Useful to Hackers

When you establish an online account at a bank or credit union, you are typically required to provide an email address. That email address will be used by the bank to send out notifications and account alerts. These emails should not contain sensitive information like full account numbers, but they often contain details that could help hackers. For example, Ally and FNBO Direct email alerts to customers when an online transfer executes. Ally’s email contains the amount that’s transferred and the name of the other bank. There is no way to disable this notification. FNBO Direct’s email contains this same information and in addition it contains the last four digits of both the customer’s FNBO Direct account number and the customer’s other bank account number.

In addition to notifications and alerts, many banks are using email as an extra layer of login security. To access your bank account, you not only have to enter your username and password, but you also have to enter a security code. That security code is automatically generated by the bank and sent to either the customer’s email account or the customer’s phone. If a hacker has access to the customer’s email account, they may then get access to this security code. These security codes usually expire within minutes, so the risk is low. Nevertheless, if the hacker can see this security code, it does make it easier for the hacker to access the customer’s bank account. If your bank gives you a choice of where your security code is sent, your phone is probably the safer choice.

Bottom Line

I’m still confident in the safety of online banking. If you take prudent safety precautions, the chance of hackers accessing your bank accounts is small. One of the important precautions is maintaining a secure password. How careful are you with your bank and email passwords?



Comments
17 Comments.
Comment #1 by Anonymous posted on
Anonymous
From a report I saw, the Yahoo Mail breach happened owing to Yahoo having shared usernames and passwords with a third party. There was a question, but no answer, as to why a third party would have been entrusted with pivotal Yahoo private data.

In addition, the report I saw indicated Yahoo is in process of resetting passwords.  I just accessed my Yahoo Mail account.  The password of my account has not been changed so far.  Also, I have had no warnings about this which came directly from Yahoo.

Somebody needs to take pretty Marissa aside and tell her this stuff is unacceptable.

12
Comment #17 by Anonymous posted on
Anonymous
Cannot access my Yahoo email account since Sunday. Tried password reset a number of times but not working. The email password is unique to Yahoo so there doesn't seem to be a problem for bank accounts, which all have different passwords, as does this website. It appears to be a "foreign" problem that needs to be addressed by our government as it is invading all forms of the internet.

1
Comment #2 by Shorebreak posted on
Shorebreak
5. MEMBER ACCOUNT, PASSWORD AND SECURITY You will receive a password and account designation upon completing the Yahoo Service's registration process. You are responsible for maintaining the confidentiality of the password and account and are fully responsible for all activities that occur under your password or account. You agree to (a) immediately notify Yahoo of any unauthorized use of your password or account or any other breach of security, and (b) ensure that you exit from your account at the end of each session. Yahoo cannot and will not be liable for any loss or damage arising from your failure to comply with this Section 5.

https://info.yahoo.com/legal/us/yahoo/utos/utos-173.html

4
Comment #3 by Sam (anonymous) posted on
Sam
I'm surprised anyone would use yahoo mail for anything serious.  Most people I know use it specifically as a junk account.

5
Comment #4 by Anonymous posted on
Anonymous
This is excellent - masking email addresses, credit card numbers, etc. - 

https://www.abine.com/maskme/

3
Comment #5 by me1004 posted on
me1004
I must say, it is not news if a lot of Yahoo e-mail accounts are hacked into. That has been the routine for many years now, just about everyone with a Yahoo account has been hacked, and even repeatedly. It is news if your Yahoo account has not been hacked.

I have no idea why Yahoo accounts have proven to be by far the most popular e-mail accounts to be hacked, but they are. I have been aware of this for years now, it's not something new with Marissa Mayer. What might be new with Mayer is that they divulged the attack this time.

In fact, since Mayer has taken over, Yahoo has implemented some truly onerous security crap, making passwords now pretty impossible to remember and use. They are now forcing users to create new passwords regularly, and have imposed much greater demands of what characters you use for passwords and how you use them -- and never let you use a password you have ever used before.

As such, I have no idea what my password is any more and so I can only access by using the Forgot Password function to create yet another new password (good thing I have always used Yahoo only for signing up for places that might spam me, so I have nothing important there).

I REFUSE to write down a password -- I consider that a far more egregious security no-no than any of the concerns about changing passwords regularly -- and besides, am I supposed to carry this written password in my wallet everywhere I go so I can use it whenever needed wherever I am -- that's just begging for trouble? 

If what #1 Anonymous says is true, that Yahoo has shared user names and passwords with a third party -- well, that certainly is a horrible practice and could be the source of the long-running problem with hacking of Yahoo accounts.

7
Comment #6 by Anonymous posted on
Anonymous
I wish that more information about Yahoo's sharing user names and passwords with third parties could be obtained. Who are these third parties? I was not aware of such a practice and am appalled by it.

2
Comment #7 by Anonymous posted on
Anonymous
I closed all Yahoo and Gmail accounts a long time ago, because the employees at both entities have access to all e-mail accounts and dBase. It takes only one rogue person to do damage to all accounts at them.

3
Comment #8 by DCGuy (anonymous) posted on
DCGuy
There are a few of the online banks (and other membership websites) that email you your password when you ask for a reminder notice and forgot it in order to sign into the site.  Whenever they do this, I delete the email immediately after reading it.  Of course, even a deleted email could be hacked.

So far, I haven't been notified of any password changes to my email accounts.  I have updated some of those email accounts over the years, but for the most part, my account information has not changed since I first accessed Yahoo back in the late 1990s.

1
Comment #9 by Sarah (anonymous) posted on
Sarah
I hear "you should change your passwords regularly" and "passwords should have a mix of upper and lower case, numbers and symbols". But I've never heard a good explanation of how exactly people are expected to REMEMBER all of these complicated, constantly changing passwords, particularly when different sites have different requirements so a standard algorithm cannot be implemented. I have at least 50 sites which all require logins; using the same password on multiple sites with the same risk level is necessary for self defense. Other than password management software, what do other people do for this?

4
Comment #10 by Anonymous posted on
Anonymous
Paper works fine.  Of course, it must be hidden.

2
Comment #13 by me1004 posted on
me1004
Yes, Sarah, that's why I consider that proposal a far more egregious security danger than not doing it -- because no one can remember all that changing, you must write down the password if you use such an approach. You can never write down a password -- that is far too dangerous. 

I have a little formula in my head about what a password might be at any particular place. I HATE it when a place decides to override my formula with a ridiculous, onerous one of theirs that leaves me no possibility of ever remembering my password. As if I could possibly have a different formula for each and every of maybe 50 different places, or even 25. That leaves you the option of either writing it down -- a worse practice -- or using the Forgot Password function every time, a big, irritating waste.

2
Comment #14 by Anonymous posted on
Anonymous
Sarah, Another alternative is to put the passwords and login ids on a wordpad file.  Then you can zip the file with one password.  Very easy.

1
Comment #12 by cactus posted on
cactus
Never been able to figure out why the common advice to change your passwords regularly improves security.
The key advice is to not use the same password on multiple critical accounts.

4
Comment #15 by Ratesaver posted on
Ratesaver
As to password problems I found it easy to just mark them down on a small tablet and just put it in the desk drawer with your own ID type of identification... Something only you would know what they are... It works for me...

2
Comment #16 by Anonymous posted on
Anonymous
Anyone have experience with password managers?

2