Very important safety message for our readers


By Kim Christiansen
IT security specialist
We’ve been tackling hackers who have targeted a few of our readers who use Yahoo (and other) email services, somehow placing fake “click here” messages in the email alerts we send out.

We’ve tracked these guys down (Panama) and they are well-known scammers. But our efforts to get rid of them have fallen short, mainly because they are sneaky and know how to bend the rules in their favor.

Here’s what we know so far:

  1. The hackers are targeting users of Yahoo email services. This includes email addresses that end in Yahoo.com, frontier.com, citlink.com, verizon.net and aol.com. All of these companies are owned by Verizon Media, and Verizon moved these email services to Yahoo years ago.
  2. Fewer than a dozen people have come forward so far.
  3. We DON’T think this is a problem with Yahoo.com or any service provided by Verizon Media – their servers and services seem reasonably safe and secure.
  4. We DO think that hackers got hold of several readers’ passwords and breached their accounts (not because of their relationship with RVtravel.com), and that is how they are tampering with those readers’ email. We can’t confirm this at this time.

If you’re wondering how your email account could be breached, that is, unfortunately, all too easy. Each year many companies are hacked. These hacks usually expose email addresses, user passwords and sometimes financial information. And because so many people re-use the same password over and over, email accounts are usually the first stop for hackers once they have that information: the leaked address and password are simply tried at the mail provider, and an email account that opens is also where the password resets for every other account arrive.

For the record, RVtravel.com itself does not retain any of our readers’ email addresses or other information. Our email list is maintained by a large and reputable company that specializes in email distribution for publishers and marketers.

So, out of an abundance of caution, we’d like to recommend that all of our readers who have email addresses that end with Yahoo.com, Frontier.com, citlink.com, verizon.net or aol.com immediately change their email password. PLEASE – make up a new password, one that you have never used before, not just your existing password with a letter or number added. This Yahoo page has info on changing your password.

I’d like to recommend a service I’ve personally used for several years, 1Password. 1Password is a password manager that creates and stores unique and complex passwords for every single online account you have. You only have to remember ONE password – the app remembers the rest.

Beyond just storing passwords, 1Password has a feature that scours your existing passwords looking for simple, re-used or hacked passwords. It works on Windows, Mac, iPhone/iPad and Android. And best of all, when you create and save a new password on your PC, it shows up on your iPhone right away.
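To show what such a vault audit actually does, here is an added Python example (not code from the article or from 1Password): it groups vault entries by password to flag reuse, and checks each password against a breach corpus using the k-anonymity pattern, where only the first five characters of the password’s SHA-1 hash are sent to the lookup service and the full match happens on the client. The vault entries, breach counts and the local lookup are constructed stand-ins for real data and a real range query.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site, username, password); not real accounts.
VAULT = [
    ("mail.example.com", "reader@example.com", "Summer2019!"),
    ("bank.example.com", "reader@example.com", "Summer2019!"),
    ("shop.example.com", "reader@example.com", "correct horse battery staple"),
    ("forum.example.com", "reader", "password123"),
]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
# Constructed stand-in for a breach corpus, indexed the way a k-anonymity
# range query works: 5-char SHA-1 prefix -> lines of "SUFFIX:COUNT".
BREACH_RANGES = defaultdict(list)
for leaked, count in [("password123", 123456), ("Summer2019!", 42)]:
    digest = sha1_hex(leaked)
    BREACH_RANGES[digest[:5]].append(f"{digest[5:]}:{count}")

def local_lookup(prefix):
    """Stand-in for the network call; a real client fetches this list remotely."""
    return BREACH_RANGES.get(prefix, [])

def breach_count(password, lookup=local_lookup):
    """Only the 5-char hash prefix leaves the client; the suffix match is local."""
    digest = sha1_hex(password)
    for line in lookup(digest[:5]):
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def audit_vault(vault, lookup=local_lookup):
    """Return {site: [issues]} for entries whose password is reused or breached."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    findings = {}
    for site, _user, password in vault:
        issues = []
        others = sorted(s for s in sites_by_password[password] if s != site)
        if others:
            issues.append("reused on " + ", ".join(others))
        seen = breach_count(password, lookup)
        if seen:
            issues.append(f"seen in breaches {seen} times")
        if issues:
            findings[site] = issues
    return findings
```

Calling `audit_vault(VAULT)` flags the mail and bank entries as both reused and breached, the forum password as breached, and leaves the passphrase entry alone.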

I can’t really say enough good things about 1Password. You can sign up here.

A family plan (up to 5 users) is just under $60 a year. There’s also a monthly plan if that’s more your style. Get 1Password, get peace of mind and get your password situation under control! You won’t be sorry.
We need your help to stop these bad guys. We’re not giving up on this (including trying to involve law enforcement) but until we can make some headway, we wanted to make sure YOU are protected. So please, change your password as soon as possible.

38 Comments

Michael
3 months ago

There are many password managers. Do a search and read reviews on reputable sites like cnet.com and pcmagazine.com. You’ll find a manager that fits your needs and budget (or lack thereof).

Tom Smithbrother
3 months ago

Just $60 a year in order to use a free e-mail server. Just use your own server. Problem solved.

tom
3 months ago

Do not use a Windows machine for any financial transactions. Learn to use a more secure operating system, such as Linux. Buy a cheap chromebook and use it for this purpose only. The less exposure your computer has on the I-net, the better.

Ken
3 months ago

Regarding Passwords.

I use 3×5 cards in a file, arranged alphabetically for each site with the password on it.

Very low tech but the cards are not getting attacked every day by hackers like those “Password Sites” are.

Alan Goldberg
3 months ago

And now “haveibeenpwnedthey” has all your passwords …sure hope they don’t get hacked 🙂

Tom B
3 months ago

1- Don’t use the same password for everything. At the very least, your email, financial, and online shopping accounts should all have unique passwords.
2- Use strong passwords (includes at least one upper, lower case, number and symbol). Especially important for your email, as your email account is the gateway to every other account.
3- For your financial accounts (at least), use two-factor authentication if it is offered. When you log in, they send a PIN number to your phone. You need the PIN number to complete the login. Without access to your phone, any hacker can’t get into your account, even if they guess your password. Amazon also offers two-factor auth. Use it.
4- Don’t EVER click on a web link in an email that claims to be from your financial account, PayPal, the IRS, etc. Always go to that web site yourself without clicking on an email link. There are easy ways to tell if an email is fake, but if you never ever click on one of these email links, you don’t ever have to worry about making a mistake.

TravelingMan
3 months ago
Reply to Tom B

Excellent ideas but also try to structure long, difficult passwords similar to this:

“Pass Go and collect $200” – p@$$GOandCLCt$200
“Humpty Dumpty sat on a wall” – humTdumt$@t0nAwa11
“It is raining cats and dogs!” – 1tsrAIn1NGcts&DGS!

No two passwords should be alike either.

TravelingMan
3 months ago

Consider a more secure email service…

https://protonmail.com/

SWISS PRIVACY:

Data Security and Neutrality

ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.

END-TO-END ENCRYPTION:

Automatic Email Security

All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.

ANONYMOUS EMAIL:

Protect Your Privacy

No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.

OPEN SOURCE:

Free Secure Email

We believe email privacy should be available to all. That’s why our code is open source and basic ProtonMail accounts are always free. You can support the project by donating or upgrading to a paid account.

EASY TO USE

Security without the hassle

ProtonMail can be used on any device without software install. ProtonMail secure email accounts are fully compatible with other email providers. You can send and receive emails normally.

*************************************************************************************

You can use the limited free version or pay for an upgrade.

***DISCLAIMER*** I do not work for or have any associates working for this company. Nor do I profit in any manner from it. I personally use it as my email service provider and am very well pleased. Be advised though that if you do lose your password, ProtonMail CANNOT help you. It is encrypted.

TravelingMan
3 months ago
Reply to TravelingMan

And for the RV Staff, here are a couple of interesting reads that might help with your service:
*************************************************************************

Introducing ProtonMail Professional – Encrypted Email for Organizations

Today, we’re happy to announce a brand new ProtonMail plan. With ProtonMail Professional, encrypted email is finally available for organizations…

https://protonmail.com/blog/encrypted-email-for-organizations/

*************************************************************************
Everything about GDPR compliance and email security

Encrypted email can help you comply with privacy laws, limit the risk of hacks and data breaches, and improve your company’s overall online security strategy…

https://protonmail.com/blog/gdpr-email-compliance/

TravelingMan
3 months ago

That’s where I think a service like Proton can help. Everything is encrypted. Of course, if someone sends you an email and you open the attachment, all bets off.

Gary Smith
3 months ago

I was a 1Password fan up until a couple of years ago. An update occurred that caused the app to crash when I tried to open it on my iPhone X. I quickly learned how dependent upon it I had become and how difficult life was without access to my passwords. Repeated messages to the developer were ignored. Fortunately the app still worked on my iPad and I was able to manually transcribe all of my info and migrate to another service.

warmonk
3 months ago

I use Locko. No cost. No fees.

Ernie Kosek
3 months ago

I have used an app called Dashlane. It also stores passwords and will generate them if you wish it to. Also I believe Norton Security stores passwords but I don’t use that feature.

Wolfe
3 months ago

My phone has a fingerprint reader, and I added a $5 USB one to my main PC… both act as simple authenticators to a password vault that gets synced between them. At any login, I touch the reader and a program feeds my login credentials including a scrambled password.

For sites that ask for passwords for no good reason, I have a “low security” password that I can type in quickly, and never use on sites that “matter.” OH NO, someone might find out which news site I’m reading… 😀

Wolfe
3 months ago

Yep, once set up it’s pretty cool and fast… The main downside to it is that if I’m on other computers, I don’t actually know my own passwords, and sometimes have to retrieve them or authenticate through my Google account… which is sorta like trusting your ex-wife to hold your checkbook.

Of course from a security standpoint, if you’re on my PC or cellphone, you’re probably rather “authenticated” for access even before the thumbprint… The main benefit is really just that I’m using really hard to guess passwords over the network…

friz
3 months ago

Yahoo mail does not appear to be concerned. I have heard nothing from them.

TPalmer
3 months ago
Reply to friz

There was/is a whole Yahoo hack class action going on. I received info: anywhere from reimbursement for hack costs to credit monitoring for settlement.

J J
3 months ago

How about replacing the link shortener you used in this article with the true URL or better yet, list the step by step directions for people to get to the password change page after they manually type in Yahoo’s domain?

j.mp resolves to bit.ly which does another redirect to a Yahoo domain. No one should EVER trust a link shortener to take them to the correct URL when security-sensitive information is involved. It’s too easy to put up a lookalike web page copied from the original page.

In fact, no one should ever trust a link to a URL where security-sensitive information is involved. Always get there manually.

I led the operational IT security teams for a large bank and a large insurance company for two decades and I agree with the advice otherwise, with the caveat that it should have recommended the use of an email service with two-step authentication. The email services listed in this article are heavily targeted in phishing attacks because they’re free, old services. When we worked with customers that experienced fraud and it involved one of these email services, and others, we told them they should change their email service to a different company. And even after one person lost thousands of dollars to email fraud, they still whined “But I’d have to tell too many people my new email address. I’ll take my chances.”

J J
3 months ago

Thanks for the quick work. I saw the actual page content but I’m glad you changed it anyway. Any web site running on the ****Press platform is automatically at a higher risk of compromise, historically-speaking…

From some passive checks you’ve done a good job of securing the system, which actually is not as common as people would think (and hope and assume). You could consider disabling TLS 1.0 and TLS 1.1 and increasing the HSTS duration to the recommended minimum of six months but overall it’s better than many others.

At a minimum I’d put some access restrictions on the default WordPress admin login page, such as two-factor if you haven’t already. I can tell you’re not using Google Authenticator but you may still be using SMS. Personally, I never allowed access to ANY administrative functions directly from the Internet. Admins had to VPN in to administer. The risk is just too high when literally anyone on Planet Earth with Internet access can access your admin login pages. Unauthenticated access bypass vulnerabilities are way too common.

Nice work.

Ed K
3 months ago

LastPass is another password manager I have been using for years and they have a free version that works on most devices.

Steve Sims
3 months ago
Reply to Ed K

+1 for LastPass. The free version has all the secure password management our family needs, and we use it on our PCs, Macs, iPads, Android phones… you name it.
One feature we use most is the ability to securely “share” passwords, so we all have the same, e.g., Netflix password, even after we change it periodically.

Highly recommended!

ARM
3 months ago
Reply to Ed K

Another vote for LastPass. I’ve been using the free version for years