By Kim Christiansen
IT security specialist
We’ve been tackling hackers who have targeted a few of our readers who use Yahoo (and other) email by somehow placing fake “click here” messages in the email alerts we send to our readers.
We’ve tracked these guys down (Panama) and they are well-known scammers. But our efforts to get rid of them have fallen short, mainly because they are sneaky and know how to bend the rules in their favor.
Here’s what we know so far:
- The hackers are targeting users of Yahoo email services. This includes email addresses that end in Yahoo.com, frontier.com, citlink.com, verizon.net and aol.com. All of these companies are owned by Verizon Media and Verizon moved these email services to Yahoo years ago.
- We’re talking less than a dozen people so far that have come forward.
- We DON’T think this is a problem with Yahoo.com or any service provided by Verizon Media – their servers and services seem reasonably safe and secure.
- We DO think that hackers got hold of several readers’ passwords and breached their accounts that way (not because of their relationship with RVtravel.com), and that is how they are messing around with them. We can’t confirm this at this time.
If you’re wondering how your email account could be breached, that is, unfortunately, all too easy. Each year many companies are hacked. These hacks usually involve email addresses, user passwords and sometimes financial information. And because so many people re-use the same password over and over, email accounts are usually the first stop for hackers once they have that information.
For the record, RVtravel.com itself does not retain any of our readers’ email addresses or other information. Our email list is maintained by a large and reputable company that specializes in email distribution for publishers and marketers.
So, out of an abundance of caution we’d like to recommend that all of our readers who have email addresses that end with Yahoo.com, Frontier.com, citlink.com, verizon.net or aol.com immediately change their email password. PLEASE – make up a new password, one that you have never used before, not your existing password with a letter or number added. This Yahoo page has info on changing your password.
I’d like to recommend a service I’ve personally used for several years, 1Password. 1Password is a password manager that creates and stores unique and complex passwords for every single online account you have. You only have to remember ONE password – the app remembers the rest.
Beyond just storing passwords, 1Password has a feature that scours your existing passwords looking for weak, re-used or breached passwords. It works on Windows, Mac, iPhone/iPad and Android. And best of all, when you create and save a new password on your PC, it shows up on your iPhone right away.
I can’t really say enough good things about 1Password. You can sign up here.
A family plan (up to 5 users) is just under $60 a year. There’s also a monthly plan if that’s more your style. Get 1Password, get peace of mind and get your password situation under control! You won’t be sorry.
We need your help to stop these bad guys. We’re not giving up on this (including trying to involve law enforcement) but until we can make some headway, we wanted to make sure YOU are protected. So please, change your password as soon as possible.
There are many password managers. Do a search and read reviews on reputable sites like cnet.com and pcmagazine.com. You’ll find a manager that fits your needs and budget (or lack thereof).
Hi Michael, Yes there are a number of them out there, and a couple are free for the basic version. And there’s even one you can host yourself if you are so inclined. My recommendation was meant for the average user being able to implement one of these tools and for that 1Password (or the other best-rated one, Dashlane) are a good fit for most people. PC Magazine has an excellent article for those who wish to do more research.
Just $60 a year in order to use a free e-mail server. Just use your own server. Problem solved.
Hi Tom, this is NOT an email server. This is a password manager; it helps you create and store unique passwords for each login you have on the internet. As mentioned here there are free versions, but in each case, free means that there are trade-offs. Your passwords are probably the single most important part of being online. They are the digital keys to your entire life online. They must be unique. They must be complex. They must be impossible to guess from your social media presence online and they must be secure. You can do that with your own 3×5 card file as another reader suggested, but carting that around with you all over the place could get cumbersome. Password managers are worth every penny.
As to running your own server, I’ve been doing IT for over 30 years and I would >NEVER< run my own email server unless I had a very specific reason. I gave up on the idea that I could manage a server better part time than a team of professionals could full time. I pay Microsoft to run my business email, but Google does a fine job as well.
Do not use a Windows machine for any financial transactions. Learn to use a more secure operating system, such as Linux. Buy a cheap chromebook and use it for this purpose only. The less exposure your computer has on the I-net, the better.
Hi Tom, that advice might have been true a few years ago, but Windows 10 today is considered a fairly secure operating system. And if we look at Linux, there was a critical bug in the core of Linux for many years that no one found until a few years ago. I used to say “get a Mac” but even Apple has security holes, some of them have been very serious. The BEST way to stay safe online is use a good password manager and a good security suite to protect your machine from intrusions and viruses. Windows, Mac or Linux, the onus is on the person using the machine to “surf safely”.
Regarding Passwords.
I use 3×5 cards in a file, arranged alphabetically for each site with the password on it.
Very low tech but the cards are not getting attacked every day by hackers like those “Password Sites” are.
Ken, good ol’ tried and true. But here is one major caveat: how do you know if one of the passwords you use has been compromised?
You can go to https://haveibeenpwned.com and check usernames and passwords to see if they have been compromised in a breach. So keep up the good work at using different passwords, but be sure to run through that website.
(Yes, you can even check the passwords, they are converted to another format that is encrypted so no one can actually read the password but it can be checked against the database.)
And now “haveibeenpwned” they have all your passwords … sure hope they don’t get hacked 🙂
Hi Alan, absolutely not. They take your passwords and they are converted on the fly to a hashed format that no one can reverse hash. They have a pretty good, but technical, explanation of how this works on their site. It’s 100% safe and no one but you has your passwords. Your email address and usernames are generally known and are not as important, but you can check your email address and usernames as well.
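The mechanism the two comments above describe (the password is hashed locally and only the hash is checked against the breach database), as an added example that is not from the article or from Have I Been Pwned: it implements the k-anonymity range protocol that the Pwned Passwords API documents (SHA-1 the password, send only the first five hex characters, match the remaining 35 against the list the server returns). The sample response body is constructed; the one real value in it is the SHA-1 suffix of the string "password".

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the Pwned Passwords range endpoint returns
# for the prefix 5BAA6. Each line is "<last 35 hex chars of a SHA-1>:<count>".
# Row 1 is the genuine SHA-1 suffix of "password"; every count is made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Hash locally; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a lookup table, skipping blank lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix):
    """Live lookup: the request carries the 5-char prefix and nothing else."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in breaches; 0 means not found.
    The server never sees the full hash, so it cannot tell which of the
    hundreds of suffixes sharing the prefix is the one being checked."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print("password ->", breach_count("password", offline))            # 3861493
    print("uncommon ->", breach_count("correct-horse-9Q!x", offline))  # 0
```

Calling `breach_count` with its default `fetch` performs the real lookup against the public API; the offline lambda above shows the same logic without network access.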
1- Don’t use the same password for everything. At the very least, your email, financial, and online shopping accounts should all have unique passwords.
2- Use strong passwords (includes at least one upper, lower case, number and symbol). Especially important for your email, as your email account is the gateway to every other account.
3- For your financial accounts (at least), use two-factor authentication if it is offered. When you log in, they send a PIN number to your phone. You need the PIN number to complete the login. Without access to your phone, any hacker can’t get into your account, even if they guess your password. Amazon also offers two-factor auth. Use it.
4- Don’t EVER click on a web link in an email that claims to be from your financial account, paypal, the IRS, etc. Always go to that web site yourself without clicking on an email link. There are easy ways to tell if an email is fake, but if you never ever click on one of these email links, you don’t ever have to worry about making a mistake.
Good advice Tom!
Excellent ideas but also try to structure long, difficult passwords similar to this:
“Pass Go and collect $200” – p@$$GOandCLCt$200
“Humpty Dumpty sat on a wall” – humTdumt$@t0nAwa11
“It is raining cats and dogs!” – 1tsrAIn1NGcts&DGS!
No two passwords should be alike either.
Consider a more secure email service…
https://protonmail.com/
SWISS PRIVACY:
Data Security and Neutrality
ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.
END-TO-END ENCRYPTION:
Automatic Email Security
All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.
ANONYMOUS EMAIL:
Protect Your Privacy
No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.
OPEN SOURCE:
Free Secure Email
We believe email privacy should be available to all. That’s why our code is open source and basic ProtonMail accounts are always free. You can support the project by donating or upgrading to a paid account.
EASY TO USE
Security without the hassle
ProtonMail can be used on any device without software install. ProtonMail secure email accounts are fully compatible with other email providers. You can send and receive emails normally.
*************************************************************************************
You can use the limited free version or pay for an upgrade.
***DISCLAIMER*** I do not work for or have any associates working for this company. Nor do I profit in any manner from it. I personally use it as my email service provider and am very well pleased. Be advised though that if you do lose your password, ProtonMail CANNOT help you. It is encrypted.
And for the RV Staff, here are a couple of interesting reads that might help with your service:
*************************************************************************
Introducing ProtonMail Professional – Encrypted Email for Organizations
Today, we’re happy to announce a brand new ProtonMail plan. With ProtonMail Professional, encrypted email is finally available for organizations…
https://protonmail.com/blog/encrypted-email-for-organizations/
*************************************************************************
Everything about GDPR compliance and email security
Encrypted email can help you comply with privacy laws, limit the risk of hacks and data breaches, and improve your company’s overall online security strategy…
https://protonmail.com/blog/gdpr-email-compliance/
Hi TravelingMan, Thanks for the info, I’ve known about Proton mail for a while. Getting secure email when you’re on the road is a good idea.
There are a lot of good email services out there, but I want to stress this, we DO NOT think that there is a problem with Yahoo or Verizon. We think the problem is that some readers’ passwords were breached and that the hackers are targeting individuals for whom they have passwords.
That’s where I think a service like Proton can help. Everything is encrypted. Of course, if someone sends you an email and you open the attachment, all bets off.
I was a 1Password fan up until a couple of years ago. An update occurred that caused the app to crash when I tried to open it on my iPhone X. I quickly learned how dependent upon it I had become and how difficult life was without access to my passwords. Repeated messages to the developer were ignored. Fortunately the app still worked on my iPad and I was able to manually transcribe all of my info and migrate to another service.
Hi Gary, I’ve also had a problem with 1Password in the past, but they were always able to help me right away.
I use Locko. No cost. No fees.
I’m not familiar with Locko, but as long as it’s secure then go for it. It sounds like this is run on your local machine without a central server, and if that works for you then great!
I have used an app called Dashlane. It also stores passwords and will generate them if you wish it to. Also I believe Norton Security stores passwords but I don’t use that feature.
Dashlane gets really good reviews, but our experience has been with 1Password, so that’s our official recommendation. But Dashlane is rated just as highly.
My phone has a fingerprint reader, and I added a $5 USB one to my main PC… both act as simple authenticators to a password vault that gets synced between them. At any login, I touch the reader and a program feeds my login credentials including a scrambled password.
For sites that ask for passwords for no good reason, I have a “low security” password that I can type in quickly, and never use on sites that “matter.” OH NO, someone might find out which news site I’m reading… 😀
That’s pretty secure, and easy to use as well. Glad you’re playing it safe out there.
Yep, once set up it’s pretty cool and fast… The main downside to it is that if I’m on other computers, I don’t actually know my own passwords, and sometimes have to retrieve them or authenticate through my Google account… which is sorta like trusting your ex-wife to hold your checkbook.
Of course from a security standpoint, if you’re on my PC or cellphone, you’re probably rather “authenticated” for access even before the thumbprint… The main benefit is really just that I’m using really hard to guess passwords over the network…
Yahoo mail does not appear to be concerned. I have heard nothing from them.
Hi Friz, I’ll just say this again, we don’t think that Yahoo/Verizon has a problem. We think hackers have gotten a hold of some email addresses and passwords from some data breach and are using that to target our readers. We’ve got over 20,000 readers with Yahoo email addresses and we’ve only heard from less than a dozen who are experiencing this problem.
There was/is a whole Yahoo hack class action going on. I received info: anywhere from reimbursement for hack costs to credit monitoring for settlement.
This was quite a while ago, before they were bought by Verizon. And yes, that settlement is still winding its way through courts and disbursement.
How about replacing the link shortener you used in this article with the true URL or better yet, list the step by step directions for people to get to the password change page after they manually type in Yahoo’s domain?
j.mp resolves to bit.ly which does another redirect to a Yahoo domain. No one should EVER trust a link shortener to take them to the correct URL when security-sensitive information is involved. It’s too easy to put up a lookalike web page copied from the original page.
In fact, no one should ever trust a link to a URL where security-sensitive information is involved. Always get there manually.
I led the operational IT security teams for a large bank and a large insurance company for two decades and I agree with the advice otherwise, with the caveat that it should have recommended the use of an email service with two-step authentication. The email services listed in this article are heavily targeted in phishing attacks because they’re free, old services. When we worked with customers that experienced fraud and it involved one of these email services, and others, we told them they should change their email service to a different company. And even after one person lost thousands of dollars to email fraud, they still whined “But I’d have to tell too many people my new email address. I’ll take my chances.”
Hi JJ, but don’t you trust me? (I kid) Seriously, though, I just changed the article to include the actual link instead of the shortened link. For reference, the shortened link did not take you to the “Change Password” page but to the Yahoo help page that described how to change your password. There are no links there, just a description of how to once you’re logged in.
Thanks for the quick work. I saw the actual page content but I’m glad you changed it anyway. Any web site running on the ****Press platform is automatically at a higher risk of compromise, historically speaking…
From some passive checks you’ve done a good job of securing the system, which actually is not as common as people would think (and hope and assume). You could consider disabling TLS 1.0 and TLS 1.1 and increasing the HSTS duration to the recommended minimum of six months but overall it’s better than many others.
At a minimum I’d put some access restrictions on the default WordPress admin login page, such as two-factor if you haven’t already. I can tell you’re not using Google Authenticator but you may still be using SMS. Personally, I never allowed access to ANY administrative functions directly from the Internet. Admins had to VPN in to administer. The risk is just too high when literally anyone on Planet Earth with Internet access can access your admin login pages. Unauthenticated access bypass vulnerabilities are way too common.
Nice work.
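The HSTS point in the comment above (a max-age below the recommended six-month minimum), as an added example that is not from the article or from any commenter: a small checker that parses a Strict-Transport-Security header the way a browser would and reports a weak value beside a corrected one. It assumes "six months" means 15768000 seconds, the threshold Mozilla's Observatory used; both sample header values are constructed.

```python
# Assumed threshold: "six months" taken as 15768000 seconds (182.5 days).
SIX_MONTHS = 15768000

# Constructed header values: a weak, short-lived policy beside a corrected one.
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value):
    """Split an HSTS header into lower-cased directives (RFC 6797 style:
    names are case-insensitive, values may be quoted, order is free)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(value, minimum=SIX_MONTHS):
    """Return a list of findings; an empty list means the header is fine."""
    findings = []
    d = parse_hsts(value)
    if "max-age" not in d:
        findings.append("max-age directive missing: browsers ignore the header")
        return findings
    try:
        max_age = int(d["max-age"])
    except ValueError:
        findings.append("max-age is not an integer: header is invalid")
        return findings
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < minimum:
        findings.append(f"max-age {max_age}s is below the {minimum}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains are not covered")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HSTS), ("strong", STRONG_HSTS)):
        print(label, repr(hdr), "->", evaluate_hsts(hdr) or ["ok"])
```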
LastPass is another password manager I have been using for years and they have a free version that works on most devices.
+1 for LastPass. The free version has all the secure password management our family needs, and we use it on our PCs, Macs, iPads, Android phones… you name it.
One feature we use most is the ability to securely “share” passwords, so we all have the same, e.g., Netflix password, even after we change it periodically.
Highly recommended!
Another vote for LastPass. I’ve been using the free version for years.
I hate to throw shade on an App that has been around for so long, but here’s the thing – LastPass had a very serious security breach a while back and their response to it was not stellar. At that point they fell off my recommend list and went to not recommend. But if the service works for you, then more power to you. At least you are one of the few using a password manager and that is a good thing!