I’m writing this blog post in response to a growing pattern of unrelated, individual account hacks of Yahoo! (and, consequently, Bellsouth.net/ATT email, which is downstream from it) that began years back but has accelerated notably in recent months.
The common thread connecting most of these hacks is that the users do not have 2FA (two-factor authentication) switched on for the account — so it’s trivial for any attacker who happens to find the password (whether by way of a database breach, local malware/extension compromise, or mere password reuse) to simply log in and do their bidding.
Worse yet, there is also evidence of script-based vulnerabilities that can silently add email filters to the user’s Settings without their knowledge — probably by way of a link they clicked in a targeted phishing email. These don’t even require the user to enter any information. The filters are typically used to redirect specific emails (such as those containing financial institution names/terms) to a folder other than the Inbox (commonly “Archive”), so that the user doesn’t notice the hacker working to get inside those accounts, change their password/login information, or steal from them.
The response to these increasingly numerous security breaches is:
- Change the Yahoo!/Bellsouth.net/ATT password first.
- Enable 2FA on the account. Verify the info.
- Remove any unrecognized trusted devices or login sessions from within the Yahoo!/ATT security settings.
- Navigate to the email settings next and inspect the filters. Remove any unrecognized filters, noting the search terms for clues as to which institutions were being targeted for account hacking.
- Move all affected email from the filter’s target folder back into the Inbox and read through it.
- Check any affected PCs for malware infections or fraudulent browser extensions.
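The filter-inspection step above is the one most people skip, so here is an added example (my own illustration, not code from the original post or from Yahoo!/ATT) of the check done mechanically: given a list of filter rules exported or transcribed from the Settings page, it flags every rule that matches financial-institution terms and diverts that mail away from the Inbox, forwards it to an outside address, or deletes it. The rule record layout, the term list and the sample rules are all constructed for this example; Yahoo! exposes no such export format that I know of.

```python
"""Flag mailbox filter rules that look like the diversion pattern in the post.

Assumptions (not Yahoo!/ATT specifics): a rule is a MailFilter record
transcribed from the Settings UI, and FINANCIAL_TERMS is a starter list
the mailbox owner extends with the institutions they actually use.
"""
from dataclasses import dataclass

# Assumed starter list of terms an attacker's diversion filter would target.
FINANCIAL_TERMS = (
    "bank", "credit union", "paypal", "venmo", "zelle", "chase",
    "wells fargo", "wellsfargo", "fidelity", "statement", "wire",
    "verification code", "one-time code", "password reset",
)

# Folders where diverted mail sits unread in practice.
DIVERSION_FOLDERS = {"archive", "trash", "spam", "junk", "deleted"}


@dataclass(frozen=True)
class MailFilter:
    name: str      # label shown in the Settings UI
    field: str     # header the rule matches: "from", "subject" or "body"
    contains: str  # substring the rule looks for
    action: str    # "move", "forward" or "delete"
    target: str    # destination folder (move) or address (forward); "" for delete


def matched_terms(rule):
    """Return the financial terms found in the rule's match string."""
    text = rule.contains.lower()
    return [term for term in FINANCIAL_TERMS if term in text]


def suspicious_reasons(rule, own_domains=frozenset()):
    """List human-readable reasons a rule deserves review; empty means benign."""
    reasons = []
    terms = matched_terms(rule)
    action = rule.action.lower()
    target = rule.target.lower()
    if action == "move" and terms:
        where = "a rarely-read folder" if target in DIVERSION_FOLDERS else "a folder"
        reasons.append(f"moves mail matching {terms} into {where} '{rule.target}'")
    if action == "forward" and target.rsplit("@", 1)[-1] not in own_domains:
        reasons.append(f"forwards mail matching '{rule.contains}' to external address {rule.target}")
    if action == "delete":
        detail = f" (matches {terms})" if terms else ""
        reasons.append(f"deletes mail matching '{rule.contains}' before it reaches the Inbox{detail}")
    return reasons


def audit(rules, own_domains=frozenset()):
    """Return {rule name: [reasons]} for every rule that looks like a diversion."""
    findings = {}
    for rule in rules:
        reasons = suspicious_reasons(rule, own_domains)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample: three rules a user would recognise, three they would not.
SAMPLE_RULES = [
    MailFilter("Newsletters", "from", "news@example-shop.com", "move", "Newsletters"),
    MailFilter("x1", "from", "chase.com", "move", "Archive"),
    MailFilter("Receipts", "subject", "your receipt", "move", "Receipts"),
    MailFilter("fw", "subject", "verification code", "forward", "drop@attacker.example"),
    MailFilter("Cleanup", "from", "alerts@wellsfargo.com", "delete", ""),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES, own_domains={"yahoo.com"}).items():
        print(f"REVIEW {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run as-is it reports the `x1`, `fw` and `Cleanup` rules and stays quiet about the newsletter and receipt rules; the term list printed with each finding is exactly the clue the post suggests noting down, since it tells you which institutions to go and check next.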
That’s it. Similar attacks target Outlook.com email accounts, and there hackers have been using some sophisticated methods to actually overwrite email body content — forever destroying the information in exchange for (typically) some sort of ransom note. This is perhaps an even more insidious technique. However, by far the most common email hack currently propagating is the Yahoo!/Bellsouth/ATT one. All the more reason why users ought to strongly consider transitioning off that historically troubled platform toward a more stable, more secure service such as Gmail!