Did A New Account Show Up In Your Inbox You Didn’t Sign Up For? “Steal” It.

Stealing is bad, but in this instance it’s actually OK, and I’ll explain why in a moment.

I have a really, really old Yahoo! Mail account that I originally created in 1997 (it’s only 5 letters long). While I don’t use that mail account for anything, I do periodically check it because there are a handful of instances each year that someone tries to steal the account. Yes, I could abandon the account, but it has some sentimental value to me since it’s so old and that’s why I keep it.

I have to change the account password several times a year to keep hackers from busting into it. If you’re thinking, “Well, you must use simple passwords if that’s what you have to do to keep hackers from gaining access”, no, that’s not the reason the account keeps getting almost-busted into. What happens is that hackers from foreign lands brute force their way into the Y! system by any means necessary, look for backdoors (usually in non-US Yahoo! servers), and periodically bust their way in. Or in the instances I’m about to tell you, “mostly” in.

The latest that happened with my Y! account is that someone registered an Apple ID with it. As for why they did, I have no idea. But somehow they were able to get one registered and successfully confirm it using my Y! address.

What most people would do in this instance is spam-flag anything they didn’t sign up for. That wouldn’t do me any good here because Apple obviously isn’t a spammer, so the emails would keep showing up. Setting up a filter usually doesn’t do any good either.

Instead, what I do is go to the site where the account was registered and do the “forgot password” thing. I absolutely do not click any links in the emails. If the account was legitimately registered, I will receive a new “change your password by clicking this link” email. With the Apple ID, that’s exactly what happened, so the account was legitimately registered to my Y! address.

Once the password is changed, I “steal” the account (which is not really stealing since it used my email address to begin with), change every bit of information in there, set up a ridiculously cryptic password along with ridiculously difficult challenge questions/answers. With the Apple ID, again, this is what I did.

After that, the Y! account password and challenge questions/answers were changed.

One day later, my Y! inbox had something in the neighborhood of 6 to 10 requests from Apple – made by the guy who tried to hack my account – to change the Apple ID password. Obviously, he ran straight into a brick wall there. All the security information was changed, so he never received the emails. After that he just gave up.

Mission accomplished.

What can you learn from all this?

A few things.

It is better to “steal” an account that some hacker registered using your email address instead of just letting it sit

The hacker had a reason for registering whatever account he did. As for what reason, I couldn’t say because I don’t know. But had it been left active for his use, it could ultimately have led to identity theft.

Consider this: Once you “steal” the account for yourself, your email address can’t be used to register another account at the same site again.

Flagging emails as spam and/or setting up filters is not always the answer

You can flag-flag-flag and filter-filter-filter until you’re blue in the face, but in the end this may serve to be a rather large inconvenience to you because you may flag/filter out emails you’d actually want to receive.

Changing only the password is not enough

Above you read about me changing “challenge” questions/answers; these are separate questions used to verify your identity.

Example challenge question: “What is the name of your pet?”
Example challenge answer: “Fluffy”

The way I do challenge questions and answers is that I always specify my own question, which will usually read “it’s in the database”, and pair it with a cryptic challenge answer of over 24 characters.

If the system for whatever it is requires two questions/answers, I label those as “it’s in the database 1” and “it’s in the database 2”, both with separate cryptic answers.

At this point you’re probably thinking, “Geez.. all that for a Yahoo! account?” Yep. This is why I’ve been able to keep my Y! account for 15 years without it having been stolen.

Change your passwords and challenge questions/answers routinely, and the chance of your account being stolen decreases a great deal.

Final note: Do all Yahoo! Mail accounts suffer this fate? No. Mine does because it’s short, 5 characters and desirable. However, what happened to my Y! account can happen to any.


3 comments

  1. mmseng1 /

    I do the same thing with challenge question answers except I go the extra step and make the question gibberish as well. I don’t need to be told that the answer is in “my database”, and neither does a hacker. I simply record the gibberish question in the database along with the answer.

    Of course this strategy breaks down when you can’t specify your question. I hate it when sites make you pick from 3-5 lame generic questions. Still the gibberish answer works in those cases.

  2. Gannag9f /

    There is such a thing as mindlessly paranoid.  What possible reason would anyone have to register something that they purchased to your email address? 

    Did you stop to think that an innocent user probably typo-ed your email address in by mistake?  And when asked to retype the same thing, some folks cut and paste the first one.  And you have made it impossible for her to register her software?  Perhaps the decent thing to do would have been to have let the registrar know that you didn’t pay for the product and someone must have typed your email address by mistake.  That would at least “unregister” the product so it could be taken care of later.

    It’s fine to secure your account with good passwords and challenge questions.  But you’re right; stealing IS wrong and that’s exactly what you did.  It isn’t necessary to deliberately create a problem for someone else.  Try to keep in mind that everyone in the world isn’t out to get you.

    • It’s cute how you’re almost defending identity theft on the assumption that everyone on the internet is innocent, sweet and would never do anything wrong (perish the thought!) to anyone else. I got a nice chuckle from the absolutely naive bile you wrote, so thanks for that.
