Someone hacked into my e-mail account and sent everyone in my address book e-mails with links. I e-mail everyone not to open. They were sent early before I was even out of bed. I would think the links would open up a virus. Why would someone do this?

You had an insecure or easily brute-forced password ... it was done automatically. It was likely a phishing attempt or yes, a virus. They do it because it = money. People actually pay for the fake spyware / virus removal software that actually is a virus.

Another possibility is you used the same username and password on multiple sites and one of the sites you used it on stored their passwords in plaintext rather than hash, and that site was hacked and its list of usernames/passwords was stolen. Fairly common as a lot of websites out there just aren't well-designed when it comes to security.

Yeah, most likely just change your email account password and you'll be good. I would also make sure your online bank account passwords are not used only for those sites and not anywhere else.

Happened to me as well, i changed my password today, for the record i was using a Yahoo account.

I had this happen on Yahoo, also. I changed my password, but found that afterward, new emails were still being sent to my contacts. I am still trying to figure out how to stop this from continuing.

I had this happen on Yahoo, also. I changed my password, but found that afterward, new emails were still being sent to my contacts. I am still trying to figure out how to stop this from continuing.

Same here. It wasn't a user issue, it was a provider issue. For a few days, you had to put in a code displayed on the screen to send and e-mail. It wasn't a problem on my @me.com account, or gmail, or my work account, only yahoo.

I'm pretty sure that's still a "user issue" because I believe that was still a large-scale brute force that Yahoo didn't detect (my sister in-law had this happen). This has happened several times before (http://www.scmagazine.com/rampant-brute-force-attack-against-yahoo-mail/article/149373/).

Not every email account was affected.

There's a lot of misunderstanding about password strength, too. The passphrase "monkeychocolatethistle" is more secure against brute force attacks than the predictable "m0nkey1982!"

I'm a big fan of KeePass, which lets you generate and retrieve secure passwords. Another critical thing to do is not reuse passwords.

Had this happen to me with the Playstation hijack. Decided to delete my contacts and also changed my password to my email account. Kind of comical now, but everyone got an offer for a penis enlargement from my email. Got a few emails back from some people asking what my problem was. Some of the contacts were parents from my basketball team that I coached. I still think some of them think I am a perve or something.

That goes back to the "never use the same password in two places" policy.

I'm pretty sure that's still a "user issue" because I believe that was still a large-scale brute force that Yahoo didn't detect (my sister in-law had this happen). This has happened several times before (http://www.scmagazine.com/rampant-brute-force-attack-against-yahoo-mail/article/149373/).

Not every email account was affected.

There's a lot of misunderstanding about password strength, too. The passphrase "monkeychocolatethistle" is more secure against brute force attacks than the predictable "m0nkey1982!"

I'm a big fan of KeePass, which lets you generate and retrieve secure passwords. Another critical thing to do is not reuse passwords.

Then we disagree. Yahoo was at fault, not its customers.

This could be caused also by simple email spoofing. An email looks like it comes from a friend, but really it's coming from Taiwan or Croatia. The end result is the same -- people think their friends are sending them junk.

In the end, all of the advice about using strong passwords and general computer security is good advice. And I second the motion for KeePass (http://keepass.info/). Excellent (and free) utility.

Then we disagree. Yahoo was at fault, not its customers.

The onus of security is shared anytime a user must designate their own password.

The onus of security is shared anytime a user must designate their own password.

Sure. But the breach was on Yahoo. Not the users. We are their customer.

Yes and no.

Remember, tons of users were unaffected. Why? Stronger passwords.

Not to mention, there's no way to know for sure this one was a brute force and not from a passwords list.

Yes and no.

Remember, tons of users were unaffected. Why? Stronger passwords.

Not to mention, there's no way to know for sure this one was a brute force and not from a passwords list.

Exactly. No way to know if a yahoo password list was snatched.

I have a long complex pass phrase password. I doubt it was a brute force attack.

Do you use it in multiple places?

This could be caused also by simple email spoofing. An email looks like it comes from a friend, but really it's coming from Taiwan or Croatia. The end result is the same -- people think their friends are sending them junk.

This, too. It is trivial to fake an email address as it's simply a header line. They could have gotten a large list of email addresses.

That said, it's unlikely this would happen with one provider were that the case ... the other big variable is that you cannot access a contact list through this method, which greatly reduces its effectiveness.

That said, it's unlikely this would happen with one provider were that the case ... the other big variable is that you cannot access a contact list through this method, which greatly reduces its effectiveness.Good points... I agree.

Do you use it in multiple places?

No.

Well good for you. :)

Thats why I blame yahoo.

Well that still assumes that your password was not otherwise breached.

Well that still assumes that your password was not otherwise breached.

Based on the info at hand, it seems to be yahoos fault.

does it?

it does for me

Which info, might I ask?

If it was the old story I posted, that was specifically weak passwords ... a strong password would have prevented this.

To further illustrate this point ...

One of the most popular disk encryption services in the world right now is True Crypt. Utilizing SHA-512 or Whirpool hashes, it is almost impossible to break. Even the FBI is on record saying they cannot crack a TrueCrypt volume.

But if your password is not secure, even TrueCrypt can be brute forced in a matter of minutes. So is that TrueCrypt's fault or the user's?

Which info, might I ask?

If it was the old story I posted, that was specifically weak passwords ... a strong password would have prevented this.

I used a very strong password.

But was it strong enough?

Apparently no.

But was it strong enough?

Apparently no.

Can't tell. Again. Yahoo could have been hacked. No password is strong enough if it is given away. That's how it looks to me. Since I have said that several times, I'm done here.

Exactly. No way to know if a yahoo password list was snatched.

I have a long complex pass phrase password. I doubt it was a brute force attack.

Let us be the judge of this. What is your password?

He can give it to you, but he needs your credit card number first to process the transaction. Operators are standing by...

Weak password.

In the future, your passwords need to be simply a sentence, as in, Mydoglikestoplayfetch. It's been proven that, of course, it's easier to remember and, ultimately, more secure than the capital letter, numbers and symbol routine.