Earlier this month Yahoo! became officially DMARC compliant. That’s supposed to mean your Yahoo! email inbox should be heavily armoured against phishing attacks and spam. The Domain-Based Message Authentication consortium is a group of Silicon Valley companies like Facebook, Google, LinkedIn and PayPal who all pledge to use tools to identify and authenticate an email’s sender, and report any issues.
However, in the last 24 hours we’ve started getting reports from readers that, at least for some, Yahoo’s email is filling up with spam. But not the spoofed stuff – these spam emails are coming from within verified accounts.
A few days ago one TechCrunch contact who works in tech said he started receiving spam from his own ‘contacts’. Finally he got some from his wife. He checked all the victims and they were all from Yahoo accounts. To double-check he logged in to his wife’s account, since in Yahoo you can see where the logins came from. The log-ins were from all over the world. In other words, the account had been hacked.
That suggests either that she was unlucky, or that some mail account passwords have been hacked at Yahoo. However, we’ve heard from other Yahoo users who have had the same thing happen. Right now it’s hard to gauge the scale of this problem, and there is no suggestion at this stage that Yahoo Mail has suffered a significant security breach.
Now, normally the spam you get is spoofed to look as if it came from a victim’s account, but spam filters generally recognize the spoof approach and usually do a good job of filtering it.
What is different about what we’ve seen is that the spam is being sent by someone logged into a victim’s account. Being logged in when you send emails to contacts bypasses the standard filters.
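To make that distinction concrete, here is an added example (not part of the original article) that applies the DMARC identifier-alignment rule to two constructed messages: one spoofed from a third-party server and one sent from inside a Yahoo account. The hosts `mx.example.net` and `bulk-sender.example` are placeholders, and taking the last two labels as the organizational domain is a simplifying assumption in place of a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real traffic.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none
From: Alice <alice@yahoo.com>
Subject: hi

body
"""
HIJACKED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com
From: Alice <alice@yahoo.com>
Subject: hi

body
"""

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_results(msg):
    """Return {method: (result, domain)} parsed from Authentication-Results."""
    out = {}
    for part in msg.get("Authentication-Results", "").split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(?:\s+[\w.]+=(\S+))?", part)
        if m:
            dom = m.group(3).rpartition("@")[2] if m.group(3) else None
            out[m.group(1)] = (m.group(2), dom)
    return out

def dmarc_verdict(raw):
    """DMARC passes if SPF or DKIM passes AND its domain aligns with From."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    res = auth_results(msg)
    for method in ("spf", "dkim"):
        result, dom = res.get(method, ("none", None))
        if result == "pass" and dom and org_domain(dom) == org_domain(from_dom):
            return "pass"
    return "fail"

if __name__ == "__main__":
    print("spoofed: ", dmarc_verdict(SPOOFED))
    print("hijacked:", dmarc_verdict(HIJACKED))
```

The hijacked message passes because it really does originate from the provider's own infrastructure, so catching it depends on account-side signals such as the login history described above.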
On Twitter, there is a lot of buzz about this issue. But commenters don’t seem to realise that this is not normal spam, rather that it may well be a full-blown hack on the sender’s account, not mere spoofing.
We’ve reached out to Yahoo for comment.
Meanwhile here’s just a taster of what people are saying on Twitter right now.