When Will Email Providers Quit Blaming Their Users For Security Breaches?

February 23, 2014

If you have an email account managed by Yahoo! (e.g., Bellsouth, AT&T, Prodigy, etc.) or AOL, then I bet the majority of you have had to change your password at least once in the last 3 years. The problem starts when you begin getting calls or reply emails from the people in your address book describing strange emails they are receiving from you.

The emails in question either have a virus attached, contain links to infected websites, or are spam. Sometimes they are emails begging your friends for money because “you” are stranded somewhere and have had your wallet stolen. Whatever the case may be, you now have an email account that has been breached. I get several calls a month from customers who say, “I have a virus on my computer that is sending email…” Actually, they are wrong, probably 98% of the time.

In almost all cases, their passwords have been compromised – not by a virus – but by a hacker. And the hackers haven’t accessed the user’s computer; they have hacked their email provider’s servers directly. The solution is to simply change your password, but the root issue remains. The email provider has one or more vulnerabilities and thousands of their customers’ accounts are getting hijacked – all at once.

The biggest problem is that the email providers lie to their customers and blame things like weak passwords as the culprit. Sure, a hacker can brute force or guess a weak password, but why would they bother when they can hack authentication servers and get thousands of email accounts all at one time? Both Yahoo! and AOL have had this problem for years now, with no resolution. It doesn’t matter if your password is “password” or “Sup3rc@l1fr@G1l1st1c3Xp1@l1D0c10us”; if the hackers get into the server and steal your information, the account will be compromised.

I’m writing this today because I have seen another wave of attacks, specifically with AOL. I have received multiple emails from different AOL accounts, all hacked within the same 24-hour period. I’m also seeing a rise in “mom and pop” web and email hosting being targeted by sophisticated overseas hackers. Yahoo! recently admitted to a breach. I laughed as they acted like it was the first time. Of course, they still didn’t take responsibility for the problem, blaming it on a third-party vendor.

I wonder how much longer these companies will continue to make up lame excuses to their customers before the truth is finally publicized.  If you have had your email account hijacked, I encourage you to share your story.