
Many Yahoo!/SBC Global email accounts have been hijacked via an infamous XSS attack. The accounts are often used to send spam to random members of the user's personal address book. The spam often advertises a weight loss solution on a fake clone of a news site, which accepts credit card details, and possibly hijacks accounts as well.

I know that the accounts are hijacked using stolen session cookies. Therefore, resetting the password should invalidate any stolen sessions. Should any other actions be taken?

Sean W.

1 Answer

If you change your Yahoo password, this will invalidate all existing sessions with all Yahoo services (not just webmail). This is true whether you use SSL when you change your password or not.

You can also review recent activity from your Yahoo account, to check for suspicious actions taken using your account.

After changing your password, you could consider enabling two-factor authentication if you want (not that it's related in any way, it's just a good opportunity to see whether it makes sense for you).

SSL is a separate topic. The only connection is that, if you are connecting over an insecure network, you might want to use SSL when you connect to Yahoo and enter your new password. But that's a good idea, regardless of whether you've been hacked by XSS or not. SSL is mostly a distraction here.

(To avoid confusion, I recommend you stick to one question at a time. If you want to know both (1) how to recover from a compromise of a Yahoo account, and (2) how complete Yahoo's SSL support is, you should ask two separate questions. You might want to edit this one to focus on just one of these and post a new question on the other.)

D.W.
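The answer's central point is that a password change invalidates every outstanding session, so a cookie copied out of the browser by injected script becomes useless once the victim resets the password. The example below, added here as an illustration and not code from Yahoo or from either poster, shows the server-side mechanism that makes this true: each account carries a session "generation" counter, every token is stamped with the generation current at login, and a password change bumps the counter so older tokens fail validation. The class name `AccountService`, its methods and the PBKDF2 parameters are assumptions for the demonstration; the "recent activity" list models the review step the answer mentions.

```python
"""Model of 'changing the password invalidates all sessions' (constructed example)."""
import hashlib
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed cost parameter for the demo


class AccountService:
    """Minimal account and session store.

    Every session token records the account's session generation at login.
    validate() rejects a token whose generation no longer matches the
    account's, and change_password() increments the generation, so tokens
    issued before the change (including any copied by injected script)
    stop working without the server having to find them individually.
    """

    def __init__(self):
        self._users = {}     # name -> {salt, pw_hash, generation, activity}
        self._sessions = {}  # token -> {user, generation, expires}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_user(self, name, password):
        salt = secrets.token_bytes(16)
        self._users[name] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "generation": 0,
            "activity": [],
        }

    def login(self, name, password, client="unknown", ttl=3600):
        """Verify the password and issue a token bound to the current generation."""
        user = self._users.get(name)
        if user is None:
            return None
        if not secrets.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": name,
            "generation": user["generation"],
            "expires": time.time() + ttl,
        }
        user["activity"].append(("login", client, time.time()))
        return token

    def validate(self, token):
        """Return the account name for a live token, or None if it is stale."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        user = self._users[sess["user"]]
        if time.time() > sess["expires"] or sess["generation"] != user["generation"]:
            self._sessions.pop(token, None)  # drop the dead token eagerly
            return None
        return sess["user"]

    def change_password(self, token, old_password, new_password, client="unknown"):
        """Rotate the password, kill every existing session, and return a fresh token."""
        name = self.validate(token)
        if name is None:
            return None
        user = self._users[name]
        if not secrets.compare_digest(user["pw_hash"], self._hash(old_password, user["salt"])):
            return None
        user["generation"] += 1  # this single increment invalidates all outstanding tokens
        salt = secrets.token_bytes(16)
        user["salt"] = salt
        user["pw_hash"] = self._hash(new_password, salt)
        user["activity"].append(("password_change", client, time.time()))
        return self.login(name, new_password, client)

    def recent_activity(self, name):
        """Events the account owner can review for anything they did not do."""
        return list(self._users[name]["activity"])


if __name__ == "__main__":
    svc = AccountService()
    svc.create_user("alice", "correct horse")
    stolen = svc.login("alice", "correct horse", client="victim-browser")
    print("stolen token valid before reset:", svc.validate(stolen) is not None)
    fresh = svc.change_password(stolen, "correct horse", "battery staple", client="victim-browser")
    print("stolen token valid after reset:", svc.validate(stolen) is not None)
    print("new token valid:", svc.validate(fresh) is not None)
    for event, client, ts in svc.recent_activity("alice"):
        print(f"{time.strftime('%H:%M:%S', time.gmtime(ts))} {event} from {client}")
```

The generation counter is what makes the guarantee cheap: the server never has to enumerate and delete the attacker's copies, and a token that was exfiltrated but not yet used dies the same way as one in active use. It also explains why the answer says the reset works regardless of SSL; the invalidation happens in the server's session check, not on the wire.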