HELP! I Received Email Saying They Have My Password!

ParatoOptimal

Golden Member
Jan 27, 2004
1,094
2
81
I got an email in my Yahoo Email Spam folder from losep Stevens. His first name is not capitalized. The Subject line reads ... " RE: NNNN-XXXX I will directly come to the point. I know that XXXX is your p"

The viewable space of the subject line ends there. NNNN I used in place of my userid. XXXX represents my password.

What's going on? Should I open this to read it? Should I go to the library to open/read it there where they probably have better security to stop any malware ... read it and delete it at the library?

I Googled but found nothing on losep Stevens.
There are lots of stories of Gmail PW scams in spam folders.
None are about Yahoo email. None have the enduser's userid and PW.

I use MS Essentials AV. I only use my WiFi network at home and one, nice neighborhood Starbucks WiFi network.

Now that I think of it, I don't use that userid for any forum. I only use it for my Yahoo email address. The PW is my Yahoo email PW. I use that email address for various, legitimate, online stores and eBay and I think only two forums including AnandTech. The stores are BestBuy, JCPenney, Macy's, Newegg, Kohl's and Walmart. There's one other forum I haven't been on in ages. I tried to get on months ago but it wouldn't accept any PW I tried. Dell's enduser forum banned my email address for no reason. The only post I made was about which RAM to use for a specific model laptop and how Dell's own website offered RAM for it that their techs said wouldn't work with it.
 

mikeymikec

Lifer
May 19, 2011
17,575
9,266
136
Yahoo was compromised a few years ago (2014 IIRC), did you change your password when you were told to by Yahoo?
 

ParatoOptimal

Thanks for the fast response. I think I changed it. I'm pretty sure I did. Yes, I'm certain I did. Recently, Yahoo bought some other company and they made us change our PWs I think. I think that's when I went back to an old PW I haven't used in a long time.

A few months ago I went back to an old PW for some sites. One may have been Yahoo email. I recall a few months ago either Yahoo email or Gmail MADE ME change my PW or was that eBay? I think it was Gmail AND eBay.

Yahoo usually just logs me in via Firefox's saved PWs. Every so often Yahoo email runs through a few pages where I have to enter my email address and PW and asks me to update my cellphone. I have to enter my address or maybe not the address but definitely the PW and verify my cellphone and maybe alternate email contact which I never do. I skip as much of it as I can or enter blank and it moves on. But I HAVE TO enter my PW.
 

mikeymikec

If you changed your password back to one that was compromised (I think Yahoo has been compromised more than once), then that's likely the reason why someone knows your password.

By 'compromised', I mean that the userids/passwords list was put into the public domain.

If I were you, I would absolutely change your Yahoo password to something historically unique and sufficiently complicated (I tend to go for multiple random dictionary words inc. bastardised English words and throw some numbers in). I would change any account password linked with your Yahoo account (e.g. if you have an eBay account linked to your Yahoo address, change the password). I would also double-check recovery details for all such accounts to make sure nothing has been added that you haven't added yourself, as that has been a common tactic used by attackers to maintain access to your account despite a password change.

I would also keep e-mail account passwords unique from any other password. Ideally, they would all be unique, but that does make things more complicated. Also, have a password list (paper, document on the computer, a decent password manager (ask for recommendations on the last one on this forum), whatever).
 

ParatoOptimal

Thank you. I thought, if that was the old PW when Yahoo was compromised, I'm screwed.
I was hoping I could just change my Yahoo PW and not every forum and store that I use that email address. I don't see how having the email address would give them the forum's or store's PW. One site uses the same email and PW to login. That one should definitely be changed. If you recommend changing them all, I will. Thank you, thank you, thank you for being there with your knowledge.
 

mikeymikec

Let's say you have an Amazon account tied to your Yahoo address. The attackers finding out your Yahoo ID and password doesn't immediately grant them access to the Amazon account unless you used the same password on both AND they tried that (because it's a very common thing for people to do). However, a quick rifle through your e-mail will likely tell them a fair bit about any sites you have accounts with, and if you've used similar passwords or they can guess your password generation scheme then they could have figured out how to access those other accounts.

It might be the case that the sender of that e-mail hasn't any malicious intention as they've done you a service by alerting you to the risk you're in.

But it's better to assume the worst and take more precautions than necessary rather than less.

Also bear in mind that there have been documented incidents of people having two e-mail accounts and setting each as the other's recovery account, so an attacker compromises one and gets both with a minimal amount of work. There have also been incidents of social engineering attacks on the customer services departments of sites like Amazon, who end up getting duped into believing the attacker is the customer because they have 'enough' information/access to convince the employee. If I were you I'd also go back and check e-mails from such sites telling you about changes with your accounts and I'd browse the account settings areas to make sure nothing's there that shouldn't be there. If in doubt, ask.
 

ParatoOptimal

That was an old PW from a long time ago no longer in use. I checked my other subscriptions and I do use variations of it on a few sites. I'll have to change those. I use that email address everywhere. I also use the same userid of the email address on a few different email services. There's nothing I can do about the email address.
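An added example, not part of the original thread: a small local audit that flags which of your own stored passwords are identical to, or variations of, a password known to be exposed, which is the reuse risk discussed in the posts above. The function names, the similarity threshold and every sample password and site label are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Character substitutions people commonly use to "vary" a password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def core(password):
    """Reduce a password to its base: lowercase, drop leading/trailing
    digits and symbols, then undo common substitutions."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped.translate(LEET)

def classify(exposed, candidate, threshold=0.8):
    """Return how `candidate` relates to the exposed password, or None."""
    if candidate == exposed:
        return "identical"
    a, b = core(exposed), core(candidate)
    if a and a == b:
        return "same base"      # only the decoration differs
    if a and b and SequenceMatcher(None, a, b).ratio() >= threshold:
        return "similar"        # base word lightly altered
    return None

def audit(exposed, vault):
    """Map each account label to a verdict; unrelated passwords are omitted."""
    findings = {}
    for site, password in vault.items():
        verdict = classify(exposed, password)
        if verdict:
            findings[site] = verdict
    return findings

# Constructed sample data. Run this only on your own machine, against
# your own password list, and do not save real passwords in the script.
EXPOSED = "Bluebird42"
VAULT = {
    "mail": "Bluebird42",
    "auction": "bluebird2019!",
    "store-a": "Blu3b1rd#7",
    "forum": "Bluebirds99",
    "store-b": "maple-Quartz-tundra-58",
}

if __name__ == "__main__":
    for site, verdict in audit(EXPOSED, VAULT).items():
        print(f"{site}: change this password ({verdict})")
```

Every account the audit reports should get a new password that shares nothing with the exposed one; an unrelated passphrase such as the constructed `store-b` entry is not flagged.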
 

Plar

Junior Member
Aug 6, 2018
22
0
16
I recommend changing the password as soon as possible. Also use all possible protection levels for your mail. Use a more complicated password. I don't know for what purpose this is done, but the opportunity to crack the mail exists.
 

mikeymikec

Knowing an e-mail address doesn't tell anyone anything, but having access to that e-mail account very likely does, given the contents of one's mailbox.