Google Blogoscoped

Friday, March 16, 2007

When Someone Kidnaps Your Mail

Here’s what can happen if you fall for a phishing site which grabs your email account password. Fred Jeffry emailed this with the subject “Who needs Yahoo?” (edited for clarity):

Since 1997 when I started surfing, until yesterday, my Yahoo Mail had been loyal to me, and vice versa. It started with a meager 2MB inbox, then went to 6MB, 50, 100 and now at 1000MB. Today morning Yahoo mailed me at my “Alternate Email” to notify that I changed my password recently. I didn’t. Fearing the worst, I tried logging into my Yahoo Mail account, but it wouldn’t accept my password. Clearly the hacker has changed it. Now I have lost my mails, Yahoo groups, Photos and contacts in my messenger. I vaguely remember that I clicked on a link in an IM, which redirected me to some Geocities URL and then showed up a (fake) Yahoo Photos login page. I guess I must have logged into that.

I have a backup of all my photos, so that part is not critical. But mails? Even though this is not the end, I could have restored all my mails, if Yahoo had allowed free POP3 access like Gmail!

I have a Gmail account, which I use as my secondary account, but it surely will become my Primary Mail account from today. Picasaweb is far far better than Yahoo Photos, Google groups is better than Yahoo groups. Who beats Google search, Blogger, Google docs and Google Calendar?

I have already tried backing up all my mails from Gmail to a DVD through Microsoft Outlook, which Amit Agarwal explains in detail.

The motive of the hacker must have been the Credit-Card number which users have stored in their Yahoo Account. For any reason, don’t store your card number online, be it Yahoo or Google (Checkout).

So if you have a Yahoo Account, and remember that you clicked on some link recently and it redirected you to Yahoo Photos Login page, rush to it and change your password and alternate email now. And do get a free Gmail ID with a 2GB inbox at

Tip: Whatever email service you are using, back up at least your contacts/address book. This will come in handy in case of mishaps like these.

Developers among you know this: never, ever enter your passwords into sites where the domain doesn’t show or doesn’t seem to be correct. (This includes e.g. tools that sit on top of Google, like third-party gadgets for your Google homepage.) And it doesn’t matter if the link URL seems good – what matters is what’s in your browser’s address bar once the site has finished loading.

Examples of hypothetical good Google domains are (domains like these are owned by Google):

Examples of hypothetical bad “Google” domains are (these may or may not be owned by Google):

The same domain issues are true for emails. If someone asks you to reply to e.g., it may well be an attempt to steal your account credentials.
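
The address-bar check described above, as an added example that is not part of the original post: a JavaScript function that takes the URL the browser ended up on and accepts it only if its host is under a domain you trust. The trusted list and every sample URL are constructed for illustration.

```javascript
// Added example, not from the original post. The trusted list and all sample
// URLs are constructed for illustration.
const TRUSTED_DOMAINS = ["google.com", "yahoo.com"]; // assumption: where you log in

// Judge the URL that is in the address bar after the page finished loading,
// not the text of the link that was clicked.
function checkLoginUrl(finalUrl, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(finalUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://google.com@other.example/" goes to other.example, not google.com.
  if (url.username || url.password) {
    return { ok: false, reason: "text before @ is not the host" };
  }
  // The parser lowercases the host; drop a trailing dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  // Match the whole host or a dot-separated suffix, so "notgoogle.com" and
  // "google.com.login.example" are both rejected.
  const match = trusted.find((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, reason: host + " is not under a trusted domain" };
  }
  return { ok: true, reason: "host is under " + match };
}

const SAMPLES = [ // constructed sample URLs
  "https://mail.google.com/mail/",
  "https://MAIL.Google.com./",
  "http://mail.google.com/",
  "https://google.com.login.example/signin",
  "https://google.com@login.example/",
  "https://notgoogle.com/",
  "https://photos-login.example/yahoo.com/",
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK     " : "REJECT ") + s + "  (" + r.reason + ")");
}
```

Keep domains that host other people's pages off the trusted list; in the email above, the fake login page sat on a Geocities URL.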

[Thanks Fred!]

