It seems hackers are still successfully finding exploits with which to access Yahoo accounts and send spam. Yahoo patched some vulnerabilities on Jan 8th and 9th, and reportedly patched another related vulnerability most recently on the 31st. Emails are sent to entire contact lists from affected accounts. If the recipient of an email clicks the link they may then find themselves hacked in the same way.
If any of your friends have received strange emails from your Yahoo email address it is likely you have been hacked. Log in from your laptop or desktop computer and change your password immediately. Make sure you change it to something secure – use upper and lower case letters, numbers and special characters and make it at least 10 characters long (but preferably as long as possible).
Ideally you should consider setting up two-factor authentication (Yahoo calls it ‘second sign-in verification’) on your Yahoo account if you haven’t already. (I think everyone should seriously consider setting up two-factor authentication on ALL accounts that currently offer it). To set it up in Yahoo, from the mail page, find your username in the top left corner and click it to access the drop-down menu. Click on ‘Account Info’. Under the second heading ‘Sign-in and Security’, select ‘Set up your second sign-in verification’. Follow the instructions from here to add a mobile phone number to use as your second factor.
Note that I had some issues getting my first verification code via SMS – it seems that you need to enter your mobile number without the leading ‘0’, i.e. instead of ‘0410123456’, enter ‘410123456’. This is often the case in webforms based outside Australia, but it is not so obvious on the Yahoo page as the country is indicated by the word ‘Australia’ rather than by the ‘+61’ often seen.
Just as important, don’t click on every link you get sent via email, even if it appears to be from someone you know! Thankfully my partner was able to correctly identify a link she received from a Yahoo email address as being suspicious. There are usually a few clues: a strange, long or obfuscated URL, a URL clearly pretending to be something it’s not (e.g. google.login.1234.com) and 100 other email addresses in the ‘To’ field are but a few. All it takes is a bit of extra caution when opening emails. If you’re not sure, contact the sender to verify that they really did send you the link. Alternatively you could just ignore it! Better to possibly miss out on seeing ‘The funniest vid EVER!! LOLLLL!!!!11’ than having your computer and your accounts compromised.
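The clues listed above (a long or obfuscated URL, a host that name-drops a brand it isn’t registered under, a huge ‘To’ list) can be turned into a small checker. The code below is an added example, not part of the original post or of any Yahoo tooling; the brand-to-domain table and the two-label approximation of a “registrable domain” are my own assumptions (a real deployment would use the Public Suffix List), and the sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Brands the check knows about and the registrable domains that legitimately
# host them. Constructed for this example; extend it for your own environment.
KNOWN_BRANDS = {
    "google": {"google.com", "google.com.au"},
    "yahoo": {"yahoo.com", "yahoo.com.au"},
    "paypal": {"paypal.com"},
}

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels, or the
    last three for 'com.au'-style suffixes. Assumption for this example only; use
    the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"com", "net", "org", "gov", "edu"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_clues(url, to_count=1, max_len=100):
    """Return human-readable clues that a link in an email looks suspicious.
    An empty list means no heuristic fired, not that the link is safe."""
    clues = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname could be parsed from the link"]

    # Clue 1: strange or long URL.
    if len(url) > max_len:
        clues.append(f"very long URL ({len(url)} characters)")

    # Clue 2: obfuscation tricks (bare IP, heavy percent-encoding, user@host).
    if IP_HOST.match(host):
        clues.append("link points at a bare IP address rather than a domain name")
    if url.count("%") >= 3 or "@" in parsed.netloc:
        clues.append("URL is obfuscated (heavy percent-encoding or user@host trick)")
    if host.count(".") >= 4:
        clues.append(f"unusually deep subdomain chain ({host})")

    # Clue 3: host pretends to be a brand it is not registered under,
    # e.g. google.login.1234.com is really a page on 1234.com.
    reg = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            clues.append(f"host mentions '{brand}' but is registered under {reg}")

    # Clue 4: mass mailing to a whole contact list.
    if to_count >= 20:
        clues.append(f"{to_count} addresses in the To field")
    return clues


if __name__ == "__main__":
    for sample in ("http://google.login.1234.com/", "https://mail.google.com/"):
        print(sample, "->", link_clues(sample) or "no clues")
```

The checker only surfaces the clues the post describes; a link with no clues still deserves the “ask the sender” step, because the brand table is tiny and legitimate services routinely use long tracking URLs.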
More info on the timeline of exploits and patches here at TNW: