Yahoo, still an awful company

9 points by goldenkey ↗ HN
Since Marissa Mayer took over as CEO, I thought Yahoo was heading in the right direction. Boy, I was wrong. Yahoo is as backwards as ever. No care in the world when it comes to customer support. They don't know how to run a business.

Today I had to speak to Yahoo Customer Support for my parents. They forgot their Yahoo mail password yet its saved on their iPad. Worst experience ever, with any customer support.

Firstly, I had to wait three hours to even speak to a rep. And the customer service line says 'your call may not be answered today.' Ridiculousness!

The rep wouldn't even give me her name or employee number to report her. She basically said if we don't know the answer to the secret questions, we can't get the account back. I told her that we would fax photo identification, social security card, etc if necessary to prove the ownership of the account. Additionally, I let her know that we still had access to the account via the iPad mail yet didn't know the password. She actually would not transfer me to a manager or even give a name. Her exact words were "I'm the only one here. Goodbye." and then hung up on me. For a company trying to beat Google, I cannot believe I had to put up with this shit. Seriously, Yahoo is an awful awful company.

I don't know what to do next. My parents run a business and the Yahoo email is necessary for their business. I cannot believe how unprofessional Yahoo is and furthermore uncaring.

Any ideas?

25 comments

[ 2.9 ms ] story [ 58.0 ms ] thread
My first thought: Since you have access to the account, you should probably try forwarding all mail somewhere (or saving it if it can) in the mean time in case things go very bad.
Unfortunately the access is only on the iPad mail. I cannot change any of the forwarding settings :-(
Pretty much agree with all you have to say about Yahoo! but from what I've seen they're on a par with Google. I've seen many folks battling to even get hold of a human being at Google to have account issues rectified.

I'd approach this in the following way:

- Sign up for an account with a company that specializes in email. I use Fastmail myself, but there are (many!) others.

- Purchase a domain relevant to their business and set up an email on that. joe@momandpop.com, that sort of thing.

- Update whatever refers to the old address (websites, flyers, business cards etc.) so if this happens again, you can switch providers but keep the same email address.

- Get a decent password manager application, and teach your parents to use it. I just use Emacs + ccrypt to store my secrets; they'll probably need a simpler solution but there are many available.

- Continue working on Yahoo! to regain control of the Yahoo! email address, assuming that's still important (e.g. customers will try to contact them on it). Try calling back at different times, email / online chat (if available) or even send a solicitor's letter. Realistically, though, I think that email address is gone for good.

If there's one important lesson to learn from this, it's that important email addresses should be on a domain you control, not .yahoo.com, .google.com, etc. etc.

I agree with all your points. I actually do mail via postfix regular expressions on my own Debian server. Im slightly pissed that my parents have me digging them out of this predicament but hell, Yahoo! shouldn't make it any harder than it is. I've seen friends in the past fax Google identity documents to get their accounts back. So I believe Google is quite a step above Yahoo. Plus I've never been told 'I won't give you my name. I'm the only one here. Goodbye' and hungup on by a customer service rep. Especially after waiting 3 hours. This was humiliating and infuriating. I threw my iPhone at the wall and shattered it to pieces out of rage.
I don't think you can necessarily say Yahoo is a bad company just because you had a bad experience with one of the customer service representatives.
You don't have the password, can't answer the secret questions, and want access to the account? Anybody can forge photo ID sent via fax, I'm glad Yahoo's doing a good job of protecting user accounts.
The questions were set years ago. Though documents can be forged, there have to be other methods to get your rightful account back if you are indeed the owner and there's something messed up with the secret questions. The account isn't on its own accord, it belongs to a _person_. What if a person is in an accident and has amnesia? They forfeit their online identities? Ridiculous....
> Though documents can be forged, there have to be other methods to get your rightful account back if you are indeed the owner and there's something messed up with the secret questions.

No there doesn't. Yahoo has no way of knowing that you are actually the owner. Nor are they obligated to go out of the way to verify ownership (which would pretty much require in-person verification, and be expensive, and even then that only works if the user signed up with personal information matching their real life identity).

> They forfeit their online identities?

Yes, that is how online accounts work. If you don't like it then use a more expensive email service with such features, or take better care of your passwords by writing them down. If things were ran your way, everybody's email would be accessible to every little Mitnick crawling around out there.

Just because social engineering exists, doesn't mean we should have to forfeit our online accounts because businesses can't support the costs of verification in extreme circumstances. I find your stance arcane.
So you are suggesting businesses should go bankrupt instead of telling you are SoL?
If the business is email, then yes.
There are ways to extract passwords from iOS backups, that might be a way to go? I believe the entire keychain could be accessed.
I tried Keychain Viewer package from a 3rd party repo on Cydia. It didn't get the Yahoo password unfortunately. If you know of any specific packages to try, please let me know. I got so angry when she said 'I will not give you my name. There is no manager here. Goodbye' that I threw my iPhone at the wall and shattered it to pieces. Now I'm also out $400. I really hate Yahoo .. :-/
Well that was a bit silly.
For real. Just cost myself $400. I have anger problems.
There is an app called Keychain Access on the mac which allows you to copy a password to the clipboard. If they're using iCloud keychain and they can login to their iCloud account, you might be able to pull it off that way.
That's what I did when the same happened to me. Enable iCloud Keychain on the iPad and the Mac, wait for the passwords to sync (might take a few minutes) and then open Keychain Access on the Mac and find the password on it.
This did not work because the Yahoo password is not stored on the device after being entered. Apparently Yahoo has something called XYMCOOKIE authentication for SMTP and IMAP which is basically just acceptance of a pre-sent hash/cookie. The iPad discards the actual password the first time you enter it and instead stores a XYMCOOKIE.

See here: https://www.google.com/search?q=XYMCOOKIE+authentication

Oh, I figured they had used Safari but it makes sense that they used the builtin Mail app.
This won't work. Yahoo credentials are stored for later use as "XYMCOOKIE" which is some kind of hashed authentication mechanism for SMTP and IMAP. And yes, I tried. I also attempted to monitor SSL communications through SMTP and saw the XYMCOOKIE exchange firsthand. This sucks :-/
Or at the very least set up forwarding in case you can't get back to your account!
Firstly, I agree, Yahoo is an awful company (like most). I also feel bad for your situation since of course your parents wouldn't know they need to use 1Pass or that business accounts should always be on their own hosted domain.

That being said, other than Yahoo taking a long time and being potentially rude, they did the right thing. If you don't have the password and can't answer the security questions and or don't have access to the recovery email address then yes you will lose full access. Otherwise, what would stop someone else from comprising someones account? Photo ids and other documents can be faked and or stolen. My 1Password holds all my passwords but if someone was able to do what you desire they could potentially gain access to my email account and then do password resets on my bank accounts and all other accounts and take over everything even without my 1Password accounts. (well I use 2 factor for most but you get the idea).

Now if Yahoo did give you access without providing a password or answer to security questions then yes that is a big security issue.

Once again, still sucks for your parents though. And if really important I imagine you can just jailbreak the iPad and their are ways to see save passwords assuming they saved it on their ipad in mail app or another app possibly. Or if they have a Mac it would be in Keychain.app.

You could use a proxy between the ipad and the server to strip the ssl and get the password.

I have used chralesproxy[1] to do something similar, but you might want to try proxy.app it was just mentioned here on HN a couple days ago[2]

1: http://www.charlesproxy.com/ 2: https://news.ycombinator.com/item?id=7777807

Charles proxy only does HTTPS, not SMTP via SSL. I tried it so I know.

Anyho, I did end up writing a Theos Mobile Substrate tweak to syslog SSL communications and it turns out Yahoo authenticates via a XYMCOOKIE only usable with SMTP and IMAP. So pretty useless for actually logging into yahoo.com

Here's the theos code if anyone else wants to log SSL on their jailbroken device: http://pastebin.com/K6nDG39Y

So after you've gone through all of this, your parents will continue to use Yahoo. They likely don't pay Yahoo anything, and Yahoo doesn't feel obligated to do anything other than provide an email address that works most of the time.

This is exactly the conversation I have with clients in this sort of situation: "You shouldn't be using Yahoo, or any other free email service, for your business email. Even if we could solve this problem now, you're going to have another problem later on. We need to set you up with a proper, professional email address, you will have to send out a short update to your contacts announcing the new email address, you'll have to update your website and any other business materials, and for a while, you'll have to forward all of your Yahoo mail to your new email address.

I know this sounds expensive and sounds like a lot to have to do right now, and it is, but I don't provide Yahoo support for free, and you're better off getting this fixed now rather than putting it off and having to do it another day anyway. I'll be happy to help you with all of this."

If somebody, whether family or client or otherwise, uses Yahoo or Gmail or Hotmail (or outlook.com or whatever the heck it is now), I'll make one good faith attempt to resolve their trouble, and then after that I simply don't care anymore. They're using a stupid service, and that's their problem, not mine, and I'm not going to grow another gray hair over it.