

Yahoo, still an awful company - goldenkey

Since Marissa Mayer took over as CEO, I thought Yahoo was heading in the right direction. Boy, I was wrong. Yahoo is as backwards as ever. No care in the world when it comes to customer support. They don't know how to run a business.

Today I had to speak to Yahoo Customer Support for my parents. They forgot their Yahoo mail password yet it's saved on their iPad. Worst experience ever, with any customer support.

Firstly, I had to wait three hours to even speak to a rep. And the customer service line says 'your call may not be answered today.' Ridiculousness!

The rep wouldn't even give me her name or employee number to report her. She basically said if we don't know the answer to the secret questions, we can't get the account back. I told her that we would fax photo identification, social security card, etc. if necessary to prove the ownership of the account. Additionally, I let her know that we still had access to the account via the iPad mail yet didn't know the password. She actually would not transfer me to a manager or even give a name. Her exact words were "I'm the only one here. Goodbye." and then hung up on me. For a company trying to beat Google, I cannot believe I had to put up with this shit. Seriously, Yahoo is an awful awful company.

I don't know what to do next. My parents run a business and the Yahoo email is necessary for their business. I cannot believe how unprofessional Yahoo is and furthermore uncaring.

Any ideas?
======
duncan_bayne
Pretty much agree with all you have to say about Yahoo! but from what I've
seen they're on a par with Google. I've seen many folks battling to even get
hold of a human being at Google to have account issues rectified.

I'd approach this in the following way:

- Sign up for an account with a company that specializes in email. I use
Fastmail myself, but there are (many!) others.

- Purchase a domain relevant to their business and set up an email on that.
joe@momandpop.com, that sort of thing.

- Update whatever refers to the old address (websites, flyers, business cards
etc.) so if this happens again, you can switch providers but keep the same
email address.

- Get a decent password manager application, and teach your parents to use
it. I just use Emacs + ccrypt to store my secrets; they'll probably need a
simpler solution but there are many available.

- Continue working on Yahoo! to regain control of the Yahoo! email address,
assuming that's still important (e.g. customers will try to contact them on
it). Try calling back at different times, email / online chat (if available)
or even send a solicitor's letter. Realistically, though, I think that email
address is gone for good.

If there's one important lesson to learn from this, it's that important email
addresses should be on a domain you control, not .yahoo.com, .google.com, etc.
etc.

~~~
goldenkey
I agree with all your points. I actually do mail via postfix regular
expressions on my own Debian server. I'm slightly pissed that my parents have
me digging them out of this predicament but hell, Yahoo! shouldn't make it any
harder than it is. I've seen friends in the past fax Google identity documents
to get their accounts back. So I believe Google is quite a step above Yahoo.
Plus I've never been told 'I won't give you my name. I'm the only one here.
Goodbye' and hung up on by a customer service rep. Especially after waiting 3
hours. This was humiliating and infuriating. I threw my iPhone at the wall and
shattered it to pieces out of rage.

------
heavymark
Firstly, I agree, Yahoo is an awful company (like most). I also feel bad for
your situation since of course your parents wouldn't know they need to use
1Pass or that business accounts should always be on their own hosted domain.

That being said, other than Yahoo taking a long time and being potentially
rude, they did the right thing. If you don't have the password and can't
answer the security questions and/or don't have access to the recovery email
address then yes you will lose full access. Otherwise, what would stop someone
else from compromising someone's account? Photo IDs and other documents can be
faked and/or stolen. My 1Password holds all my passwords but if someone was
able to do what you desire they could potentially gain access to my email
account and then do password resets on my bank accounts and all other accounts
and take over everything even without my 1Password accounts. (well I use 2
factor for most but you get the idea).

Now if Yahoo did give you access without providing a password or answer to
security questions then yes that is a big security issue.

Once again, still sucks for your parents though. And if really important I
imagine you can just jailbreak the iPad and there are ways to see saved
passwords assuming they saved it on their iPad in mail app or another app
possibly. Or if they have a Mac it would be in Keychain.app.

------
compass-seeker
I don't think you can necessarily say Yahoo is a bad company just because you
had a bad experience with one of the customer service representatives.

------
SamReidHughes
You don't have the password, can't answer the secret questions, and want
access to the account? Anybody can forge photo ID sent via fax, I'm glad
Yahoo's doing a good job of protecting user accounts.

~~~
goldenkey
The questions were set years ago. Though documents can be forged, there have
to be other methods to get your rightful account back if you are indeed the
owner and there's something messed up with the secret questions. The account
isn't on its own accord, it belongs to a _person_. What if a person is in an
accident and has amnesia? They forfeit their online identities? Ridiculous....

~~~
SamReidHughes
> Though documents can be forged, there have to be other methods to get your
> rightful account back if you are indeed the owner and there's something
> messed up with the secret questions.

No there doesn't. Yahoo has no way of knowing that you are actually the owner.
Nor are they obligated to go out of the way to verify ownership (which would
pretty much require in-person verification, and be expensive, and even _then_
that only works if the user signed up with personal information matching their
real life identity).

> They forfeit their online identities?

Yes, that is how online accounts work. If you don't like it then use a more
expensive email service with such features, or take better care of your
passwords by writing them down. If things were run your way, everybody's email
would be accessible to every little Mitnick crawling around out there.

~~~
goldenkey
Just because social engineering exists, doesn't mean we should have to forfeit
our online accounts because businesses can't support the costs of verification
in extreme circumstances. I find your stance arcane.

~~~
nemothekid
So you are suggesting businesses should go bankrupt instead of telling you you are
SoL?

~~~
goldenkey
If the business is email, then yes.

------
thaumaturgy
So after you've gone through all of this, your parents will continue to use
Yahoo. They likely don't pay Yahoo anything, and Yahoo doesn't feel obligated
to do anything other than provide an email address that works most of the
time.

This is exactly the conversation I have with clients in this sort of
situation: "You shouldn't be using Yahoo, or any other free email service, for
your business email. Even if we could solve this problem now, you're going to
have another problem later on. We need to set you up with a proper,
professional email address, you will have to send out a short update to your
contacts announcing the new email address, you'll have to update your website
and any other business materials, and for a while, you'll have to forward all
of your Yahoo mail to your new email address.

I know this sounds expensive and sounds like a lot to have to do right now,
and it is, but I don't provide Yahoo support for free, and you're better off
getting this fixed now rather than putting it off and having to do it another
day anyway. I'll be happy to help you with all of this."

If somebody, whether family or client or otherwise, uses Yahoo or Gmail or
Hotmail (or outlook.com or whatever the heck it is now), I'll make one good
faith attempt to resolve their trouble, and then after that I simply don't
care anymore. They're using a stupid service, and that's their problem, not
mine, and I'm not going to grow another gray hair over it.

------
nemasu
My first thought: Since you have access to the account, you should probably
try forwarding all mail somewhere (or saving it if it can) in the meantime in
case things go very bad.

~~~
goldenkey
Unfortunately the access is only on the iPad mail. I cannot change any of the
forwarding settings :-(

------
blissofbeing
You could use a proxy between the iPad and the server to strip the SSL and get
the password.

I have used Charles Proxy[1] to do something similar, but you might want to try
proxy.app it was just mentioned here on HN a couple days ago[2]

1: [http://www.charlesproxy.com/](http://www.charlesproxy.com/)

2: [https://news.ycombinator.com/item?id=7777807](https://news.ycombinator.com/item?id=7777807)

~~~
goldenkey
Charles proxy only does HTTPS, not SMTP via SSL. I tried it so I know.

Anyhow, I did end up writing a Theos Mobile Substrate tweak to syslog SSL
communications and it turns out Yahoo authenticates via an XYMCOOKIE only
usable with SMTP and IMAP. So pretty useless for actually logging into
yahoo.com

Here's the theos code if anyone else wants to log SSL on their jailbroken
device: [http://pastebin.com/K6nDG39Y](http://pastebin.com/K6nDG39Y)

------
johndandison
There are ways to extract passwords from iOS backups, that might be a way to
go? I believe the entire keychain could be accessed.

~~~
goldenkey
I tried Keychain Viewer package from a 3rd party repo on Cydia. It didn't get
the Yahoo password unfortunately. If you know of any specific packages to try,
please let me know. I got so angry when she said 'I will not give you my name.
There is no manager here. Goodbye' that I threw my iPhone at the wall and
shattered it to pieces. Now I'm also out $400. I really hate Yahoo .. :-/

~~~
niveus
There is an app called Keychain Access on the mac which allows you to copy a
password to the clipboard. If they're using iCloud keychain and they can log in
to their iCloud account, you might be able to pull it off that way.

~~~
rnoises
That's what I did when the same happened to me. Enable iCloud Keychain on the
iPad and the Mac, wait for the passwords to sync (might take a few minutes)
and then open Keychain Access on the Mac and find the password on it.

~~~
goldenkey
This did not work because the Yahoo password is not stored on the device after
being entered. Apparently Yahoo has something called XYMCOOKIE authentication
for SMTP and IMAP which is basically just acceptance of a pre-sent
hash/cookie. The iPad discards the actual password the first time you enter it
and instead stores an XYMCOOKIE.

See here:
[https://www.google.com/search?q=XYMCOOKIE+authentication](https://www.google.com/search?q=XYMCOOKIE+authentication)

~~~
niveus
Oh, I figured they had used Safari but it makes sense that they used the
built-in Mail app.

