Back in, oh… I forget: sometime in around 2002 or so, probably, I had a fit of paranoia about not using one password for everything but needing to be able to remember them all by storing them in a single on-line repository of passwords. (Yup, you’re right: it sounds stupid already.) I therefore signed up with LastPass.
I entered a couple of my account/password details, including the one for ye ancient Yahoo! email account which I’d already not used in about 2 years (howardjr2000@yahoo.com.au …the name alone gives you an idea of how old it is).
I then never used it again and promptly forgot all about it.
Until a week or so ago, when I got an email warning me about this. Basically, the keeper of the keys just got hacked.
Now, they say they have no definitive proof that the security of their data has been compromised, but I think I have… my ancient Yahoo! account now tells me I’ve logged in from a few interesting places:
I don’t even actually know what ‘yahoo mobile’ is, and I’ve sadly never even been to Slovenia or Peru… so those last few logins are definitely not mine and definitely the result of someone having found my Yahoo password… which I’ve only ever stored once in LastPass’s not-so-safe keeping.
Unfortunately, although I’ve not used the Yahoo account for about a decade, there were a lot of emails in it which I stored as a kind of online archive… and all of those have been mined for email addresses. I know this because a handful of people, some of whom I’ve not written to since the late 1990s, have been in touch to say they couldn’t quite understand why I was writing to them informing them that a support ticket I’d raised with “mochasupport.com” was waiting to be processed. There was no support ticket, of course, and I’d not written to them… but someone using my Yahoo account was doing so, presumably trying to find out which of the archived email addresses to which they now had access were still valid.
It means that quite a lot of spam has been sent out lately in my name (and, indeed, from my email account). The fact that it’s all originating from an old Yahoo email account is the giveaway: if it doesn’t come from dizwell.com or diznix.com, it’s not from me really.
If you’ve been receiving cryptic communications from howardjr2000@yahoo.com.au, I can only apologise and try to explain that it wasn’t really my fault! In the meantime, I’ve changed every password on every account I have or can remember having, including the Yahoo! one, and hopefully that will see things die down (or at least the spam will have to start coming from someone else’s hacked account).
And the lesson to be learnt, I think, is the one I really had already learnt all those years ago when I stopped using the LastPass account almost as soon as I’d created it: storing all your account information on the web is a really dumb idea! These days, for what it’s worth, I use TrueCrypt to create an encrypted file container and store a KeePass ‘password safe’ (which is also encrypted) on that container when mounted as a virtual drive. If I have to, the volume can leave my house on a USB key, but otherwise, it’s only ever going to be me that has access to it. I’d recommend that sort of ‘keep it local’ approach… even if everyone else is going nuts about ‘the cloud’.

Hi Howard
You mean to say that the recent email I got from you about penis enhancement cream, anal beads and “Bi-Curious” movies (whatever they might be) is not, after all, an attempt to heal old wounds? Bah!
Don X
Well, not a very good attempt, anyway. :-0