About a dozen of my friends and contacts got spam labeled “From Greg Connor” and I believe the contact addresses came from my Yahoo.com mail account.
Even though the spam was not sent out through Yahoo.com mail servers, the contacts were unique to my Yahoo address book. (I don’t use Yahoo mail but I had imported the contacts over a year ago in an attempt to sync them to my phone or something).
So, lessons learned:
- Change your password often and use a different one for each site, especially for your email account. I highly recommend LastPass to generate unique passwords and type them in for you.
- Use two-factor auth if available, either with an authenticator app on your phone, or mobile-phone login verification. (If you prefer not to give your real phone number, you can sign up for Google Voice and get a phone number that goes to voicemail until you decide to turn it on)
- If the site doesn’t offer Google Authenticator as an option, make sure your Security Questions are up to date and turn on login verification using the security questions. (Hint: security questions don’t have to have real answers as long as you can remember or record them. For example: Town where I grew up: Smallville – Childhood best friend: Lex)
- Don’t leave other people’s private info lying around if you don’t really need them. (I failed this one.) Unused mail accounts with contacts, or social network sites that ask you to import your contacts, can keep your friends’ contact details around and leak them if your account is compromised.