The letter will explain my entire situation and the steps I've taken so far.
Please note, I got to the point where I was asked to send this letter by a representative of one of the board of the company.
EDIT: Removed a name that hadn't been removed, re-signed the text because the <strike> were PGP encoded but not showing in the text.
This letter has certain information edited out.
The public digital signature is available at:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear OMIT,

Again, I'd like to thank you for listening to my situation. I am a Yahoo user. This is going to most likely be a fairly long letter and I thank your patience in reading through this situation. I'm going to outline information about who I am, my membership as a customer, the event that occurred, and the process that has occurred or more properly not occurred as a result.

I first joined Yahoo (as far as I can tell) in December of 1997. At the time I took on the user ID "gtapolow". In 2000 partially due to spam and partially for privacy I established another Yahoo account. This one is "life_magick".

I am a software engineer. I have been such since before leaving college in 1990. I have been involved with internet technologies since the days of BBS's in the 1980s. The idea of secure information and transmission of personal data is fairly important to me.

If you take a moment to look at http://profiles.Yahoo.com/lordandrei_93 you will see me as I am today. (lordandrei_93 is a 'profile' of gtapolow) This is a recent creation. I had pretty much settled my Yahoo dependency on 'life_magick'. You will note a relatively matching set of data at http://profiles.Yahoo.com/life_magick

To give more references to who I am you can look at my personal web site: http://www.apolo.net/who.php which features the same picture (as well as the picture of my wife). Further reference can be found at http://www.livejournal.com/users/afreeman and most currently used: http://lordandrei.livejournal.com

I write all of this to put a human face on this story and situation.

Currently I work for a software company dealing with a problem known as Phishers. These are people who send false email purporting to be representing a company. They direct the user to a web site that mimics the site they are purporting to be. The false web site asks for the user to log in.
The user has now (more often than not) unwittingly compromised their log in information.

On Monday evening at about midnight, I received a message from a trusted friend via Yahoo's Internet messaging technology. The message was a link to their site on Geocities. Geocities forwarded me to a secure Yahoo page. I logged in. The service was displayed as being unavailable. I am thoroughly embarrassed to say that as an engineer fighting against mail fraud, I succumbed to the very style of fraud in question. Only this one came in from something other than email.

Tuesday, while at the office I was logged off while in session on Yahoo IM. I logged back in. I was logged out again. By the time I got to the Web page to reset my password it was too late. The account password and credentials had been changed. I was locked out of my account.

The crux of my problem is I no longer have any access to "life_magick". Most of my mailing lists are maintained by Yahoo. Some of my financial data may be accessible via this Yahoo account. I don't know for sure. Personal files are in my Yahoo account. And to make matters worse, a time critical project I am working on and managing is done thru that Yahoo account. The project and all access is gone.

The process as it stands is to provide Yahoo with your date of birth and the current postal code on file. Then an email is generated to the end user with a special link to reaccess the account. This specific fraud captured emails and passwords and then logged on and changed the current zip code.

The mechanism to report this as a problem is sent to a department known as "account-security". They do not have a phone number or a live person that the customer can reach. The customer fills out a form on the web, an automated system generates a form letter that the user must then reply to with a large array of personal information.
(Sent via email without a secure channel) The linchpin of this mechanism is the exact postal code you used when you initially registered with Yahoo. It doesn't matter how much information you provide, unless you provide that specific piece of data... the system will continue to send the same request repeatedly.

To be completely honest. I am a software engineer. In my line of work you really don't stay with a company more than two years. I have in 5 years moved 4 times. I have changed addresses 5 times (I changed apartments in a complex after a promotion), to make matters worse... I have legally changed my name. In retrospect, I have to admit, I have honestly no idea what I entered initially for zip code when I applied for the life_magick account. It may have been a 5 digit or a 5 digit+zip4 with or without hyphen. It may have been my work address, home address, old address. I may have put in something that was a code phrase because I didn't trust giving my zip code to Yahoo at the time. It could have been 02134 (The zip code of childhood favourite "Zoom")

The unfortunate thing is that I can provide a notarized copy of my driver's license with a picture matching the profile. I can even acquire OMIT because I have details about the photo that can't be acquired by most people. I can send in proof and affirmation from people that for all intents and purposes, I am "life_magick". However, the basic security process only acknowledges a zip code. A piece of information that is not only not secure, but easily discoverable by anyone with simple know-how. In my case, because I didn't trust that information, the system has locked me out.

Since then, I have filled out the web form. I have received countless automated emails to which I have elaborated more personal data than I'm really comfortable sharing with colleagues, let alone a company that is hard to reach.
Each email has included an increasingly desperate request to be contacted by a human being to offer alternate forms of proof. Each mail has been processed and replied with a form letter that seems to ignore everything I've written, simply asking for the same piece of information, I have to admit that I don't have. Most recently I have replied with every imaginable number I can come up with, but the truth of the matter is... it should never have come to this.

I took the next step. I tried calling Yahoo. At first I was sent to account verification who could only take a postal code and enter it into a program that would compare it with the current data. This system becomes broken the moment someone changes that piece of data. The hacker knew this. There is no way I can verify my account in the current system because the hacker has put in false data.

- From there I asked for a supervisor. My first foray into the phone banks of Yahoo customer support passed me off on OMIT and OMIT. Both were obviously in a foreign call center (our company uses them as well). Both are well versed in voicing empty sympathy, ("I really wish I could help you."), both made it clear that if I couldn't provide a zip code I'd have to send the email. (By this point I was up to 5 pieces of automated email)

I asked OMIT for her supervisor who transferred me to OMIT in Canada. By this point I was prepared to ask for each supervisor until I could get my issue remedied. OMIT informed me that these issues were handled by Account-security and that they had no phone. They only have email. I had previously been told this. I was seeking to push through that black box since there was no resolution path. (I am an engineer, problem solving is what I do for a living) OMIT, who is a supervisor exceeded at the ability to voice compassion without actually supplying any resolution.
OMIT also explained that her supervisor is in fact an administrator that wouldn't be able to understand the situation and would report it to his corporate supervisor. OMIT also informed me that she had no idea who her supervisor's supervisor was. For most companies, this means I hit the top of the outsource chain. OMIT recommended that I call the corporate number.

The corporate number had a pleasant phone tree that would dotingly send me back down the line to customer service. I pressed zero and was greeted by another female voice with a very thick Indian accent. The operator would not identify herself beyond, "Operator #5." I told her that I'd been sent to the corporate line from account-verification to ask for a number for account-security. She told me that this wasn't who I wanted to talk to and she'd transfer me to account-verification. I tried to explain to her that it was that department that sent me to her. She told me quite simply I was wrong. I asked for her supervisor, she refused to do so. I explained one more time what the full situation was. She put me on hold. After a few minutes she returned to the line and reiterated that I was wrong and told me that she was going to transfer me to account-verification. Frustrated that I was about to repeat the process that had already eaten an hour out of my work day I asked for the president of the company. She curtly informed me that he doesn't handle customer issues and placed me on hold. I believed it was hold. Two minutes later the line disconnected.

At this point I decided that the system was broken. To gain access to an account all you need is a password, a birthdate and a zip code. These are not secure pieces of data. And because I couldn't provide one of these pieces of data, I float 2 days later still waiting for my 12th automated response from Yahoo's security department.

I went to the investor page.
I started using the names to call anyone who seemed to be high on the food chain to alert them that there is a problem with this system. I don't work for Yahoo and it only took me two days to find the problem.

To explain how I wound up at your desk I called corporate and punched in the names of people on the investor page for executives.

OMIT is out of the office until April 18th
OMIT actually resolves to OMIT who has a full mailbox
OMIT resolves to a voice mail for OMIT who is now working out of Santa Monica. His forwarding number in Santa Monica is wrong but that number gives a forwarding number to the new phone number. The operator in Santa Monica was very nice albeit unable to help. It was her first day and she was having difficulty finding information.
OMIT is not listed in the phone system at all.
OMIT... I got a human being on the executive staff.

To reiterate, I've lost an account that has five years of collected Yahoo resources in it. Private files, pictures, over 200 mailing lists of which I administrate several. I am obviously frustrated. My lack of progress has left me with a very unhappy taste in my mouth for the service. Now as a software engineer and manager I'd rather see the system fixed than abandon the technology.

So, here is where I am. I represent one user who's taken the time to find a problem and try to work with the company to find a solution. I can list countless people who can attest to my identity. I can also list countless people who may not have the knowledge or will to get this far and have simply given up on Yahoo as a product.

This is my story and situation. I hope it gets into hands that can make it right. I am more than willing to offer what experience and knowledge I have in the industry to aid Yahoo in making it right.

Thank you

- -Andrei Freeman (Legally changed from OMIT)
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.0 - not licensed for commercial use: www.pgp.com
Comment: 93, 93/93

iQA/AwUBQl8HCnouKvXM/BhwEQI/JACeIFGhS1aXB7ItPoaYXktmtzLmQ3AAn3Ag
nnh5fpZpSc9z+D3Z8LKUx85M
=vIo2
-----END PGP SIGNATURE-----
Edit: 2005.06.16: This post was friends only. It is now public as the Yahoo situation has been remedied.