Tuesday, May 30, 2023

Hackers might know your YES ID Password

Update 1: According to a friend of mine, www.yes.my is using a mixture of architecture including Microsoft at the moment.


There has been so many issues with YTL’s newly launched “world class” YES WiMAX aka self claimed “4G network” recently.

From registration, login, billing, network, support to marketing- there seems to be errors and problems since Day 1 of launch.

And YTL’s only excuse so far is that their website is being attacked by hackers. YTL claims that this “attack” is a DDOS attack, as many as 300,000 hits per second. However they did not back it up with solid proof. I’ve checked and they were a number of Malaysian domains attacked on 20th November 2010 but YTL’s www.yes.my wasn’t in the list.

Since Monday(22 November 2010), YTL’s world class YES network is up and running but users can’t access to their YES ID page on www.yes.my. I’m not a technical “web” person but it appears that YTL launched the www.yes.my portal using Windows platform and later it changed the platform to open source over the weekend(21-Nov-2010). No proper direction?

And this “change” was just in time where at least 3 people from Hack In the Box(HITB) was at YTL’s Network Operating Center to “help” YTL resolve their issue.

I’ve tried asking YTL via Twitter about what was exactly shared with these people from HITB who have the knowledge of “hacking”, but I did not get any response. However YTL confirmed that it worked with HITB. In the mean time, I was “attacked” on Twitter by these “hackers” who claims that the website has got nothing to do with customer database.

The reason why I am so worried about this is because YTL’s YES customer database is accessible via www.yes.my and these “hackers” from HITB “volunteered & helped us identify d attacks against yes.my“- in YTL’s own words on Twitter. Which also means that these folks had access to YTL’s servers/website or at least now they know the details of the servers and how it works/configured.

I’ve asked YTL if they did signed any agreement with HITB prior to this “volunteered help” to ensure customer confidentiality. I’m still waiting for that answer.

I have no problem with Hack In The Box(HITB) but the issue here is that sharing confidential data with them or anyone else out there without proper paper work is a serious privacy issue to me when this “confidential data” could directly or indirectly relate to YES customers.

And during the same time(19-Nov 21 2010), pre-registered YES customers had problems accessing the network after completing their registration and this created  a new problem. On November 21st, I found out that YTL started defaulting all YES passwords to customer’s date of birth. That’s right folks, the YES password is set to DATE OF BIRTH and since the YES ID page is down since day 1 of launch, plus internal staff couldn’t access the customer database at certain time, most password even until today remained the same.

As I’m still waiting response from YTL regarding what was shared with these “hackers”, I’m guessing for know that these hackers probably knows about this(date of birth password) since they have monitoring Twitter.

It is really scary to think that these “hackers” could easily find our username and try look for our date of birth on Facebook. And one of this HITB “hacker” even wrote this on his blog:

“The resulting smile on all our faces must have made our neighbours at Shook! think we were slightly insane. After that it was a race to see who could whip out an SSH client first and create a VPN tunnel to any one of our servers on the internet. And barely seconds later, all of us had full blown internet access on the YES network without even using a working account.”

I’m not sure about the number but I can’t imagine that probably UP TO 15,000 YES accounts can be accessed easily and YES customers can’t even access their own account page to monitor the usage. “Free Internet” for these hackers? Definitely.

This is a serious security issue and the question here is simple. YES customers have been charged for their usage between 19 November till 23 November 2010. What happens went customers finds out that someone has been using their account, and where can customers check their account? And who going’s to be responsible for customers data that could be easily accessed using date-of-birth, will it be HITB or YTL?

Note: I’m revealing this(Date-of-Birth password issue) because a few friends around me(YES users) started questioning about this and I hope YTL will do something to fix this NOW before it is too late.

If you are using your date-of-birth as your YES ID password, I suggest that you visit YES service center now and demand that your YES ID password to be changed manually.

P.s: I might get hacked anytime soon….Opps.

Also read:

Kugan is the co-founder of MalaysianWireless. He has been observing the mobile industry since 2003. Connect with him on Twitter: @scamboy

Related Articles


Stay Connected with Us


Hosted at AIMS Data Centre


Latest Articles