Hackers might know your YES ID Password

Update 1: According to a friend of mine, www.yes.my is using a mix of architectures, including Microsoft, at the moment.

——————————————————————————————-

There have been so many issues with YTL’s newly launched “world class” YES WiMAX, aka the self-claimed “4G network”, recently.

From registration, login, billing, network and support to marketing, there seem to have been errors and problems since Day 1 of launch.

And YTL’s only excuse so far is that their website is being attacked by hackers. YTL claims that this “attack” is a DDoS attack of as many as 300,000 hits per second. However, they did not back it up with solid proof. I’ve checked, and there were a number of Malaysian domains attacked on 20th November 2010, but YTL’s www.yes.my wasn’t on the list.

Since Monday (22 November 2010), YTL’s world class YES network has been up and running, but users can’t access their YES ID page on www.yes.my. I’m not a technical “web” person, but it appears that YTL launched the www.yes.my portal on a Windows platform and later changed the platform to open source over the weekend (21-Nov-2010). No proper direction?

And this “change” came just at the time when at least 3 people from Hack In The Box (HITB) were at YTL’s Network Operating Center to “help” YTL resolve their issue.

I’ve tried asking YTL via Twitter what exactly was shared with these people from HITB who have the knowledge of “hacking”, but I did not get any response. However, YTL confirmed that it worked with HITB. In the meantime, I was “attacked” on Twitter by these “hackers”, who claim that the website has got nothing to do with the customer database.

The reason why I am so worried about this is that YTL’s YES customer database is accessible via www.yes.my and these “hackers” from HITB “volunteered & helped us identify d attacks against yes.my“, in YTL’s own words on Twitter. This also means that these folks had access to YTL’s servers/website, or at least now they know the details of the servers and how they work and are configured.

I’ve asked YTL if they signed any agreement with HITB prior to this “volunteered help” to ensure customer confidentiality. I’m still waiting for that answer.

I have no problem with Hack In The Box (HITB), but the issue here is that sharing confidential data with them or anyone else out there without proper paperwork is a serious privacy issue to me when this “confidential data” could directly or indirectly relate to YES customers.

And during the same time (19-21 Nov 2010), pre-registered YES customers had problems accessing the network after completing their registration, and this created a new problem. On November 21st, I found out that YTL had started defaulting all YES passwords to the customer’s date of birth. That’s right folks, the YES password is set to DATE OF BIRTH, and since the YES ID page has been down since day 1 of launch, plus internal staff couldn’t access the customer database at certain times, most passwords remain the same even today.

As I’m still waiting for a response from YTL regarding what was shared with these “hackers”, I’m guessing for now that these hackers probably know about this (date-of-birth password), since they have been monitoring Twitter.

It is really scary to think that these “hackers” could easily find our username and try to look for our date of birth on Facebook. And one of these HITB “hackers” even wrote this on his blog:

“The resulting smile on all our faces must have made our neighbours at Shook! think we were slightly insane. After that it was a race to see who could whip out an SSH client first and create a VPN tunnel to any one of our servers on the internet. And barely seconds later, all of us had full blown internet access on the YES network without even using a working account.”

I’m not sure about the number but I can’t imagine that probably UP TO 15,000 YES accounts can be accessed easily and YES customers can’t even access their own account page to monitor the usage. “Free Internet” for these hackers? Definitely.

This is a serious security issue and the question here is simple. YES customers have been charged for their usage from 19 November till 23 November 2010. What happens when customers find out that someone has been using their account, and where can customers check their account? And who is going to be responsible for customers’ data that could be easily accessed using date of birth: will it be HITB or YTL?

Note: I’m revealing this (date-of-birth password issue) because a few friends around me (YES users) started asking about this, and I hope YTL will do something to fix this NOW before it is too late.

If you are using your date of birth as your YES ID password, I suggest that you visit a YES service center now and demand that your YES ID password be changed manually.
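
As an added illustration (not part of the original post and not YTL's code), here is a sketch of what account provisioning could do instead of defaulting to the date of birth: issue a random temporary password, force a change, and refuse date-shaped passwords. The date formats, the 1930-2010 birth-year range, the 10-character minimum and the record layout are all assumptions.

```python
import hashlib, hmac, os, secrets
from datetime import date, datetime

# Assumed list of ways a birthday gets typed; not taken from YES.
FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d-%m-%Y", "%d/%m/%Y", "%Y-%m-%d")

def date_keyspace(first_year, last_year):
    """Upper bound on distinct passwords when the password is some birthday."""
    days = (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1
    return days * len(FORMATS)

def looks_like_date(password):
    """True if the whole password parses as a date in any assumed format."""
    for fmt in FORMATS:
        try:
            datetime.strptime(password.strip(), fmt)
            return True
        except ValueError:
            continue
    return False

def _hash(password, salt):
    # Salted and deliberately slow; a fast unsalted MD5/SHA-1 is neither.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def provision_account():
    """Issue a random temporary password and force a change at first login."""
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    return temp, {"salt": salt, "hash": _hash(temp, salt), "must_change": True}

def verify(record, password):
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))

def set_password(record, new_password):
    """Refuse date-shaped or short passwords, otherwise store the new hash."""
    if len(new_password) < 10 or looks_like_date(new_password):
        return False
    record["salt"] = os.urandom(16)
    record["hash"] = _hash(new_password, record["salt"])
    record["must_change"] = False
    return True

if __name__ == "__main__":
    print("date-shaped passwords, births 1930-2010:", date_keyspace(1930, 2010))
    temp, rec = provision_account()   # constructed account, no real data
    print("DOB rejected:", not set_password(rec, "20/11/1985"))
```

The keyspace figure is the point: with so few possible values, no choice of hash function makes a date-of-birth password safe, so the fix has to be in how the initial password is issued.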

P.S.: I might get hacked anytime soon….Oops.

About Kugan

Kugan is the founder of MalaysianWireless. He has been observing the mobile industry since 2003. Connect with him on Twitter: @scamboy
  • hafiz

    This is so dodgy!

  • Jojo

    My password wasn’t changed.

  • Snappy

    How to change password?

  • wld

    nope… my password wasn’t defaulted to DOB.

    you’re quoting out-of-context when the original post meant for the loophole of not needing authentication at all to surf net (other than TCP port 80) rather than the access to other YES users’ ID & password in order to surf net.

    • agreed….the quote itself says that it uses no YES acct..

      BTW, I said DOB password for those who pre-registered n had problem logging in…

  • wld

    YES database should however store the password in encrypted or even better md5/sha1 hashed form that cannot be decrypted.

    • Papilon

      You must be the biggest moron to think Sha1 and MD5 hashes can’t be cracked.

      • make it double/triple md5 hash then. 🙂

  • noguts

    stupid

  • Hafizin2020

    Kugan.. can you check out http://www.citybroadband.net.my/ . A new operator offering BB over powerline. Not much of news on this company though. See if you can find out more and blog about it.

  • Kly

    When I log into my account I don’t see my Yes 018 phone No.
    Is this normal?

  • Wiilichan236

    I suggest you change the password regularly.
    Don’t save your password.
    It could be an inside job.

    I had 300 Mb stolen from me.
    YTL Yes claimed I let know my password to a third party.
    The cheating liars.

    • Pakcik Blackdin

      23.5 GB was stolen from my account…and they said I use FB a lot…imagine 23GB within 3 days..wowww what a big FB files.

  • willichan

    YES is damn expensive too!

    I disputed their chargemeter.
    I reckon they are set at least 30% over the norm.
    Customers have no rights in Malaysia.

    What a fcuk country!