I’ll skip ahead to the moral of this story: don’t be a victim of hacking. If you are, your domain or e-mail provider might crush you. Particularly if it’s Yahoo.
For 10 days Yahoo has shut down my business, Media Predict, which is a fantasy market game for TV shows and movies. Nor will Yahoo let me access my personal e-mail and business e-mail. Here’s how it happened.
Three years ago I started using Yahoo Small Business to host my domain and my personal and business email. The products were lousy, but I always had higher priorities than switching. After all, I was growing a new research company. We launched and got great press (here, here). Our clients included Showtime, A&E, Meredith, and more.
Jump to last week, when I learned that a hacker broke into a portion of our site. We were puzzled because the site, driven by partner company Inkling, has always been iron-clad. But apparently a weakness in an old install of WordPress, which we use only for our blog, allowed the jerk to set up a phishing scam under my domain.
I learned all of this from Bluehost, which hosts the WordPress portion of my site. We worked together and fixed it within minutes. Two days passed with no problem.
Then came along the Yahoos.
Again, as far as anyone can see, my problem was resolved. But what Yahoo lacked in timeliness or intel, they made up for in brute force.
Citing our presence of a list of “abusive sites,” Yahoo yanked my entire domain, taking down every aspect of my site. Yahoo then yanked my business and personal e-mail addresses as well. I received no notice or instructions as to what to do. Heck – it took me a half-hour to figure out that the problem was just with me, and not Yahoo Small Business generally.
It took three more hours to locate a support number. Eventually I found one on my credit card bill.
With the consistency of a World Cup soccer wall, support referred me straight to Yahoo Abuse. They also made it clear that nobody talks to Yahoo Abuse:
- “Abuse doesn’t take calls. All you can do is e-mail them.”
- “We don’t even have a contact number for them.”
- “We have no idea what Abuse does once we hand tickets on to them. We never see the outcomes.”
- “No one here has had any contact with Abuse or can tell you how they normally operate.”
- “We don’t know their hours or if they work on the weekends.”
So I e-mailed. An auto-reply promised a response within 24 to 48 hours – I waited 90.
That was already an eternity of downtime. Every hour friends and family called me saying that my e-mail was dead. I couldn’t serve clients. At our site we maintain a small but specialized community of users – they had no idea what was going on. My business was toast.
I got a little stoked at this point, naturally. For what it’s worth, my LinkedIn profile shows that I received a PhD from Cambridge University. Yes, those Oxford guys might give you trouble, but we tend to be scam-free. As for my criminal record, I confess I was once cited for an illegal U-turn in Bloomington, Indiana, when I was a junior in high school.
At last I received a form letter stating that Yahoo would release my domain, but “for legal reasons it will not be possible to reactivate your Yahoo! account.” Thus apparently I will never get access again to personal or business e-mails still stored in the cloud. “We apologize for any inconvenience this may cause.”
I wrote back within minutes asking them to release the domain. The wait to hear back? Oh: another six days.
The point isn’t merely about Yahoo. Rather my story raises concerns for anyone who uses the cloud. After all, your biggest problem there might not be security. What do you do if your service provider goes vigilante on your ass?
It could happen. Few hackers parade under their own identities. Instead of considering this obvious truth, Yahoo felt free to crush a faithful customer, which is apparently much easier than sorting out who is really at fault.
In doing so Yahoo departed from most every legal and social precedent that could apply to my case. We don’t punish victims of credit card theft or identity theft. Indeed if I owned a house, and someone broke in and sold drugs from it — well, in Yahoo’s world, the cops should cuff me and let the dealer go free. That’s not right. My company could have had a better lock on the door, but a crime is a crime. We committed none.
Of course, getting cuffed by the cops would be better than what we’ve experienced, since at least we’d have a court of law in which to make our case. I still have yet to speak to a human at Yahoo, aside from the Support guys clearly instructed not to say anything. Nevertheless I hope that we are nearing resolution, and that at least my domain will be released soon.
In fairness, I would offer comment from the Abuse department. But they don’t take calls. I did try e-mailing. I expect a response in about six days.
[Editor's note: VentureBeat has contacted Yahoo for their comments on this story, but as of the time of this posting the company has not responded. We will update this story if/when we get a reply.]
Brent Stinski is founder and CEO of Media Predict, a fantasy market game where users bet on TV shows and movies. He has contributed to Venture Beat and Business Insider.