Discussion topic: Possible Hacking - would like to remove app password

Hello all.

I sould have recorded the call so I could transcribe the contents.

So, bottom line;

WE HAVE REMOVED YOUR ACCESS TO MANAGE YOUR EXISTING PASSWORDS, AND THATS THAT.

I have left the CSR with the following in regards to how this is unnacceptable:

 "What if I lose my laptop / it is stolen, andhas Outlook on it, which has an app password? Am I going to give this thief unfettered full access to my email forevermore? Changing my password won't kick them out; how do I remove access?"

The operator was a good bloke, he said he will feed this back again, and request that someone posts a statement here, by a SuperUser regarding this.

Anyone have any thoughts? I'm too steaming at the moment, not with the CSR, but with the higher ups who declared that this is the way its going to be now.

---

@GoukiMaster wrote:

Link to a new post regarding this being a deliberate action.

---

Looks like someone has joined your new thread (if that is what you started ) back into this one.

What you are being told doesn't, as you say, make sense.

Not being able to remove app password is a security risk.

I can't see how being able to remove/rescind an app password is a security risk.

A previous poster complained that they hit a limit on the number of app passwords they could create, but they seemed to be creating new ones frequently.

As previously mentioned, you can see your existing app passwords through the Yahoo portal, however you still cannot delete them from there. It is currently Sky's responsibilty to allow access to manage App Passwords.

The 'delete app password' button does NOTHING on the Yahoo portal, it just refreshes the Recent Activity page into the Security page.

Did anyone find out the best way to deal with this? I just rang sky and they said they can't do anything with this as it has to be done on our end, but I explained I can't delete the app password. They then advised to ring yahoo. I have changed the password on the email account and logged all devices out, I'm assuming they can log in still with this app password? 

Unfortunately it would appear Sky have deliberately removed the only way to manage previously issued app passwords.

Personally I think it does the exact opposite of what they were trying to achieve, it makes our accounts less secure rather than more.

Why they insist on telling people to call Yahoo, I really don't understand. It has nothing to do with them.

I can't believe this is the case! Is there anything else that we could do to make the account more secure against this/can the hacker still log in? I can't see any activity on the account and I've removed a send only email address they had added.

---

@jayach wrote:

 

Why they insist on telling people to call Yahoo, I really don't understand. It has nothing to do with them.

---

I imagine it's because they have no idea how to help. As you say, it's pointless contacting Yahoo.

I tweeted Rory Cellan-Jones a link to this post and a brief description, but nothing came of it. He's not with the Beeb anymore; I spent too much time trying to make a list of tech people to contact about this.

I still cannot believe that someone who does not understand the security implications of not being able to remove a near-enough-permanent password, would be in a position where they would have a final say on the matter.

@Cat37 Yeh, theres nothing that can be done, without being able to delete the app password issued. If a hacker got hold of that, as it stands right now, they have your email account.

Right all,

I just had to access an email quickly, so I opened Outlook on my phone. Asked me to sign in again.

So I moved to my computer. Outlook there is asking me to re-enter my password...

So I had a crazy thought.... Have they deleted everyones existing app passwords? 🤔

(Luckily I have these two pages bookmarked)

Do you think, maybe, just maybe someone has listened to us, and they're slowly sorting out this mess?

Sky email still works on the web. I'm guessing it'll be an inconvenience for people who mostly email on their phones - I dont think the webpage is optimized for a mobile screen.

@GoukiMaster 

It might just be a temporary issue as this link is working for me:

https://www.sky.com/sky-yahoo-mail/manage-apps?client=email

Yeh. Blast!! I was hoping they were doing something about the app password issue - just checked, my Outli are working again, as well as the app password generator.

Sorry to everyone if I got your hopes up. 🙁

---

@GoukiMaster wrote:

So I had a crazy thought.... Have they deleted everyones existing app passwords? 🤔

---

No, still working for me, and I have 3 Sky accounts using app password in Outlook on desktop.

Outlook on mobile also working, but that is using OAuth.

Edit: Sorry hadn't noticed that you said it is now working for you also.

Seems like it was just a boring outage. I tried again maybe 30 mins afterwards and it all was still borked, but no idea how long the outage was for in total.

I actually thought that maybe they were trying to rectify it, and we'd all just have to create new app passwords and we could remove the newly-created from this point on. 😓

I think when I have some time tonight I might send an email to tech mags, like Stuff, and Trusted Reviews. Hopefully they can demonstrate to the Sky bigwigs how stupid this policy is.

The problem is, if we push Sky too hard, they may just shut the email down, despite the original promise of "Sky email is for life".