Yandex blocks accounts to which a phone number is not attached

    I'm probably like those mice that “cried and pricked themselves, but kept eating the cactus.” Once again I try to patriotically use Yandex services, and once again it backfires on me.

    This time, access to my mail was blocked under the pretext of "suspicion of hacking." But in reality it was because no phone number was given at registration, which is generally not forbidden, but as always there is a BUT ...

    A small analysis of the situation under the cut.

    I created the mailbox on June 14th of this year. I needed to collect phone numbers from the residents of our apartment building in order to enter them into the GSM-controlled barrier. I decided to create a mailbox on Yandex and posted a notice with the e-mail address at the entrance.

    When registering, you do not have to specify a mobile phone number


    In general, I think it is right that you can skip the phone number when registering a mailbox. What is most amusing is that when you sign up with a mobile operator, they now also ask for a mobile phone number. That is, it is considered impossible that this is my first and only SIM card?

    Well, if you don't have to specify a phone number, then we won't. True, you need to choose a control question and come up with an answer. And enter the captcha. Fine, done.


    The password, as always, was generated in KeePass, about 20 letters long.

    At first, everything was fine: people sent e-mails with their numbers, and I entered them into the database. Then the stream of e-mails dried up. So as not to miss new ones, I set up a notification to my personal mailbox about new mail. The last e-mail arrived on July 14th.

    Today, August 7, a notification arrived: “You will receive a letter at xxxx@ya.ru. Read: ya.cc/ZZZZ / Yandex.Mail”. I think: well, OK, I should read it.

    And here I was in for a surprise. After entering the login and password, I received a notification:



    Wow! The account was hacked? Someone guessed a 20-character password, and then did NOT change it? Well, I enter the answer to the control question and get this form:



    So, wait! During registration I indicated “I have no phone”! And now I am asked to enter one, and there is no way to proceed without it. And how do I enter it if I do not have one? Or if I have one, but it is a landline rather than a mobile?

    Okay, I read the Help through and through on how to restore an account, and without entering a phone number at that. It mostly has answers for cases like “I do not remember the login” or “I do not remember the password”. And I do remember them (or rather, KeePass does).

    There is an option to restore access by filling out a questionnaire, but that is even funnier. For example, you need to enter a date of birth. Which I, of course, did not fill in at registration.



    For some reason, Yandex believes that if I did not fill in the date at registration (and this is possible), I will fill it in later. If you specify a date incorrectly (I tried this option), it reports that the data was entered incorrectly and access recovery is impossible. And if you do not specify one, the form cannot be submitted.

    In the end, I got a little tired of Yandex's impudence in pushing for a phone number, and entered my number. The first time, something went wrong:



    But the second time everything worked and I got into the mail.

    The number I entered was automatically “attached” to the account, although I did not ask for that. I found that it can be unlinked from the account. And here again a surprise: in order to unlink the number, you need to enter the account password and the code from an SMS, which is sent to the number being unlinked. That is, if attackers really did hack the account and link their own number, you will not be able to unlink it yourself. Likewise, if the phone linked to the mailbox is one you no longer have access to (say, you have terminated the contract with the mobile operator), you will not unlink it either. And after a while that number will be given to another person.

    Since I could not rule out that “my account was hacked or I have viruses”, I of course scanned the computer with one of the recommended antiviruses (I chose KVRT). And of course I did not find any viruses.

    Suppose the password was guessed. Or a cookie was "hijacked". Then there should be records of logins from a different address, or at least some activity in the account (sent e-mails, probably).

    Let's look at the login history:



    June 14th is my last login. August 7th is my login after regaining access. Between these dates, no one logged into the account. And in general, no one logged into the account from an address other than my home IP. There are no e-mails in the mail other than those I sent, either. There are no files on Ya.Disk, and Ya.Money was not activated (no wallet was created).

    Let's look at the activity logs in the account (read from the bottom up):



    And here it gets interesting:

    • There is no action history before July 15, although there is login history
    • On July 15 a "log out on all devices" was performed. And I did not do it. And the log shows no details (for example, there is no IP from which the operation was performed)
    • But on August 7, as a check, I performed a “log out on all devices” myself, and information about my browser, OS and IP address was recorded
    • I was especially amused by "recovery through: undefined"

    From which I concluded that Yandex took advantage of clause 2.3 of the user agreement and blocked my access to my account, starting to demand a phone number:
    2.3. Yandex reserves the right at any time to require the User to confirm the data specified during registration, and request in this connection supporting documents (in particular, identity documents), the failure to provide which, at Yandex’s discretion, may be equated to providing false information and entail the consequences stipulated by clause 2.2 of the Agreement. If the User data specified in the documents provided to them do not correspond to the data specified during registration, and also in the case when the data specified during registration do not allow the user to be identified, Yandex has the right to refuse the User access to the account and use of Yandex services.

    The blocking occurred exactly one month after registration (registration on June 14, blocking on the night of July 15), surely automatically.

    That would all be fine, but why mislead users about "hacking attempts"? And why allow registration without a phone number if it is so necessary for identification? They should have written it directly: the phone is needed in order to link your posts on the forums where you registered using this e-mail to your phone. And then, through the mobile operator, to your passport data.

    It is interesting to note that when registering, they ask for the "Last Name and First Name", and the agreement then refers to the cases "when the data provided during registration do not allow the user to be identified." We can say that the Last Name and First Name never allow you to uniquely identify the user, and therefore “Yandex has the right to deny the User access to the account and the use of Yandex services”.

    The automatic linking of an unconfirmed phone number to the account, and the impossibility of unlinking it later, also seemed interesting.

    UPD: The Chukchi is not a reader, the Chukchi is a writer. This is not the first time such a problem has come up, and I still got off easily: “Another juggling from Yandex-mail”

    UPD2: a response from a Yandex employee:

    Of course, using Yandex.Mail does not necessarily require a phone number. Many of our users have been using Mail for years without an associated number and are not faced with requests for additional information.

    In your case, most likely, our anti-fraud system was triggered. It has been working for more than a year and was created specifically to identify new accounts that spam and fraud farms are made of.

    The system analyzes more than one hundred different factors. Having a linked phone is one of them, but not the decisive one. Therefore, additional account identification was required.


    UPD3: I remembered that I have a Yandex account without an associated number, registered back in 2011 and very rarely used. The last login was probably at the end of 2017. I logged into it just now and got this banner.
    Tie a phone number

    True, [for now] it is possible to decline to enter the number. So the claim about the possibility of "using Mail over the years without an associated number" is probably true, but only for old users. From the comments it is obvious that almost all (and maybe all in general) new accounts are blocked and you need to enter a phone number.
