It’s Time to Close Your Yahoo Accounts
Yahoo has been a failing company for more than a decade. They’re the foster child nobody seems to want. Yahoo’s ownership has changed hands several times over the years. It’s no secret that Yahoo has fallen on hard times.
With an aging infrastructure and a technical support team that seems to be constantly scrambling to patch one serious security problem after another, while still trying to recover from the data breach that compromised 500 million Yahoo user accounts, Yahoo more resembles a dying enterprise than the thriving Yahoo that once ruled the early days of the Web in the mid-1990s.
Here are some interesting facts about Yahoo’s security… or lack thereof… that all Yahoo users need to know.
January 19, 2016
Yahoo Mail Stored XSS Vulnerability
https://klikki.fi/adv/yahoo.html
A stored XSS vulnerability in Yahoo Mail was patched earlier this month. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to e.g. compromise the account, change its settings, and forward or send email without the user’s consent.
We provided Yahoo with a proof of concept email that would forward the victim user’s inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits “in the wild”.
The bug has affected all versions of Yahoo’s webmail but not the mobile app…
September 16, 2016
Yahoo says 500 million accounts stolen
http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/
Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.
The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.
Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.
The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.
Yahoo reportedly downplayed security for years
https://www.engadget.com/2016/09/28/yahoo-reportedly-downplayed-security/
That massive Yahoo hack might have been less of a one-off disaster and more a symptom of larger, systemic problems with security at the internet pioneer. New York Times sources claim that Yahoo made security a relatively low priority for years, prioritizing convenience when possible and reacting only after serious incidents (such as bug bounties following an account breach in 2012). Reportedly, the company even skipped out on safeguards that are considered virtually mandatory in many places — CEO Marissa Mayer rejected a password reset out of concern that it would drive users away from Yahoo Mail.
December 8, 2016
Yahoo Mail Stored XSS Vulnerability #2
https://klikki.fi/adv/yahoo2.html
A security vulnerability in Yahoo Mail was fixed last week. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things.
The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required.
The impact of this bug was the same as in the last year’s (January 2016) stored XSS case.
As a proof of concept I supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user’s inbox contents and send it to the attacker’s server. Also the “signature virus” payload from last year would have worked.
The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016. Yahoo awarded a bounty of $10,000 for the finding.
The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.
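Both advisories above describe the same root cause: HTML in an incoming message reached the browser with script and event-handler attributes intact. The added example below is not Yahoo’s or Klikki’s code; it is an allowlist-based sanitizer of the kind a webmail client must apply to every message body before rendering it, run on a constructed sample message. Tag and attribute allowlists are assumptions chosen for the demonstration.

```javascript
// Added example: allowlist sanitizer for HTML email bodies. Every tag is
// re-emitted only if its name and attributes are on the allowlist; all
// other markup is escaped to text, so the browser never evaluates it.
// (Assumed allowlists; a production client would use a full HTML parser.)
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "a", "div", "span", "img"]);
const ALLOWED_ATTRS = { a: ["href"], img: ["src", "alt"] };
const SAFE_URL = /^(https?:|mailto:)/i;  // positive match required for href/src

// Escape characters that could open a tag or break out of an attribute.
// "&" is left alone: entities in text decode to characters, not markup.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuild one tag from its name and raw attribute string, dropping every
// attribute that is not allowlisted (this removes all on* handlers, style,
// and any URL that is not http(s) or mailto).
function rebuildTag(closing, name, attrStr) {
  name = name.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return "";
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let out = `<${name}`;
  for (const m of attrStr.matchAll(attrRe)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(attr)) continue;
    if ((attr === "href" || attr === "src") && !SAFE_URL.test(value.trim())) continue;
    out += ` ${attr}="${escapeText(value)}"`;
  }
  return out + ">";
}

function sanitizeHtml(html) {
  // Remove well-formed script/style elements with their bodies first; an
  // unterminated <script> falls through and is escaped as plain text below.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    out += rebuildTag(m[1] === "/", m[2], m[3]);
    last = tagRe.lastIndex;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample message body carrying the three things a webmail
// client must never render: an inline script, an event handler, a script URL.
const SAMPLE_EMAIL_BODY = '<p>Hi <b>Lee</b></p><script>run()</script>' +
  '<img src="https://example.com/a.png" onerror="run()"><a href="javascript:run()">x</a>';
```

Rendering `sanitizeHtml(SAMPLE_EMAIL_BODY)` instead of the raw body leaves the formatting and the image but no executable content; the same check applies to signature blocks, which the advisories’ “signature virus” relied on.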
Privacy
(From https://en.wikipedia.org/wiki/Yahoo! )… Protest against the mass surveillance by the NSA
In September 2013 The Indian Express reported that Yahoo received 29 thousand requests for information about users from governments in the first six months of 2013. Over 12 thousand of the requests came from the United States.[113]
In October 2013, The Washington Post reported that the U.S. National Security Agency intercepted communications between Yahoo’s data centers, as part of a program named MUSCULAR.[114][115]
In late January 2014, Yahoo announced on its company blog that it had detected a “coordinated effort” to hack into possibly millions of Yahoo Mail accounts. The company prompted users to reset their passwords, but did not elaborate on the scope of the possible breach, citing an ongoing federal investigation.[116]
On March 29, 2012, Yahoo announced that it would introduce a “Do Not Track” feature that summer, allowing users to opt out of Web-visit tracking and customized advertisements.[119] However, on April 30, 2014, Yahoo announced that it would no longer support the “Do Not Track” browser setting.[120]
According to a 2008 article in Computerworld, Yahoo has a 2-petabyte, specially built data warehouse that it uses to analyze the behavior of its half-billion Web visitors per month, processing 24 billion daily events.[121] In contrast, the United States Internal Revenue Service (IRS) database of all United States taxpayers weighs in at only 150 terabytes.[121]
In September 2016, it was reported that data from at least 500 million Yahoo accounts was stolen in 2014.[122] In October 2016, Reuters reported that in 2015, Yahoo! created software to search their customers’ e-mail at the request of the NSA or FBI.[123] …
How much longer will Yahoo users tolerate Yahoo’s apparent disregard for its users’ privacy? How many more serious breaches of its users’ security is it going to take before Yahoo users abandon this sinking ship?
Yahoo’s spam filters block our newsletters and other legitimate emails, while allowing spam, email from hackers and the infected emails that have already seriously compromised user privacy and security.
How many people have had their personal lives violated and/or sustained financial losses due to Yahoo’s inability to protect its users?
The breaches of Yahoo users’ security we cited above are not minor breaches. Indeed they are very serious breaches, and they all went undetected for an unacceptable period of time.
Is Yahoo’s lack of concern for its users’ security due to a lack of financial resources… or just a lack of corporate concern?
If you use Yahoo, how much longer are you going to take a chance with Yahoo? How much are you going to bet that Yahoo will finally shore things up and protect its users at least as well as its competitors, Gmail and Outlook.com? We urge you to delete your Yahoo accounts and replace them with Gmail or Outlook.com.
See this page for help with deleting your Yahoo account. On this page you’ll see that Yahoo tries to convince you that there are other ways to deal with Yahoo’s continuing security issues, even going so far as to intimate that all these problems can be solved if users would only use a strong password. While we totally agree that everyone should use a strong password, many of Yahoo’s security problems have nothing to do with users’ passwords.
What is your opinion of the potential Microsoft/Yahoo merger?
I think it’s possibly an attempt by Microsoft to get every webmail service
they can get their hands on, to form a webmail monopoly under Outlook.com
What else at Yahoo could Microsoft be interested in controlling?
Thanks! I deleted my Y account, minutes after reading your post.
Does this affect Yahoo Groups?
Thanks
All of this Yahoo business scares me. AT&T/U-verse uses Yahoo and I am rather stuck having AT&T as my Internet provider. My email goes through Yahoo and is forwarded to my Outlook program … I do also have a gmail address but it’s still AT&T who provides my internet. Do I have that right? Yikes!
It’s not AT&T that has security problems, it’s Yahoo Mail. If you get Gmail via an AT&T connection, the security is Gmail not AT&T.
T.C. – My purpose in posting is not to dispute all or any part of your article but merely to relate my personal experience. I have been with ATT (formerly BellSouth), who uses Yahoo web mail, for over twenty years. I’ve had so very few problems with it that the exact number escapes me. Since ATT uses them as their default carrier they are obligated to support it as part of the service for which I pay. This is, of course, contrary to GMail and I assume others. Yes, I have GMail accounts and have had very good service from them. The point that I am making here is that one is supported by the ISP and the other is self-help only. It would be interesting to know the approximate percentage of your total viewers that have had a problem with Yahoo, problem defined as not an end user initiated difficulty.
Muriel, in her post, mentioned Outlook.Com. Many years ago when I was still using Windows as my OS, I used MS Outlook as my e-mail client. I, and many of my colleagues, experienced ongoing problems with Outlook. Some were genuine problems, others were end-user oriented. I sincerely hope that, no matter which direction Yahoo goes, that it does not end up in the Microsoft portfolio. If so, it would be my opinion that it would be yet another — how can I say this —– ‘Microsoft experience.’ Hope that you have a nice day.
Lee, you would not know if your account was hacked and your personal emails were read. The hackers don’t announce they’ve hacked you. Earlier this year, hackers did post a list of hacked passwords — about 500 million of them. So I’m not sure how you can say you have no problems. We can tell you for a fact that AT&T users don’t get all of their email.
Muriel was referring to Outlook.com not Microsoft Outlook the email client.
Thanks,
TC
T.C. – Thanks for your timely response. There are a number of warning signs that any user can easily detect to let them know if their account has been violated. As you said, I do not have proof at this time that my account has been hacked. However, there are no warning signs at this time. As for what the future holds, well, I suppose that we will all have to deal with it as we see fit, as it should be.
And, yes, I did understand that Muriel was referring to Outlook.Com, not Outlook. There is a vast difference between the two but for the benefit of your viewers I’m glad that you mentioned that difference. I’m sure that it was helpful to them.
Well, Lee, let me put it another way… 500 million Yahoo accounts were hacked in 2014 and for 2 years Yahoo kept it secret and most users were not aware that their passwords were stolen. So if 500 million users didn’t know their passwords were stolen two years ago, that’s pretty good proof that most users would never know their accounts were compromised.
I’m not aware of any “easy” warning signs that would tip a user off that their password had been stolen. I mean, you would think if it it were that easy to know if you’d been hacked, surely more than a handful of these half a billion Yahoo users would have been up in arms for the last two years, yet I’m not aware of any mass complaints from Yahoo users that were hacked in 2014 and didn’t know it until 2016.
If you have easy ways to tell if you’ve been hacked, please pass them along to our readers and to companies like Yahoo and Microsoft – I’m sure they’d be fascinated for easily detecting when accounts have been hacked. Maybe you’re on to something here. Also, most of the half billion Yahoo users whose accounts were compromised could have benefited from your easy detection methods -as could many companies, and us too! Please do share with us.
I followed instructions, however, Yahoo would not terminate. Any suggestions?
Thank you so much. I tried a while back to terminate, but got such a run around I gave up. Your instructions worked easily and perfectly. My sincere gratitude for this info.
How does this affect sbcglobal.com, att.com? Aren’t these affiliated with Yahoo?
I had closed my Yahoo account after I read your articles about all the bad things there quite a while ago and I am not sorry!
My ISP is Rogers. Rogers uses Yahoo for its web mail. Not sure what to do about Yahoo. I think I’ve been getting all my mail except InfoAvePremium. Had not received your weekly newsletter since mid-Oct until yesterday when surprisingly it arrived. I had been reading it on the web.
Not getting your mail is just one of the problems with Yahoo. One billion Yahoo accounts were hacked. You’re not bound, anymore, to using your ISP’s email system. You have choices. You can use Gmail and get mail in your email program, or get it on the web. If you don’t like Gmail for some reason, you can use Outlook.com (Hotmail, Live.Com, MSN.com, etc). Doesn’t make any sense to continue using a company that is either incapable of providing security for their users – or just doesn’t care. I’m not sure why you’d continue to use them. If you’re not getting our newsletter, you’re also not getting other important mail. Not only is Yahoo just plain not secure, it’s the worst of the email providers – by far.
The daily newsletter is not the problem. I changed address for it some time ago. It comes faithfully. It is the weekly newsletter I have a problem with. Have tried twice to switch over to gmail. It still comes via Rogers when it comes.
How can I switch my important saved emails over to somewhere else?? I just do not like all the advertisements on Google. I do not know where to go?? And how do I move my emails?? This is very important to me.
Google has fewer ads than Yahoo – by far. Plus, you can set up your Gmail account to work with your email program (like Thunderbird) with no ads at all. If you have important mails you can download them using an email program, or forward them to your new email account.