It’s Time to Close Your Yahoo Accounts
Yahoo has been a failing company for more than a decade. They’re the foster child nobody seems to want. Yahoo’s ownership has changed hands several times over the years. It’s no secret that Yahoo has fallen on hard times.
With an aging infrastructure and a technical support team that seems to be constantly scrambling to patch one serious security problem after another, while still trying to recover from the data breach that compromised 500 million Yahoo user accounts, Yahoo more resembles a dying enterprise than the thriving Yahoo that once ruled the early days of the Web in the mid-1990s.
Here are some interesting facts about Yahoo’s security… or lack thereof… that all Yahoo users need to know:
January 19, 2016
Yahoo Mail Stored XSS Vulnerability
We provided Yahoo with a proof of concept email that would forward the victim user’s inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits “in the wild”.
The bug has affected all versions of Yahoo’s webmail but not the mobile app…
September 16, 2016
Yahoo says 500 million accounts stolen
Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.
The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.
Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.
The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.
Yahoo reportedly downplayed security for years
That massive Yahoo hack might have been less of a one-off disaster and more a symptom of larger, systemic problems with security at the internet pioneer. New York Times sources claim that Yahoo made security a relatively low priority for years, prioritizing convenience when possible and reacting only after serious incidents (such as bug bounties following an account breach in 2012). Reportedly, the company even skipped out on safeguards that are considered virtually mandatory in many places — CEO Marissa Mayer rejected a password reset out of concern that it would drive users away from Yahoo Mail.
December 8, 2016
Yahoo Mail Stored XSS Vulnerability #2
A security vulnerability in Yahoo Mail was fixed last week. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things.
The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required.
The impact of this bug was the same as in the last year’s (January 2016) stored XSS case.
As a proof of concept I supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user’s inbox contents and send it to the attacker’s server. Also the “signature virus” payload from last year would have worked.
The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016. Yahoo awarded a bounty of $10,000 for the finding.
The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.
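Both stored XSS reports above come down to the same defensive failure: the webmail renderer displayed attacker-supplied HTML without neutralising the parts that can execute script, so merely viewing a message ran the sender's code in the victim's session. The following is an added example, not code from this post, from Yahoo or from Jouko Pynnönen's reports, of the kind of allow-list HTML sanitiser a webmail client has to apply before rendering a message body. It uses only Python's standard library; the class and function names (`EmailHtmlSanitizer`, `sanitize_email_html`, `safe_url`) and the sample message are constructed for the example. Script and style elements are dropped with their contents, every `on*` event-handler attribute is removed, and `href`/`src` values are kept only when they carry an `http`, `https` or `mailto` scheme.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: tags a message body may keep. Anything not listed is stripped,
# but its text content survives.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span",
                "ul", "ol", "li", "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th"}
# Elements whose inner content is dropped together with the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allow-list; no tag may keep "style" or any on* handler.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept only absolute http(s)/mailto URLs; javascript:, data:, vbscript: etc. are rejected.
    urlparse strips tabs/newlines first, so obfuscated 'java\\tscript:' is still caught."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1  # track nesting so we resume at the right close tag
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text is still emitted via handle_data
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                continue  # event handlers are never allowed
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.parts.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped on output, so entities in the source cannot smuggle markup.
        if not self.drop_depth:
            self.parts.append(escape(data, quote=False))


def sanitize_email_html(html):
    sanitizer = EmailHtmlSanitizer()
    sanitizer.feed(html)
    sanitizer.close()
    return "".join(sanitizer.parts)


# Constructed sample message mixing legitimate markup with the patterns the
# sanitiser must remove (script element, on* handler, javascript: link, style).
SAMPLE_EMAIL = (
    "<p>Hello!</p>"
    "<script>run()</script>"
    '<img src="https://cdn.example.test/logo.png" alt="logo" onerror="run()">'
    '<a href="javascript:run()">click</a>'
    '<a href="https://www.example.test/" title="ok">safe link</a>'
    '<div style="x">1 &lt; 2</div>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL))
```

Two design choices are worth noting. The sanitiser rebuilds the output rather than deleting known-bad fragments from the input, so a tag or attribute the author never thought of is dropped by default rather than let through. It is also deliberately conservative on links: relative URLs, which have no scheme, are rejected along with `javascript:` and `data:` ones, because a message body has no legitimate base to resolve them against.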
(From https://en.wikipedia.org/wiki/Yahoo! )
… Protest against the mass surveillance by the NSA
In September 2013 The Indian Express reported that Yahoo received 29 thousand requests for information about users from governments in the first six months of 2013. Over 12 thousand of the requests came from the United States.
In October 2013, The Washington Post reported that the U.S. National Security Agency intercepted communications between Yahoo’s data centers, as part of a program named MUSCULAR.
In late January 2014, Yahoo announced on its company blog that it had detected a “coordinated effort” to hack into possibly millions of Yahoo Mail accounts. The company prompted users to reset their passwords, but did not elaborate on the scope of the possible breach, citing an ongoing federal investigation.
On March 29, 2012, Yahoo announced that it would introduce a “Do Not Track” feature that summer, allowing users to opt out of Web-visit tracking and customized advertisements. However, on April 30, 2014, Yahoo announced that it would no longer support the “Do Not Track” browser setting.
According to a 2008 article in Computerworld, Yahoo has a 2-petabyte, specially built data warehouse that it uses to analyze the behavior of its half-billion Web visitors per month, processing 24 billion daily events. In contrast, the United States Internal Revenue Service (IRS) database of all United States taxpayers weighs in at only 150 terabytes.
In September 2016, it was reported that data from at least 500 million Yahoo accounts was stolen in 2014. In October 2016, Reuters reported that in 2015, Yahoo! created software to search its customers’ e-mail at the request of the NSA or FBI. …
How much longer will Yahoo users tolerate Yahoo’s apparent disregard for its users’ privacy? How many more serious breaches of its users’ security is it going to take before Yahoo users abandon this sinking ship?
Yahoo’s spam filters block our newsletters and other legitimate emails, while allowing spam, email from hackers and the infected emails that have already seriously compromised user privacy and security.
How many people have had their personal lives violated and/or sustained financial losses due to Yahoo’s inability to protect its users?
The breaches of Yahoo users’ security we cited above are not minor breaches. Indeed they are very serious breaches, and they all went undetected for an unacceptable period of time.
Is Yahoo’s lack of concern for its users’ security due to a lack of financial resources… or just a lack of corporate concern?
If you use Yahoo, how much longer are you going to take a chance with Yahoo? How much are you going to bet that Yahoo will finally shore things up and protect its users at least as well as its competitors, Gmail and Outlook.com? We urge you to delete your Yahoo accounts and replace them with Gmail or Outlook.com.
See this page for help with deleting your Yahoo account. On this page you’ll see that Yahoo tries to convince you that there are other ways to deal with Yahoo’s continuing security issues, even going so far as to intimate that all these problems can be solved if users would only use a strong password. While we totally agree that everyone should use a strong password, many of Yahoo’s security problems have nothing to do with users’ passwords.