Here’s the article GSWS has submitted for the San Diego County Optometric Society November 2016 newsletter (The San Diego View) ‘The Tech Corner’.
DO/DID YOU YAHOO?
By Dave Tuckman from Golden State Web Solutions, Inc. (www.GSWS.com)
Back in August, Yahoo formally announced that their email service had been hacked. The disclosure was the responsible thing to do, but the list of details they DIDN’T disclose is pretty long – and makes the whole incident much more serious. This month’s article covers the details that haven’t been covered as much, and that you should definitely be aware of, especially if you use (or used) their email service at some point in time. Needless to say, we recommend switching to an email service provider other than Yahoo.
- THE HACK ORIGINALLY OCCURRED IN 2014
Yahoo! publicly announced the breach in 2016. That alone sounds respectable, but not when you learn they were aware of the situation 2 years earlier. That means people continued to use (and trust) their service with potentially private information for up to 2 years before they were made aware of the situation. That non-disclosure most likely led to other issues (bank account info, passwords, private info, etc.) in their account users’ lives. This makes the issue about more than just the email account itself.
- THE AMOUNT OF ACCOUNTS AFFECTED WAS GROSSLY UNDER-REPORTED
When Yahoo! disclosed the breach, it was initially reported as 200 million accounts compromised. That number was revised to 500 million accounts over the following couple of days. 500 million alone is a huge number, but it was still a grossly under-reported count. By the time the dust settled, the accurate number was revised to be over 1 billion. 1 billion accounts makes this the largest hack in the Internet’s history.
- REQUESTS & RECOMMENDATIONS TO IMPROVE SECURITY WERE DENIED
Dating back to 2010, Yahoo! got hacked, along with other email providers at the time (one being Google). This was a separate incident, but Google was quick to make security a top priority. Yahoo! was much slower to act, if it acted at all. Over the years, Yahoo!’s security team repeatedly requested additional resources to improve the security of their services but were continually denied, over fears it might have ‘a negative effect on their users’ experience’. This led to sub-standard security, ultimately resulting in the breach we are covering in this article.
- YAHOO HAS BEEN SPYING ON YOU
It has now been disclosed that Yahoo! built a custom software program to secretly scan all of its users’ emails for specific information, and the results were provided to the US Government. The tool was built in 2015 after the company complied with a secret court order to scan hundreds of millions of mail accounts at the behest of either the NSA or the FBI. The email search tool was so secretive that even Yahoo’s own security team was unaware of the program. When Yahoo’s CISO at the time, Alex Stamos, found out CEO Mayer had authorized the surveillance program, he resigned from the company, telling his subordinates that “he had been left out of a decision that hurt users’ security.” Stamos now works for Facebook.
- YAHOO! MAIL DISABLED AUTO-FORWARDING, MAKING IT HARDER TO LEAVE
Last month, Yahoo! disabled the ability to forward your email to a different account. No reason in particular was given other than the statement ‘this service is under development’. Keep in mind, forwarding isn’t complicated – it simply takes a copy of an email and sends it to another account. In plain English, this means they acknowledge their services are insecure, but have decided to make it that much more difficult for their users to switch to a different/secure service.
* UPDATED 10/14/2016 – it was reported on 10/14/2016 that Yahoo has re-enabled email forwarding after ‘platform upgrades’. Updated info was posted on ZDNet.
Got questions, or would like additional information?
You can reach Dave directly at (619-905-4468) or email (SDCOS@GSWS.com).