To paraphrase Oscar Wilde: to have all of your user accounts hacked once may be regarded as a misfortune, but to have it happen again looks like gross carelessness. Yahoo not only announced that the details of one billion user accounts had been stolen by unknown hackers in August 2013, but it really didn’t know how they did it.
All of that data (including my own account details) has been for sale on the dark web where it may have been sold at least 3 times to spammers and cyber criminals for US $300,000 a time.
In Yahoo’s defence, they may now be taking security more seriously than they did at the time of the hacks. Yahoo’s CEO Marissa Mayer allegedly did not place a high priority on security after she joined, preferring instead to spend money on moving the company’s platforms to mobile.
That lack of interest has come back to bite her as it is now jeopardising the sale of Yahoo’s major assets to Verizon. Verizon was already in the process of asking for the sale price to be reduced by US $1 billion after the news of the first hack was released. It is certain that it will go back and ask for substantially more to be taken off the price as a result of the second hack.
It is likely that Verizon will go ahead with the deal as it is more interested in the sites that Yahoo is selling, including Yahoo News, Yahoo Sports and Yahoo Finance. Still, email users generate a large amount of the traffic to its sites and are therefore responsible for a large part of its advertising revenue. This is a good thing for Yahoo because it will, in all likelihood, be losing email users rapidly after this latest hack. Verizon also potentially faces ongoing litigation from users and other companies suing the company for Yahoo’s past mistakes.
The exact number of active Yahoo email accounts is not public. There are estimates that the total number may be about 280 million accounts. Yahoo also provided email services to other companies like Sky in the UK where, ironically, Sky’s FAQ assures users that Sky Yahoo! Mail is absolutely safe and secure.
Given Yahoo’s past security history, and the uncertainty surrounding what Verizon will do with the service if the sale goes ahead, Yahoo email users should really be looking to switch to another email provider like Google, Microsoft or Apple. Contrary to advice being given by some experts, it is relatively easy to migrate from Yahoo Mail to another service. But as also detailed, some preparation is needed to check if the account is needed for services that the email address might have been used for. Contacts can be emailed and told of the change of address, and an automatic reply put on the original Yahoo email address for a couple of weeks before deleting it.
Once users have followed instructions for deleting a Yahoo email account, the actual details of the account won’t be cleared from Yahoo’s database for 90 days and even then, Yahoo may retain some information. So even deleting an account doesn’t quite protect current users from future breaches. And if you followed the advice I gave in my last article about Yahoo and switched on Yahoo’s Account Key service, you will have to disable that before terminating the account.
Deleting an account won’t make any difference to the spammers or cyber criminals who already have those details. They will be able to use the recovery email and mobile phone to deliver spam and phishing attacks. This is the real cost of these sorts of mistakes or plain incompetence on the part of organisations like Yahoo. Given how central email is to the security of online lives, companies providing email need to be held to a higher standard of security, especially if it can be shown that those standards were not particularly good. In the US, the Federal Trade Commission has prosecuted companies for data breaches in the past, something it perhaps should be looking to do with Yahoo now?