It’s been a tough year for Yahoo, but following news of another breach of customer accounts—the biggest ever—many consumers are asking if it’s time to stop using popular Yahoo services such as Yahoo Mail, Yahoo Finance, Flickr, and Tumblr.
In September, Yahoo confirmed rumors of a breach of 500 million user accounts in 2014, the largest breach up until then. News then broke in October that Yahoo assisted the U.S. government in searching another 500 million user accounts without the account owners’ permission. And on Wednesday, Yahoo acknowledged that credentials for more than 1 billion accounts had been stolen in 2013—topping its own record for the biggest breach ever. It’s not clear how many accounts or actual users were affected by a combination of these three events.
These revelations raise many concerns, including whether Yahoo could be trusted to keep its user information safe from hackers.
“‘What should users do?’ is the key” question to ask at this point, says Davi Ottenheimer, a leader on Yahoo’s security team known as the Paranoids from 2006 to 2007.
READ MORE ON YAHOO
Opinion: Massive Yahoo breach highlights why to hit ‘delete’
How to dump your Yahoo, Flickr, and Tumblr accounts
How to recover from a Tumblr hack
Why Yahoo should have fought the NSA like Apple fought the FBI
“Users should look for signals of trust. My role as a Paranoid was to give people trust and build those relationships,” says Ottenheimer, the founder and president of cybersecurity consultancy Flying Penguin. He publicly declared in 2014 that he was shutting down his Yahoo accounts, following what he describes as a turn away from transparency at the company.
“At a time when people want trust, they’re making it hard for people to feel comfortable about leaving,” he says. “I think [users] should get out until they feel comfortable to get back in.”
Yahoo did not return a request for comment.
In his blog post about the latest breach, Bob Lord, Yahoo’s chief information security officer, said company employees have been “notifying potentially affected users and have taken steps to secure their accounts,” and that the company is “working closely with law enforcement.” Affected information includes “names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.”
Unencrypted passwords, payment card data, and bank account information were not part of the stolen information, Lord wrote.
A big part of the problem that Ottenheimer and Avivah Litan, vice president and analyst at Gartner Research, describe is that Yahoo simply isn’t willing to invest in security.
“They’re not the only company with bad security, but honestly, this is at the level of a national emergency,” Litan says. “Between China and Russia and regular cybercriminals, unless you’re really focused on security, and you have a lot of resources to spend, you don’t stand a chance.”
Yahoo’s inability to keep its user data safe from hackers reflects a company struggling on multiple fronts. Talented engineers and executives have been fleeing the company. Verizon, which announced a $4.8 billion deal to purchase most of Yahoo’s assets in July, is now rumored to be reconsidering the arrangement—or at least renegotiating it. And at the center of it all is Yahoo’s treasure trove of user data, an appealing target for hackers who can turn log-in credentials and the data they protect into identity theft; credit card theft; corporate espionage, as in the case of Sony Pictures; and damaging email leaks, as occurred this year in the U.S. election.
“The bigger threats, the nation-state threats—they’re collecting as much information as they can on all Americans,” Litan says. “They may steal 80 million records just to get to three people.”
Yahoo’s external troubles reflect internal discord over prioritizing user security and privacy, according to a former Yahoo engineer familiar with how the company secures its products and services.
“Yahoo is not safe to use. Their innovation is gone, even from a nonsecurity standpoint. But from a security standpoint, do not touch Yahoo,” says the former engineer, who spoke to The Parallax on condition of anonymity. He is currently employed as a security software engineer.
Change coming to Yahoo? Not anytime soon
Because the breaches occurred in 2013 and 2014, there’s a possibility that Yahoo has improved its security since then. But that’s not likely because, when it comes to security, the company appears “basically the same as they looked 4 or 5 or 10 years ago,” says Robert Hansen, CEO of intelligence and analysis firm OutsideIntel.
“But in reality, there’s a lot of technical debt that’s piling up in that company, and more and more things are decaying, and not enough new innovation is focused on users’ data intermingling with their systems,” he says.
That sentiment reflects the security atmosphere at the company, according to the ex-Yahoo engineer. He says developers from other parts of the company routinely do an end-run around the security team—and with good reason, from a developer’s point of view.
“People were actively circumventing their policies because they were so slow,” he says. “There never were any active investigations or auditing.”
Ottenheimer says the Paranoids are supposed to be “roadblocks” who “abide by transparency and integrity.” When he joined the team, he says, the bar for entry was, “You had to understand users. You had to be a roadblock to protect user safety.”
Once integrity is gone, Ottenheimer adds, “it seems to be impossible to get it back.”
But until Yahoo users start leaving in larger numbers than they currently have been, Hansen doesn’t think that the company will significantly change its practices to protect its users.
“I think a few people are going to leave Yahoo, but they were going to leave, anyway,” Hansen says. “I bet not even 1 percent of users will leave Yahoo permanently because of this breach.”
Next steps for consumers
For users notified by Yahoo as being part of the latest breach, options are limited. Affected users can back up data, migrate it to another service, then delete the Yahoo account. Users who choose to stay with Yahoo can tighten their account security by activating two-factor authentication, as advised in an opinion by Jeremiah Grossman, chief of security strategy for SentinelOne. Experts also recommend keeping track of credentials with a password manager, with the understanding that, as cloud-based services, they can be hacked too.
Without more information, Litan says it’s “unfair” to blame Yahoo entirely for its security problems, and that we can expect more large-scale breaches in the foreseeable future.
“We have armed forces in air and sea and land, but not cyberspace,” she says. “I don’t know what we need before the country wakes up, but I don’t have hope that things are going to change soon.”