ProtonBlog
Subscribe by RSS

Proton Mail security advisory regarding Yahoo Hack

Proton Team

Share this page

Confirming what was long suspected by the security community(new window), Yahoo has confirmed a massive breach(new window) of over 500 million email accounts, including both credentials and security questions.

October 4, 2017 Update: Yahoo now confirms that the hack impacts 3 billion accounts(new window), and not the 1 billion or 500 million that was previously reported.

Email’s changing threat model

In the past couple years, the increasing number of high profile email hacks(new window) have clearly demonstrated that the threat model for email has changed dramatically. While previously there was a reasonable expectation of security and privacy with email communications, now it is becoming fairly evident that most email systems are simply not capable of protecting user data. However, email is still an essential part of our lives, an integral part of our digital identity.

At Proton Mail, we are addressing this problem by taking a completely different approach to email security compared to every other major email provider. We have a different threat model, where our starting assumption is that a security breach is inevitable, and we have designed our entire architecture around that premise. This is because in our view, the existing paradigm of cyberdefense, which is “keep the bad guys out,” is a failed approach.

There are a multitude of methods through which server security can be breached, and an attacker only needs to exploit a single vulnerability once, while a service provider on the other hand must constantly mount a successful defense against all attack vectors. In short, cybersecurity is a form of asymmetric warfare which decisively favors the attackers, and as we have seen time and time again, even sophisticated tech companies with competent security teams such as Linkedin(new window) and Yahoo have been breached. Thus, it is safe to assume that all services will eventually be breached. By definition, it simply isn’t possible to have 100% security.

This is the reason Proton Mail was designed from the ground up with end-to-end encryption. If the working assumption is that servers storing data will eventually be breached, the next best option is to not have data in the first place. By encrypting customer emails on the client side before they reach Proton Mail servers, Proton Mail does not have the ability to decrypt any of the emails stored on our systems. Thus, in the event of a compromise, it is not possible for attackers to steal something that we don’t have, that is, the mailbox password and contents of your messages.

We believe that in the current rapidly deteriorating cyber environment, with the rise of more numerous and capable state-backed actors(new window), end-to-end encryption is the only viable approach to data security. While we are confident in the approach we have taken, Proton Mail does not exist in a bubble, and in today’s interconnected world, the Yahoo breach does have significant consequences for a proportion of Proton Mail users.

What to do if you are an Yahoo user

If you have ever had an Yahoo account in the past, there are three steps that you should take immediately.

1. Change your password and security questions

It is prudent to assume that ALL Yahoo passwords are now compromised, especially since some Yahoo passwords were stored with the insecure MD5 hash. Furthermore, we know that the Yahoo breach also leaked security questions and answers. This means if you used the same passwords and security questions from your Yahoo account on other accounts, you should immediately change those passwords and security questions. We recommend never using the same password between services.

2. Unlink your other online accounts from Yahoo

Finally, because Yahoo is a major email provider, if you have signed up for any other service using your Yahoo account, your accounts at those other services may also be compromised. This is because the email address used to register for a service can usually also be used to recover a forgotten password. This means an attacker who has access to your Yahoo account also has access to all your other accounts which were registered using your Yahoo account.

Because Yahoo is most likely fully compromised, you should unlink all of your other online accounts from Yahoo. For example, if you signed up for Facebook using Yahoo, you should change the email address in your Facebook account to a different email address.

If you are Proton Mail user, be aware that we allow account recovery via email. If your recovery address is from Yahoo, then this means a compromise of your Yahoo address could also lead to a compromise of your Proton Mail account! We recommend changing your recovery email address to a non-Yahoo address, or removing the recovery address entirely.

Note, even if your Yahoo account is compromised, and was used to reset your Proton Mail login password, your Proton Mail messages are still protected. This is because Proton Mail uses end-to-end encryption, which means resetting your password is not sufficient to gain access to your already encrypted messages.

3. Delete your Yahoo account

Given Yahoo’s abysmal track record when it comes to security, and the fact that Yahoo has previously willingly abetted and assisted government mass surveillance efforts(new window), Yahoo is not a company that should be trusted with your personal data and communications.

To protect yourself from identity theft, the disclosure of sensitive personal communications, and other threats, you can simply remove this vulnerability by deleting your Yahoo account. This is something that we strongly recommend doing, especially since there exists other more secure Yahoo Mail alternatives such as Proton Mail which are also available for free.

With these steps, you can protect your private email communications and your entire digital life from suffering any ill effects as a result of the Yahoo hack. If you are a business owner, we also recommend checking out our guide on how to prevent email hacking(new window).

You can get a free secure email account from Proton Mail here(new window).

We also now provide a free VPN service(new window).

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support!

Protect your privacy with Proton
Create a free account

Related articles

Hackers use various methods to crack passwords, and one of them is the rainbow table attack. In certain cases, this method can be faster than dictionary attacks or credential stuffing. In this article, we explore how rainbow table attacks work and d
The more personal information we share on the internet, the greater the privacy risks that make us vulnerable to identity theft. This issue affects millions globally, impacting people financially and personally, with over 24 million victims in 2021 i
Ensuring HIPAA compliance is crucial for any healthcare business that handles sensitive patient information. Failing to use HIPAA-compliant services, such as email, can result in severe consequences, including hefty fines and legal repercussions. If
The email addresses and other sensitive information of 918 British MPs, members of the European Parliament, and French deputies and senators have been leaked to dark web marketplaces where data is illegally bought and sold. As part of our investigati
Email threads are so ubiquitous you might not realize what they are. An email thread is basically a series of related emails grouped together.  This article will tell you everything you need to know about what exactly an email thread is and when you
Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data.