ProtonMail Security Advisory Regarding Yahoo Hack

Confirming what the security community had long suspected, Yahoo today announced a massive breach of over 500 million email accounts, including both credentials and security questions. This is a major security incident that also has consequences for certain ProtonMail users, so we are putting out this important security advisory.

At the time of writing, we have no signs that any ProtonMail accounts were compromised as a result of the Yahoo hack. By design, ProtonMail takes a completely different approach to email security when compared to every other major email provider. Our starting assumption is that a security breach is inevitable, and we have designed our entire architecture around that premise. This is because in our view, the existing paradigm of cyberdefense, which is “keep the bad guys out,” is a failed approach.

There are a multitude of methods through which server security can be breached, and an attacker only needs to exploit a single vulnerability once, while a service provider, on the other hand, must constantly mount a successful defense against all attack vectors. In short, cybersecurity is a form of asymmetric warfare which decisively favors the attackers, and as we have seen time and time again, even sophisticated tech companies with competent security teams such as LinkedIn and Yahoo have been breached. Thus, it is safe to assume that all services will eventually be breached. By definition, it simply isn’t possible to have 100% security.

This is the reason ProtonMail was designed from the ground up with end-to-end encryption. If the working assumption is that servers storing data will eventually be breached, the next best option is to not have data in the first place. By encrypting customer emails on the client side before they reach ProtonMail servers, ProtonMail does not have the ability to decrypt any of the emails stored on our systems. Thus, in the event of a compromise, it is not possible for attackers to steal something that we don’t have, that is, the mailbox password and contents of your messages.

We believe that in the current rapidly deteriorating cyber environment, with the rise of more numerous and capable state-backed actors, end-to-end encryption is the only viable approach to data security. While we are confident in the approach we have taken, ProtonMail does not exist in a bubble, and in today’s interconnected world, the Yahoo breach does have significant consequences for a proportion of ProtonMail users.

In all ProtonMail accounts, it is possible to set a recovery email address that can be used to reset your login password. In the majority of ProtonMail accounts, users have enabled this option. Furthermore, a significant proportion of those recovery email addresses are Yahoo addresses. If your recovery address is a Yahoo address, a compromise of your Yahoo account could also lead to a compromise of your ProtonMail account!

It is prudent to assume that ALL Yahoo accounts are now compromised. Therefore, if you are a ProtonMail user with a Yahoo recovery address, we recommend that you take the following step immediately:

Go to Yahoo Mail, change your account password, and disable security questions.

This will secure your Yahoo Mail account, thereby securing your ProtonMail account. Alternatively, you may also wish to change your recovery email address to a different email address, preferably one that is not hosted at Yahoo.

Note that even if your Yahoo account is compromised and was used to reset your ProtonMail login password, your ProtonMail messages are still protected. This is because ProtonMail uses a separate mailbox password to protect your inbox. Thus, even if the login password layer is breached, the contents of your messages are still protected by the mailbox password. This additional security layer cannot be breached through your recovery address, even if that address is at Yahoo.
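To make the two-password design concrete, here is an added illustrative model (not ProtonMail’s code): the server keeps only a salted verifier of the login password plus ciphertext, while the mailbox key is derived on the client and never sent. A toy HMAC keystream cipher stands in for a real AEAD purely to stay within Python’s standard library; all passwords and the message are constructed sample values.

```python
# Illustrative two-password mailbox model (added example, not ProtonMail's code).
# The server verifies a login password but stores only ciphertext; the mailbox
# password never leaves the client. The HMAC keystream is a stand-in for an AEAD.
import hashlib
import hmac
import os

def kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation used for both the login verifier and the mailbox key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Client-side encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag rejects the key (fail closed)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong mailbox password or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    # Holds a login verifier and opaque ciphertext; never sees either password.
    def __init__(self, login_password: str, mailbox_salt: bytes, blob: bytes):
        self.mailbox_salt, self.encrypted_mailbox = mailbox_salt, blob  # salt is public
        self.set_login_password(login_password)
    def set_login_password(self, password: str) -> None:
        # Also the recovery path: a recovery-inbox holder can call this, but it
        # never touches the mailbox key or the stored ciphertext.
        self.login_salt = os.urandom(16)
        self.login_verifier = kdf(password, self.login_salt)
    def login(self, password: str) -> bool:
        return hmac.compare_digest(kdf(password, self.login_salt), self.login_verifier)

def recovery_takeover_demo():
    # Constructed scenario: recovery inbox compromised, login password reset by the attacker.
    mailbox_salt = os.urandom(16)
    mailbox_key = kdf("correct horse mailbox", mailbox_salt)  # derived on the client only
    server = Server("login-pw", mailbox_salt, seal(mailbox_key, b"constructed private message"))
    server.set_login_password("attacker-chosen-pw")  # reset via the recovery email
    attacker_logged_in = server.login("attacker-chosen-pw")
    attacker_plaintext = unseal(kdf("attacker-chosen-pw", mailbox_salt), server.encrypted_mailbox)
    return attacker_logged_in, attacker_plaintext, unseal(mailbox_key, server.encrypted_mailbox)
```

The demo returns a successful attacker login, `None` for the attacker’s decryption attempt, and the original message for the owner, which is exactly the separation the advisory describes.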

However, even if you do not use a Yahoo recovery address with your ProtonMail account, the Yahoo breach may still impact your ProtonMail account! You may be impacted if you have a Yahoo account, and your ProtonMail passwords are the same as your Yahoo password. This would apply to any other service you use where you share credentials with Yahoo. We recommend never using the same password between services. If you are using the same password as your Yahoo account with any other service, we recommend changing all those passwords immediately.

Finally, because Yahoo is a major email provider, if you have signed up for any other service using your Yahoo account, your accounts at those other services may also be compromised. This is because the email address used to register for a service can usually also be used to recover a forgotten password. This means an attacker who has access to your Yahoo account also has access to all your other accounts which were registered using your Yahoo account.

While the identity of the attackers who hit Yahoo is not known, keep in mind that Yahoo credentials have been offered for sale on the Darknet for at least 2 months now, so there is no telling how widely the leaked credentials might have been distributed. Thus, it is prudent to also change the passwords for all other services linked to your Yahoo address.

If you have any questions regarding this, you can reach us at support@protonmail.ch and we would be happy to assist. Our security team will continue to monitor developments and update all users as necessary. In the coming months, we will also continue to roll out more advanced technology to make ProtonMail’s email service even more secure.

Best Regards,

The ProtonMail Team

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.

 


64 comments on “ProtonMail Security Advisory Regarding Yahoo Hack”

    • Two-step verification has many flaws, especially if you use SMS, as often, if you are targeted by a hacker, they will call your phone company and get your SIM card changed to theirs so that they can get messages sent to them. It’s best to use hardware for verification, like a USB authentication key.

      Reply
      • USB authentication technologies, like those using the U2F standard, continue to rely on passwords as part of the authentication process, which is very dangerous and completely obsolete for data security. If you use a technology that still requires an ID and password combination for the login process—even with a required USB device as a second authentication factor—you are still inviting attacks on your login server, and your first authentication factor is still a prime target for attackers.

        https://www.secsign.com/usb-authentication-keys-tokens-bad-idea/

        Oops …

        Reply
      • That’s a slim chance to none. Doubt 99% of Yahoo worries need to worry about that.

        Better to still use Two-step verification even with its flaws. Nothing is perfect.

        I agree that SMS is not the preferred method, but it’s better than nothing. Authy and Google Authenticator seem to be the most popular choices.

        Reply
  • Incidents like this one really show how important it is to have two different passwords for a secure email account, one that logs in and one that is used to decrypt the messages.

    It is more time consuming to manage but worthwhile if one cares about security, thanks for explaining.

    Reply
  • Glad to see ProtonMail taking the necessary steps to alert their users of a security breach, even if it took place with a completely separate provider but still impacts users at ProtonMail.

    Keep up the excellent work, guys! I don’t know where I’d store my email if it weren’t for ProtonMail.

    Reply
  • I suggest that you completely dump Yahoo for anything that’s confidential and secured. Use ProtonMail for that. I use Yahoo for junk… especially when stores and online services want an email address before allowing a program download, or a store wants to send their emails to entice buying more. All junk, and it’s perfectly good for Yahoo.
    YaoooooHoooooooooo…..

    Reply
  • ProtonMail presently may not be compromised centrally, but until it enables 2-factor, password loggers can completely compromise it. Also, if we do not have a way to pin the JavaScript code (versus re-downloading it each time we log on or get an update), we can still be compromised.

    I hope ProtonMail adds a second factor like TrezorConnect, BitID, SQRL, or Authy SOON, or soon you will have government and private Trojans targeting ProtonMail users.

    Reply
  • Just to clarify for everyone: This wasn’t info on a hack that happened recently, this was the info on a hack that compromised millions of accounts over 2 years ago. Yahoo is just releasing the information on it now. Verizon recently bought out Yahoo, so maybe that’s why they just released it now. Maybe the original development team was trying to keep this a secret or something. So this actually isn’t anything new and it is probably already too late to start changing passwords over an attack that happened 2 years ago.

    Anyways, I am glad I don’t use Yahoo anymore. I think they are the #1 search engine/mail service that gets hit by attacks all the time.

    Reply
  • ProtonMail should not trust the recovery email alone; it should be followed with a recovery phone verification as well as part of the recovery procedure.
    This is ProtonMail’s weak spot.
    It does not matter if you have Yahoo, Gmail, etc.; once one of those is breached, the road to breaking Proton is shortened.

    Reply
  • Hi! Since you mentioned «…the current rapidly deteriorating cyber environment», it may not be completely off-topic to inquire how, if in anything, the security and anonymity of ProtonMail users is going to be affected by today’s approval by votation by the Swiss people of surveillance of electronic communication (inter alia) by the secret services of your country? Are you going to issue a statement and analysis of the new regulations and how they affect you and your users? Thank you!

    Reply
  • Many thanks for posting this alert. I dropped Yahoo over ten years ago due to all the spam that ended up in my in-box. Since then, I have tried two others before finally settling on another popular encrypted email service that has satisfied most of my email needs. However, recently one of my friends told me about ProtonMail which he uses 100% of the time……so I signed up for free ProtonMail as a test. I’m still learning the “Proton ropes” and now using it for my most private email needs as well as email between a few selected friends. Thanks again.

    Reply
  • So if I have 2 MSN email accounts that send my MSN mail to Yahoo mail, am I hacked????? I did read about this yesterday and made a password using numbers, letters (upper and lower case), etc.… a 22-length P/W. Will this work? I also changed the MSN email P/Ws and made them real long… Do you know how I can find out if there is a keylogger hiding on my system???? Thanks.

    Reply
  • I find it really cool that you guys take this so very seriously! Thank you very much for that.
    This makes me hope that you also have an answer to the question I’ve always had about ProtonMail on Android: since there the app doesn’t ask for any password and everything on Android is controlled/stored/backed up by/vulnerable to Google, I was wondering if a Google account hack would mean a ProtonMail account would be compromised via the Android app?

    Reply
  • Great response to what was all over the news…
    but, what is your response to the referendum on surveillance powers given to the security service of Switzerland by…’THE PEOPLE’…
    Your hosting location is Switzerland… any qualms about being snooped on ‘legally’ by the ‘State’…?

    In fact whatever your response… maybe time to move again…
    just when I thought I found a home…
    mali

    Reply
  • Wonderful, thank you for warning.

    By the way, I have one scenario in mind. For example, what if a cracker creates a browser add-on which will inject some code when the user is in ProtonMail and steal passwords? It can even have access to non-encrypted mails.

    Reply
  • Perfect, you are perfect, thank you.
    As others, I use Yahoo just for trash, it’s perfect for trash; when you think something is gonna send you marketing or other phishing stuff, use Yahoo, cause it’s very good for trash, but do not put any real data there, for this exists ProtonMail!
    Thank you guys, you’re awesome, it doesn’t matter if it was two years ago or yesterday! You matter and that counts a lot.

    Reply
  • I have recently switched to protonmail after using yahoo for quite some time as my primary.

    In the past I’ve used Hushmail, so I am familiar with encrypted email. I think it’s great you took the time to post this thorough advisory re: Yahoo for users here. It makes me even happier to be here.

    No worries… I have 250+ bit passwords different everywhere.. But Protonmail is now my primary…

    Happily ~ Thanks Much!

    Reply
  • Wow. I really appreciate the thoughtfulness and care which went into your description of the problem. It was also great that you decided to bring it to our attention since it could impact many ProtonMail users.

    I also like the possibility of answering your survey. I wish I could be a paying user…

    Have a great day! 🙂

    Reply
  • Some other form of password recovery would be useful, as I would imagine getting locked out of your Protonmail account you would be stuffed.

    Perhaps an optional setting of a time-expire code that is sent via SMS?

    This of course could be compromised too, but would be trickier to hack, and they still would not get your message encryption password?

    Reply
  • Thanks guys for looking out for us all! I certainly commend you for your work. I wish we could trust our politicians the way we do. It means a lot to be able to know that, someone who has the same, if not more capabilities than governments and idiots with nothing better to do than to hack other’s info, has your back.
    Non timebo mala, if you guys protect us!

    Reply
  • I’m here because I’m a Yahoo email user; ironically I used it as my “Official” email address for business emails. When I first got BT Broadband, Yahoo was just an email program, but now it’s like “OK Magazine”, full of “Celebrity” gossip & associated rubbish.
    I’m definitely ProtonMail bound, but not because I have anything to hide; it’s the principle that counts, because one can still have confidential documents that should remain private, & therefore who knows who may get carte blanche to private data, because I just don’t trust the “Big Guns”, because they all have vested interests. There seem to be no vested interests with yourselves outside of building a better, more secure internet for those that want it, & starting with a secure email program. Lordy, you kind people have been a long time coming; thanks for turning up 🙂

    Reply
  • Hi!
    This comment is not especially a comment regarding this Yahoo hack, but just a question of security.
    In Sweden we have something called a ‘Mobil BankID’ which is used on many sites. It is said to be very secure because it is in connection with your mobile phone.
    Is this anything you have looked into?

    Mobil BankID is mainly used when you contact your bank, but also in many other different applications where security is vital to make sure you are you!

    Rgds LeifJ

    Reply
  • I never imported anything and used a Yahoo address for ProtonMail only to restore… is there any chance to check if ProtonMail got affected?

    Reply