Yahoo today confirmed what the security community had long suspected: a massive breach of over 500 million email accounts, including both credentials and security questions. This is a major security incident that also has consequences for certain ProtonMail users, so we are issuing this security advisory.
At the time of writing, we have no signs that any ProtonMail accounts were compromised as a result of the Yahoo hack. By design, ProtonMail takes a completely different approach to email security when compared to every other major email provider. Our starting assumption is that a security breach is inevitable, and we have designed our entire architecture around that premise. This is because in our view, the existing paradigm of cyberdefense, which is “keep the bad guys out,” is a failed approach.
There are a multitude of methods through which server security can be breached, and an attacker only needs to exploit a single vulnerability once, while a service provider must constantly mount a successful defense against all attack vectors. In short, cybersecurity is a form of asymmetric warfare which decisively favors the attackers, and as we have seen time and time again, even sophisticated tech companies with competent security teams such as LinkedIn and Yahoo have been breached. Thus, it is safe to assume that all services will eventually be breached. By definition, it simply isn’t possible to have 100% security.
This is the reason ProtonMail was designed from the ground up with end-to-end encryption. If the working assumption is that servers storing data will eventually be breached, the next best option is not to hold the data in readable form in the first place. Because customer emails are encrypted on the client side before they reach ProtonMail servers, ProtonMail does not have the ability to decrypt any of the emails stored on our systems. Thus, in the event of a compromise, attackers cannot steal something that we don’t have, that is, the mailbox password and the contents of your messages.
We believe that in the current rapidly deteriorating cyber environment, with the rise of more numerous and capable state-backed actors, end-to-end encryption is the only viable approach to data security. While we are confident in the approach we have taken, ProtonMail does not exist in a bubble, and in today’s interconnected world, the Yahoo breach does have significant consequences for a proportion of ProtonMail users.
In all ProtonMail accounts, it is possible to set a recovery email address to recover your login password. In the majority of ProtonMail accounts, users have enabled this option. Furthermore, a significant proportion of those recovery email addresses are Yahoo addresses. If your recovery address is a Yahoo address, a compromise of that Yahoo account could also lead to a compromise of your ProtonMail account!
It is prudent to assume that ALL Yahoo accounts are now compromised. Therefore, if you are a ProtonMail user with a Yahoo recovery address, we recommend that you take the following step immediately:
Go to Yahoo Mail, change your account password, and disable security questions.
This will secure your Yahoo Mail account, thereby securing your ProtonMail account. Alternatively, you may also wish to change your recovery email address to a different address, preferably one that is not a Yahoo address.
Note that even if your Yahoo account is compromised and was used to reset your ProtonMail login password, your ProtonMail messages are still protected. This is because ProtonMail uses a separate mailbox password to protect your inbox. Thus, even if the login password layer is breached, the contents of your messages are still protected by the mailbox password. This additional security layer cannot be breached via the recovery address, even if that address is a Yahoo account.
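The two-password model the paragraph describes, as an added example that is not ProtonMail's code: a simplified model in Python in which the login password is only ever verified server-side, while the mailbox password derives a key client-side that never leaves the client. The account record, the recovery-reset flow and the HMAC-based stream cipher are all constructed stand-ins for the real system; what it shows is that a reset through a compromised recovery mailbox yields a login but not the plaintext.

```python
from __future__ import annotations
import hashlib, hmac, secrets

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed counter-mode keystream from HMAC-SHA256, a stand-in for a real cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def register(login_pw: str, mailbox_pw: str, recovery_email: str, messages: list[str]) -> dict:
    # Client side: the mailbox key is derived locally and only ciphertext is uploaded
    login_salt, mbox_salt, nonce = (secrets.token_bytes(16) for _ in range(3))
    mbox_key = kdf(mailbox_pw, mbox_salt)
    ct = xor_stream(mbox_key, nonce, "\n".join(messages).encode())
    tag = hmac.new(mbox_key, nonce + ct, "sha256").digest()
    return {"login_salt": login_salt, "login_hash": kdf(login_pw, login_salt),
            "recovery_email": recovery_email, "mbox_salt": mbox_salt,
            "nonce": nonce, "ciphertext": ct, "tag": tag}

def login(account: dict, login_pw: str) -> bytes | None:
    # Server side: a correct login password only yields the still-encrypted blob
    if hmac.compare_digest(kdf(login_pw, account["login_salt"]), account["login_hash"]):
        return account["ciphertext"]
    return None

def reset_login_via_recovery(account: dict, reset_link_recipient: str, new_login_pw: str) -> None:
    # Whoever reads the recovery mailbox can set a new login password, and nothing more
    if reset_link_recipient != account["recovery_email"]:
        raise PermissionError("reset link was not received at the recovery address")
    account["login_salt"] = secrets.token_bytes(16)
    account["login_hash"] = kdf(new_login_pw, account["login_salt"])

def open_mailbox(account: dict, ciphertext: bytes, mailbox_pw: str) -> list[str] | None:
    # Client side: a wrong mailbox password fails the integrity check instead of yielding junk
    key = kdf(mailbox_pw, account["mbox_salt"])
    expected = hmac.new(key, account["nonce"] + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, account["tag"]):
        return None
    return xor_stream(key, account["nonce"], ciphertext).decode().split("\n")

def recovery_takeover_outcome() -> tuple[bool, bool]:
    # Constructed scenario: the recovery address is a compromised Yahoo mailbox
    acct = register("login-pw", "mailbox-pw", "alice@yahoo.example", ["hello", "draft"])
    reset_login_via_recovery(acct, "alice@yahoo.example", "new-login-pw")
    blob = login(acct, "new-login-pw")
    return blob is not None, open_mailbox(acct, blob, "new-login-pw") is not None
```

`recovery_takeover_outcome()` returns `(True, False)`: the reset grants a login, but the blob stays opaque without the mailbox password.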
However, even if you do not use a Yahoo recovery address with your ProtonMail account, the Yahoo breach may still impact your ProtonMail account! You may be impacted if you have a Yahoo account and your ProtonMail passwords are the same as your Yahoo password. The same applies to any other service where you share credentials with Yahoo. We recommend never reusing a password across services. If you are using your Yahoo password with any other service, we recommend changing all those passwords immediately.
Finally, because Yahoo is a major email provider, if you have signed up for any other service using your Yahoo address, your accounts at those other services may also be compromised. This is because the email address used to register for a service can usually also be used to recover a forgotten password. This means an attacker who has access to your Yahoo account can also reach every other account that was registered using your Yahoo address.
While the identity of the attackers who hit Yahoo is not known, keep in mind that Yahoo credentials have been offered for sale on the Darknet for at least 2 months now, so there is no telling how widely the leaked credentials might have been distributed. Thus, it is prudent to also change the passwords for all other services linked to your Yahoo address.
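The chain the last three paragraphs describe (recovery addresses plus reused passwords), as an added self-audit example that is not part of the original advisory: given an inventory of your own accounts, it lists every account an attacker holding a breached provider's mailbox could reach. The inventory and provider names are constructed; password groups are opaque labels so no password appears in the data.

```python
from __future__ import annotations

# Constructed inventory: provider, the account used as recovery address (if any),
# and a label for which password it uses (same label = reused password).
ACCOUNTS = {
    "yahoo-mail": {"provider": "yahoo",  "recovery": None,         "pw_group": "pw1"},
    "protonmail": {"provider": "proton", "recovery": "yahoo-mail", "pw_group": "pw2"},
    "shop":       {"provider": "shop",   "recovery": "yahoo-mail", "pw_group": "pw1"},
    "bank":       {"provider": "bank",   "recovery": "protonmail", "pw_group": "pw3"},
    "gmail":      {"provider": "google", "recovery": None,         "pw_group": "pw4"},
    "forum":      {"provider": "forum",  "recovery": "gmail",      "pw_group": "pw1"},
}

def exposed_accounts(accounts: dict, breached_provider: str) -> dict[str, str]:
    """Return {account: reason} for every account reachable from a breached provider
    through password-reset chains (recovery addresses) or a reused password.
    Reachability is transitive: an account taken over by reset becomes a new pivot."""
    exposed = {a: "breached provider" for a, d in accounts.items()
               if d["provider"] == breached_provider}
    frontier = list(exposed)
    while frontier:
        src = frontier.pop()
        for name, d in accounts.items():
            if name in exposed:
                continue
            if d["recovery"] == src:
                exposed[name] = f"password reset via {src}"
            elif d["pw_group"] == accounts[src]["pw_group"]:
                exposed[name] = f"password shared with {src}"
            else:
                continue
            frontier.append(name)
    return exposed

if __name__ == "__main__":
    for name, reason in exposed_accounts(ACCOUNTS, "yahoo").items():
        print(f"{name}: {reason}")
```

Every account this returns needs a new password and, where the reason is a reset chain, a recovery address that does not lead back to the breached provider.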
If you have any questions regarding this, you can reach us at firstname.lastname@example.org and we would be happy to assist. Our security team will continue to monitor developments and update all users as necessary. In the coming months, we will also continue to roll out more advanced technology to make ProtonMail’s email service even more secure.
The ProtonMail Team