ProtonMail Security Advisory Regarding Yahoo Hack

Confirming what was long suspected by the security community, Yahoo has confirmed a massive breach of over 500 million email accounts, including both credentials and security questions.

October 4, 2017 Update: Yahoo now confirms that the hack impacts 3 billion accounts, and not the 1 billion or 500 million that was previously reported.

Email’s changing threat model

In the past couple years, the increasing number of high profile email hacks have clearly demonstrated that the threat model for email has changed dramatically. While previously there was a reasonable expectation of security and privacy with email communications, now it is becoming fairly evident that most email systems are simply not capable of protecting user data. However, email is still an essential part of our lives, an integral part of our digital identity.

At ProtonMail, we are addressing this problem by taking a completely different approach to email security compared to every other major email provider. We have a different threat model, where our starting assumption is that a security breach is inevitable, and we have designed our entire architecture around that premise. This is because in our view, the existing paradigm of cyberdefense, which is “keep the bad guys out,” is a failed approach.

There are a multitude of methods through which server security can be breached, and an attacker only needs to exploit a single vulnerability once, while a service provider on the other hand must constantly mount a successful defense against all attack vectors. In short, cybersecurity is a form of asymmetric warfare which decisively favors the attackers, and as we have seen time and time again, even sophisticated tech companies with competent security teams such as Linkedin and Yahoo have been breached. Thus, it is safe to assume that all services will eventually be breached. By definition, it simply isn’t possible to have 100% security.

This is the reason ProtonMail was designed from the ground up with end-to-end encryption. If the working assumption is that servers storing data will eventually be breached, the next best option is to not have data in the first place. By encrypting customer emails on the client side before they reach ProtonMail servers, ProtonMail does not have the ability to decrypt any of the emails stored on our systems. Thus, in the event of a compromise, it is not possible for attackers to steal something that we don’t have, that is, the mailbox password and contents of your messages.

We believe that in the current rapidly deteriorating cyber environment, with the rise of more numerous and capable state-backed actors, end-to-end encryption is the only viable approach to data security. While we are confident in the approach we have taken, ProtonMail does not exist in a bubble, and in today’s interconnected world, the Yahoo breach does have significant consequences for a proportion of ProtonMail users.

What to do if you are an Yahoo user

If you have ever had an Yahoo account in the past, there are three steps that you should take immediately.

1.  Change your password and security questions

It is prudent to assume that ALL Yahoo passwords are now compromised, especially since some Yahoo passwords were stored with the insecure MD5 hash. Furthermore, we know that the Yahoo breach also leaked security questions and answers. This means if you used the same passwords and security questions from your Yahoo account on other accounts, you should immediately change those passwords and security questions. We recommend never using the same password between services.

2.  Unlink your other online accounts from Yahoo

Finally, because Yahoo is a major email provider, if you have signed up for any other service using your Yahoo account, your accounts at those other services may also be compromised. This is because the email address used to register for a service can usually also be used to recover a forgotten password. This means an attacker who has access to your Yahoo account also has access to all your other accounts which were registered using your Yahoo account.

Because Yahoo is most likely fully compromised, you should unlink all of your other online accounts from Yahoo. For example, if you signed up for Facebook using Yahoo, you should change the email address in your Facebook account to a different email address.

If you are ProtonMail user, be aware that we allow account recovery via email. If your recovery address is from Yahoo, then this means a compromise of your Yahoo address could also lead to a compromise of your ProtonMail account! We recommend changing your recovery email address to a non-Yahoo address, or removing the recovery address entirely.

Note, even if your Yahoo account is compromised, and was used to reset your ProtonMail login password, your ProtonMail messages are still protected. This is because ProtonMail uses end-to-end encryption, which means resetting your password is not sufficient to gain access to your already encrypted messages.

3.  Delete your Yahoo account

Given Yahoo’s abysmal track record when it comes to security, and the fact that Yahoo has previously willingly abetted and assisted government mass surveillance efforts, Yahoo is not a company that should be trusted with your personal data and communications.

To protect yourself from identity theft, the disclosure of sensitive personal communications, and other threats, you can simply remove this vulnerability by deleting your Yahoo account. This is something that we strongly recommend doing, especially since there exists other more secure Yahoo Mail alternatives such as ProtonMail which are also available for free.

With these steps, you can protect your private email communications and your entire digital life from suffering any ill effects as a result of the Yahoo hack. If you are a business owner, we also recommend checking out our guide on how to prevent email hacking.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also now provide a free VPN service.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

75 comments on “ProtonMail Security Advisory Regarding Yahoo Hack

    • Two step verification has many flaws especially if you use sms as often if you are targeted by a hacker they will call your phone company and get your SIM card changed to theirs so that they can get messages sent to them. Its best to use hardware for verification like a USB authentication key.

      Reply
      • USB authentication technologies, like those using the U2F standard, continue to rely on passwords as part of the authentication process, which is very dangerous and completely obsolete for data security. If you use a technology that still requires an ID and password combination for the login process—even with a required USB device as a second authentication factor—you are still inviting attacks on your login server, and your first authentication factor is still a prime target for attackers.

        https://www.secsign.com/usb-authentication-keys-tokens-bad-idea/

        Ups …

        Reply
      • That’s a slim chance to none. Doubt 99% of Yahoo worries need to worry about that.

        Better to still use Two-step verification even with its flaws. Nothing is perfect.

        I agree that SMS is not the preferred method, but it’s better than nothing. Authy and Google Authenticator seem to be the most popular choices.

        Reply
  • Incidents like this one really show how important it is to have two different passwords for a secure email account, one that logins and one that is used to decrypt the messages.

    It is more time consuming to manage but worthwhile if one cares about security, thanks for explaining.

    Reply
  • Glad to see ProtonMail taking the necessary steps to alert their users of a security breach, even if it took place with a completely separate provider but still impacts users at ProtonMail.

    Keep up the excellent work, guys! I don’t know where I’d store my email if it weren’t for ProtonMail.

    Reply
  • I suggest that you completely dunk yahoo for anything thats confidential and seured. Use protonmail for that. I use Yahoo for junk….expecially when stores and online services wants an email address before allowing a program download, or a store wants to sent their emails to entice buying more. All junk and its perfectly good for yahoo.
    YaoooooHoooooooooo…..

    Reply
  • Protonmail presently may not be compromised centrally, but until it enables 2 factor password loggers can completely compromise it, also, if we do not have a way to pin the Javascript code (versus re-download each time we logon or get an update) we can still be compromised.

    I hope protonmail ads a second factor like TrezorConnect, BitID, SQRL, or Authy SOON or soon you will have government and private Trojans targeting protonmail users.

    Reply
  • Just to clarify for everyone: This wasn’t info on a hack that happened recently, this was the info on a hack that compromised millions of account over 2 years ago. Yahoo is just releasing the information on it now. Verizon recently bought out Yahoo, so maybe that’s why they just released it now. Maybe the original development team was trying to keep this a secret or something. So this actually isn’t anything new and probably already too late to start changing passwords on a attack that happened 2 years ago.

    Anyways, I am glad I don’t use Yahoo anymore. I think they are the #1 search engine/mail service that gets hit by attacks all the time.

    Reply
  • ProtonMail should not trust recovery email alone but it should be followed with a recovery phone verification as well as part of the recovery procedure.
    this is ProtonMail week spot.
    it does not matter if you have yahoo gmail etc once one of those breached the road to break proton is shorten.

    Reply
  • Hi ! Since you mentionned «…the current rapidly deteriorating cyber environment», it may not be completely off-topic to inquire how, if in anything, the security and anonymity of Protonmail users is going to be affected by today’s approval by votation by the Swiss people of surveillance of electronic communication (inter alia) by the secret services of your country ? Are you going to issue a statement and analysis of the new regulations and how they affect you and your users ? Thank you !

    Reply
  • Many thanks for posting this alert. I dropped Yahoo over ten years ago due to all the spam that ended up in my in-box. Since then, I have tried two others before finally settling on another popular encrypted email service that has satisfied most of my email needs. However, recently one of my friends told me about ProtonMail which he uses 100% of the time……so I signed up for free ProtonMail as a test. I’m still learning the “Proton ropes” and now using it for my most private email needs as well as email between a few selected friends. Thanks again.

    Reply
  • So if I have 2 MSN EMail Accounts that send my msn mail to yahoo mail I am hacked????? I did read about this yesterday and made a password using numbers,letters-upper and lower case etc….. 22 length P/W. Will this work,also changed msn email P/W and made them real long…..Do you know how I can find out if there is a keylogger hiding on my system???? Thanks.

    Reply
  • I find it really cool that you guys take this so very seriously! Thank you very much for that.
    This makes me hope that you also have an answer to the question I’ve always had about protonmail on android: since there the app doesn’t ask for any password and everything Android is controlled/stored/backedup/vulnerable to Google, I was wondering if a Google account hack would mean a Protonmail account would be compromised via the Android app?

    Reply
  • Great response to what was all over the news…
    but, what is your response to the referendum on surveillance powers given to the security service of Switzerland by…’THE PEOPLE’…
    Your hosting location is Switzerland… any qualms about being snooped on ‘legally’ by the ‘State’…?

    In fact whatever your response… maybe time to move again…
    just when I thought I found a home…
    mali

    Reply
  • Wonderful, thank you for warning.

    By the way, I have one scenario in mind. For example, what If cracker creates browser addon which will inject some code when user is in protonmail and steal passwords? It can even have access to non encrypted mails.

    Reply
  • Perfect, you are perfect, thank you.
    As others, i use yahoo just for trash, its perfect for trash, when you think something is gonna send you marketing or other phishing stuff use yahoo cause its very good for trash but do not put any real data there, for this exist protonmail!
    Thank you guys, you’re awesome, it dosen’t matter if it was two year or yeasterday! You matter and that counts a lot.

    Reply
  • I have recently switched to protonmail after using yahoo for quite some time as my primary.

    In the past i’ve used hushmail so i am familiar with encrypted email. I think it’s great you took the time to post this thorough advisory re: yahoo for users here. It makes me even happier to be here.

    No worries… I have 250+ bit passwords different everywhere.. But Protonmail is now my primary…

    Happily ~ Thanks Much!

    Reply
  • Wow. i really appreciate the thoughfulness and care which went into your description of the problem. It was also great that you decided to bring it to our attention since it could impact many ProtonMail users.

    i also like the possiblility of answering your survey. i wish i could be a paying user…

    Have a great day! 🙂

    Reply
  • Some other form of password recovery would be useful, as I would imagine getting locked out of your Protonmail account you would be stuffed.

    Perhaps an optional setting of a time-expire code that is sent via SMS?

    This of course could be compromised too, but would be trickier to hack, and they still would not get your message encryption password?

    Reply
  • Thanks guys for looking out for us all! I certainly commend you for your work. I wish we could trust our politicians the way we do. It means a lot to be able to know that, someone who has the same, if not more capabilities than governments and idiots with nothing better to do than to hack other’s info, has your back.
    Non timebo mala, if you guys protect us!

    Reply
  • I’m here because I’m a Yahoo email user, ironically I used it as my “Official” email address for business emails. When I first got BT
    Broadband, Yahoo was just an email program but now it’s like “OK Magazine” full of “Celebrity” gossip & associated rubbish.
    I’m definitely ProtonMail bound but not because I have anything to hide, it’s the principle that counts because one can still have confidential documents that should remain private & therefore who knows who may get cart blanch to private data because I just don’t trust the “Big Guns” because they all have vested interests. There seems to be no vested interests with yourselves outside of, building a better more secure internet for those that want it & starting with a secure email program. Lordy, you kind people have been a long time coming thanks for turning up 🙂

    Reply
  • Hi!
    This comment is not especially a comment regarding this Yahoo hack, but just a question of security.
    In Sweden we have something called a ‘Mobil BankID’ which is used on many sites. It is said to be very secure because it is in connection with you mobile phone.
    Is this anything you have looked into?

    Mobil BankID is mainly used when you contact your bank, but also in may other different applictions where security is vital to make sure you are you!

    Rgds LeifJ

    Reply
  • i never importet any thing and used yahoo adress for protonmail only to restore…is there any chance to check if protonmail got affectes?

    Reply
  • Appreciate your write-ups and commitment to security!

    A question — I understand why changing a Yahoo! password and deleting security questions was important to do. However, why was their doing away with security questions entirely a good idea?! It seems Yahoo! did themselves in; it was weird to read to “Delete your security questions to enhance security” (Orwellian) instead of “Change your security questions to enhance security”

    Reply
    • Could happen to any service (look at Yahoo now). The reason ProtonMail will have better longevity however, is because the service is directly supported by the user community, and we aren’t dependent on third parties such as advertisers to keep the service running.

      Reply