Need a Yahoo Mail Replacement? Here’s How ProtonMail is Different

After last week’s announcement of an even larger Yahoo breach impacting 1 billion users, signups for ProtonMail have doubled again to hit an all-time high as users look for a Yahoo Mail replacement.

Update February 16th, 2017 – Yahoo just announced another major breach, which took place in 2015 and 2016. We have added more details about what you should do if you have a Yahoo account at the end of this blog post.

The large number of new users coming from Yahoo Mail is not very surprising given that ProtonMail’s core focus is email security and privacy. We first noticed the trend on social media when a large number of Tweets began appearing mentioning ProtonMail as a Yahoo Mail replacement. Starting on December 15th, the day the Yahoo breach was announced, ProtonMail’s growth rate effectively doubled, as can be seen in the chart below.

ProtonMail’s growth doubled immediately after the Yahoo data breach was disclosed.

We also saw ProtonMail signups jump dramatically last month after the US presidential election. The number of ProtonMail users is increasing, but the composition is also changing. After the Yahoo hack was announced, the German Federal Office for Information Security (BSI) also advised German citizens to stop using Yahoo Mail. German citizens looking for a Yahoo replacement are now a much bigger proportion of ProtonMail’s userbase, making up 8.5% of visitors, up from around 4% historically, surpassing both France and the UK.


Users coming from Yahoo will find at ProtonMail a very easy-to-use email experience, but underlying that is also an entirely different approach to security. As the Yahoo exodus continues, we have received more and more questions from Yahoo users in recent days, so in this post, we will try to answer the most common questions.

Why You Should Stop Using Yahoo Mail

This is the third major security incident to hit Yahoo Mail in 3 months. In the first incident, announced on September 22, a record 500 million accounts were breached, then the biggest breach in history. Then on October 4, it was revealed that Yahoo had willingly abetted the NSA in conducting indiscriminate mass surveillance on all Yahoo users. Finally, on December 15th, Yahoo shattered its own record by disclosing that over 1 billion accounts had been breached.

We have recently observed that many people do not grasp the repercussions email breaches can have on their lives or on the lives of those around them. In the Yahoo breach, attackers gained access to users’ first and last names, telephone numbers, passwords, dates of birth and answers to their security questions. Let’s consider the case of Jane, a hypothetical Yahoo Mail user.

Because three years elapsed between when the breach occurred (2013) and when it was discovered, attackers have had three years to stroll through her mail and read about any medical details she shared about her family, trips she took abroad, purchases she made, and any intimate details ever sent via her Yahoo account, not to mention to compromise other accounts that share information such as security questions.

Email in particular is very sensitive because it is often the common thread that ties together our digital lives. Breaching an email account is equivalent to breaching all other accounts linked to that email, for example your Facebook, Amazon, or iTunes account, just to name a few.

The Yahoo breach is particularly bad because as recently as 2013, Yahoo was using the outdated MD5 algorithm to hash passwords. MD5 has been considered broken for over a decade, and because Yahoo was using MD5, the stolen credentials can be cracked relatively easily, magnifying the damage from the breach. Simply put, using MD5 in 2013 was not only negligent, it shows an utter disregard for user safety.
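The difference between unsalted MD5 password storage and a salted, memory-hard hash, as an added example that is not from the original post or from Yahoo's or ProtonMail's code. The record layout, function names, scrypt parameters and sample password are assumptions made for illustration; the example also shows re-hashing a legacy record on the next successful login.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P = 2**14, 8, 1

def legacy_md5_record(password):
    """Weak scheme: unsalted and fast, so equal passwords give equal records."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Hardened scheme: per-user random salt plus a memory-hard KDF.
    Record layout (hypothetical): scrypt$N$r$p$salt_b64$hash_b64"""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(dk)}"

def verify(password, record):
    """Return (ok, record_to_store). A legacy MD5 record is replaced by a
    scrypt record the first time its owner logs in successfully."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, rest):
            return True, scrypt_record(password)  # upgrade on login
        return False, record
    if scheme == "scrypt":
        n, r, p, salt_b64, dk_b64 = rest.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                            p=int(p), dklen=len(expected))
        return hmac.compare_digest(dk, expected), record
    return False, record  # unknown scheme: fail closed

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Two users with the same password: MD5 records collide, scrypt records do not.
    print(legacy_md5_record(pw) == legacy_md5_record(pw))   # True
    print(scrypt_record(pw) == scrypt_record(pw))           # False
    ok, upgraded = verify(pw, legacy_md5_record(pw))
    print(ok, upgraded.split("$")[0])                       # True scrypt
```

Upgrading on login only protects accounts that log in again; records for dormant accounts stay in the weak format until they are re-hashed or reset.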

Security by Design

Security is difficult. There’s no getting around this basic fact. Yet, there is still much that can be done to protect data. One of the best ways to protect data is to simply not have it. This is the approach that ProtonMail has taken with end-to-end encryption and why we are a more secure alternative to Yahoo Mail.

All ProtonMail inboxes are protected with end-to-end encryption, meaning that we don’t have the ability to read your messages. The benefit of this is that if ProtonMail is ever breached, attackers also will not be able to read your messages. In other words, an attacker cannot steal from us something that we do not have access to. We also utilize much stronger authentication that does not require password equivalent data to be transmitted over the network, greatly reducing the risk from an active Man-in-the-Middle attack.

This might seem like common sense, but end-to-end encryption is not utilized by Yahoo or Gmail. The reason is simple. End-to-end encryption makes it impossible to read user data, so it also makes it impossible to show advertisements effectively. The way Yahoo or Gmail figure out which advertisements to show you is by reading your email to learn about your interests and your life. Because Yahoo and Google derive the bulk of their revenue from showing ads, being able to read user data is more important than security. After all, you are the product that is being packaged and sold to advertisers.

We truly believe that the only chance to protect data in the digital age is to build systems that are secure by design. This means services should be built from the ground up with security as a central consideration, and not merely as an afterthought. Unfortunately, this concept just isn’t compatible with the ad-based business model of the majority of the Internet.

This is why ProtonMail is pioneering a different model as an alternative to Yahoo and Google. We cannot read your data, and we do not work with advertisers. Instead, ProtonMail is funded by the user community, either through donations or paid accounts. Because users and not advertisers are our priority, we are free to build an email service that puts security and privacy first.

Future Outlook

We believe that data breaches will become increasingly common in the future due to the asymmetric nature of fighting cyberattacks. As there is no such thing as 100% security, no service, not even ProtonMail, is immune to data breaches. If you cannot eliminate a risk, the next best thing is to mitigate it.

In such an environment, companies have an obligation to act responsibly and use end-to-end encryption on as much data as possible, in addition to collecting as little data as possible. Unfortunately, if the trend of sacrificing privacy and security for advertising revenue continues, so will the trend of devastating data breaches. However, thanks to your support, we are now ushering in a new era for the Internet where security and privacy come first.

Best Regards,
The ProtonMail Team

For questions and comments, you can reach us at media@protonmail.ch.

You can get a free secure email account from ProtonMail here.

ProtonMail is supported by community contributions. We don’t serve ads or abuse your privacy. You can support our mission by upgrading to a paid plan or donating.

Images in this blog post are provided under a free and unrestricted license.

Updated information regarding a third Yahoo breach announced on February 15th, 2017.

On February 15, 2017, Yahoo made an additional announcement following up on the previous hack disclosed in December. Yahoo announced that more user accounts (more than the 1 billion originally reported) might have been compromised as a result of a technical trick that involves forging cookies. The attack works by tricking Yahoo into believing that you are already logged in, so an attacker doesn’t have to steal your password but can proceed directly to extracting data from your inbox. Yahoo did not specify how many more users were affected but mentioned that the attack might have happened sometime between 2015 and 2016.

If you have a Yahoo Mail account, we recommend immediately taking the steps we outlined here to secure your Yahoo email address, or better yet, just delete your Yahoo account. This is the third major security incident involving Yahoo Mail, and the fact that it occurred in 2016 means that Yahoo Mail is likely still compromised. Thus, we recommend immediately switching to a more secure email provider.

Some users have written to us with questions about whether or not ProtonMail is vulnerable to the flaw that caused Yahoo to get hacked. ProtonMail is not susceptible to the attack that hit Yahoo because our secure authentication scheme cannot be bypassed by forging cookies. We have published the technical details about our secure email authentication scheme.

About the Author

Andy Yen

Andy is the Co-Founder of ProtonMail. He is a long time advocate of privacy rights and has spoken around the world about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.


28 comments on “Need a Yahoo Mail Replacement? Here’s How ProtonMail is Different”

  • Your signature is sent with my e-mail & it notifies my correspondent that their Yahoo account is insecure, so I promote ProtonMail (ProtonMail is not labeled as spam & obtains a good reputation), but I received more messages from Gmail/GMX than Yahoo and the 3 are tracking you.

  • You would think that the horrible UI would be enough to make users flee from Yahoo Mail, let alone the apparent security holes.

    On this note, I think the key to changing peoples’ behavior about almost any issue is really to show them the advantages of a change rather than the disadvantages of the status quo. With that in mind, the best way to sustainably grow Protonmail’s user base will be to keep rolling out new and useful features that make the switch attractive.

    Thus far, at least for me, Protonmail has done an amazing job of providing an attractive and stable platform, and I really enjoy that I get to keep looking forward to ongoing improvements almost monthly. It’s exciting! Protonmail can now realistically compete with Gmail in terms of its UI, reliability, and basic email functionality that most users require. Anything else is tasty gravy. For me, that gravy would eventually include calendar, chat and cloud storage.

    But I’m patient because I know that good things take time, and that it’s simply more fun to use a service that I can watch evolve in real time. Keep it up. We’re with you.

  • Can’t the lawyers get involved with this Yahoo matter?

    I have an encryption system. My encryption system is going one letter further in the alphabet than the original letter. For instance, all A’s are now B’s, and all B’s are C’s, etc. This scrambles the data.

    Isn’t easily breakable encryption really no encryption at all? md5 is such a chuckle that it may have been left in place as a favor to someone who wanted to read your emails.

    Can you sell me a boat and disguise the fact that there is no bottom in it?

  • I have a yahoo mail account. Is there benefit to cancelling the Yahoo account rather than just discontinuing use of the account? In other words, if I were to cancel the account wouldn’t the emails still be on some yahoo server(s) somewhere capable of being hacked into?

    If it is best to cancel the account then I would want to retain old emails. Do you have any instructions on how to best save/transfer large volumes of folders and emails to ProtonMail?

    Thank you.

    • As long as your other accounts are no longer linked to Yahoo, and your Yahoo password and security questions/answers are not being used anywhere else, you should be OK.

    • I also have a Yahoo Mail account that I don’t use anymore, and I personally think it would be better to simply not use it anymore, instead of cancelling it, if only to prevent Yahoo from eventually giving out the same address to someone else. I also set up an automatic forward to my ProtonMail in case someone still sends mail to it. That being said, I deleted every mail I still had saved, set up a strong password that I don’t use anywhere else and activated two-factor authentication for good measure as well, so hopefully I should be safe…

      Make sure to remove the Yahoo address everywhere (e.g. as login or password recovery mail address on other websites)!

  • Hi ProtonMail Team,

    I got ProtonMail two months ago. I have a problem with my emails being marked as spam. I never use your service to spam, just for mailing my friends. But especially Yahoo and Czech SeznamMail are marking my ProtonMail as spam.

    Do other users have the same problem? How do I fix that?

    Kind regards from Prague!

    Pavel

    • Hi Pavel, Yahoo is not very smart, their spam filter is not very good actually. The best way is to ask your contacts to mark your email as not spam and that will resolve the problem as Yahoo will learn that your address is not spam.

  • “The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.

    Today’s revelations add to Yahoo’s long string of security problems. Yahoo employees reportedly knew of the intrusion that led to the theft of data from 500 million users as early as 2014, but the company did not announce the breach until this September. What Yahoo executives knew about the breach, and when they knew it, have been crucial questions in Verizon’s ongoing acquisition of Yahoo. Yahoo did not disclose the first breach until several months after the deal was announced.”

    https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

    Clearly it’s worse than people thought. Obviously Yahoo can’t be trusted and I wonder if Verizon will eventually fix the problem. Yahoo is one big mess.

    • I would personally not trust Verizon. I worked for the company and though it was a decade ago they were quite awful. Their systems and incentives were off. Incentivized fraud within the business to business channel of wireless sales. Kind of like the fraud at Wells Fargo opening fraudulent accounts. The simplest of tasks could not be accomplished very easily for customers even when the problem was clearly the fault of Verizon and its sales people. I spent six months cleaning up their self imposed problems even though I knew I would be losing my job. Most people who were in my position would just take the money and look for a new job. Google verizarape and get an idea of how consistently bad they are with customer service. Getting bought by Verizon will not improve Yahoo in my opinion.

      Also our company uses Yahoo for small business mail. They have already spun us off to another company.

  • I have been using Hushmail for over 5 years it too has been hacked so that verification and password reset codes can be blocked by at least Damon Kalahele, alias the Russian Hacker he even reads my emails as I write via Script on which turns the screen blue…in 2009 he hacked the FBI and IC3 and still has not been apprehended with his Russian proxy he steals $millions every year phishing for passwords and wiring $ to Russia…in 2013 he hacked Adobe to steal server source codes pdf source codes LinkedIn uses one of these servers..he has Microsoft digital signature to invade any computer

    • Few e-mail providers are taking your privacy seriously: hack & mass surveillance can’t do nothing if the door is not opened before (IME is far more dangerous than the Microsoft keys lol).
      In fact, it is a matter of trust: Yahoo failed like Samsung like Hushmail like a lot of politic which are working without any morality & principles.
      Is it a business model ?
      No, it is a lost/rescue plan since the beginning.

  • I’d love to switch to Protonmail from Yahoo… but it’d be REALLY handy to be able to import all my old emails. This thread suggests it’s a feature you’re working… but the thread has also existed 2 years, with zero pertinent updates, that I could see.

    Is there any estimate on when such a feature might be available? Would love to weigh the pros/cons of dumping Yahoo sooner, but not being able to import all my old emails from that account, vs holding out until importing might be an option.

    • Same here. The ability to migrate my e-mails is the only thing that is keeping me from using ProtonMail. I have many years worth of e-mails I need to keep.

  • I’m so sick of them always making me change my password and their cheesy way of trying to get everybody’s phone numbers.

  • Okay, my Yahoo account was breached. Is it possible to close my Yahoo account, and bring my Yahoo email address to my Proton email account? I’m thinking not, but can someone confirm?
