It's time to close your Yahoo account

Enough is enough.

Reuters reports:

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency's demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

If true, then the advice for the privacy-conscious is clear: close down your Yahoo account.

After all, how could you ever trust Yahoo again?

Remember this news report comes hot on the heels of Yahoo revealing that criminals hacked into its systems two years ago and stole the account details of at least half a billion users, and that it chose not to reset users' passwords when it had the chance.

And now we know why Alex Stamos quit as security chief at Yahoo to join Facebook:

Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Sheesh...

Of course, it's possible that the FBI or NSA asked other webmail companies to provide similar assistance, and that they simply haven't told us yet.

Maybe you would be wise, if you care about your privacy, to use an alternative service that believes in keeping your email communications private - such as ProtonMail, Posteo or Tutanota.

Remember, if you use a free service for your email - your privacy is never going to be your email provider's highest priority.

PS. Here is how you delete your Yahoo account.

35 Responses

  1. Jay

    October 4, 2016 at 10:03 pm #

    Yeah, that's my opinion too (dump Yahoo). I'm working on it. Like Graham wrote about before, it gets complicated if you've had Yahoo for a while and other accounts get linked through other services. But I'm making progress understanding how it all links up and I'm getting to the point where I'm ready to pull the plug soon.

    Does anyone else think that in the future, the only way to be reasonably safe is going to be to use a paid service? Free email means making too many compromises … where marketers can go, hackers and spies will follow.

    • coyote in reply to Jay.

      October 5, 2016 at 3:34 am #

      'Does anyone else think that in the future, the only way to be reasonably safe is going to be to use a paid service?'

      Unless you're knowledgeable, experienced and capable (including the network and hardware requirements) to run your own mail servers, probably yes. But I doubt paid will completely solve the problem because the law is on the side of the governments and therefore corporations might eventually have no choice (the fact it seems Yahoo didn't fight this is another matter entirely). Even then you have the issue of: is email encrypted? (That's a rhetorical question and the answer also applies to your own private mail server if you do indeed use it between others). It's unfortunately more complicated still, so find the one with the best reputation and be ever cautious.

  2. Sarajh

    October 4, 2016 at 11:20 pm #

    So who benefits from this? Google? We all go to Gmail where we are monitored just as closely???

    • JUK in reply to Sarajh.

      October 5, 2016 at 2:23 am #

      Funny this, I have just been trying to do the exact same thing all night before I'd even seen this. I cannot get it to delete my account; it keeps coming back with "invalid password" all the time. I have opted for Gmail as a replacement but not as my main account. It won't die without a fight by the looks of it. :)

    • Ants in reply to Sarajh.

      October 10, 2016 at 4:18 pm #

      Have you got evidence that governments monitor Gmail accounts?

  3. Bob

    October 5, 2016 at 2:10 am #

    Kind of ironic you say:

    "Remember, if you use a free service for your email – your privacy is never going to be your email provider's highest priority."

    But the very line above you link to three FREE email services.

    • cyberyinyang in reply to Bob.

      October 5, 2016 at 9:10 am #

      Free services for which you have the choice to pay. They won't survive long without paying users since they (claim they) don't sell your data nor use ads for making money…

    • Bob in reply to Bob.

      October 5, 2016 at 10:32 am #

      The services are somewhat limited unless you pay Bob.

      [I'm another Bob]

      • Graham Cluley in reply to Bob.

        October 5, 2016 at 10:43 am #

        One of the benefits of registering an account at grahamcluley.com is you can differentiate yourself from other Bobs. :)

        • Bob in reply to Graham Cluley.

          October 5, 2016 at 11:48 am #

          I'd like to but my employer disapproves strongly about any of us using social media, contributing towards blogs etc.

          Then again, there is always the option of an anonymous burner email to setup an account…

          Good choices by the way: "ProtonMail, Posteo or Tutanota"… they are the three most secure email services out there that I've come across.

  4. Techno

    October 5, 2016 at 9:57 am #

    The main reason for quitting Yahoo Mail is simply that their UI is rubbish. I have only kept mine the past few years because Freegle is based on it, but even Freegle seem to finally be moving off the Yahoo platform so I can finally dump Yahoo now.

    One of the advantages of paid for email services is you can set up loads of aliases that deliver to one Inbox, so you can have an email for each organisation you deal with, and then you can see who is selling (or leaking) your email address to spammers.

    • Malcolm in reply to Techno.

      October 5, 2016 at 11:01 am #

      It's not just paid accounts that allow aliases – gmail does too

      • Techno in reply to Malcolm.

        October 5, 2016 at 2:16 pm #

        Gmail doesn't do it properly. It allows you to add "+something" to an email address to differentiate it but this is not quite the same thing.

        A proper alias can be turned off so that any emails sent to it get bounced – very useful when it starts to get spammed – but you can't do that with Gmail, it's just your tough luck if it starts getting spammed (but you at least know who sold/leaked the email address).

        • Paddleless in reply to Techno.

          October 5, 2016 at 4:54 pm #

          The only reason I have a Yahoo account is that it offers 500 alias addresses, so I can have a different email address for each website log-in. You set up an alias name, and then create alias addresses as needed by adding a dash followed by whatever you want to the alias, and saving it. You can delete one later if it starts getting spammed. Even though I don't use Yahoo for real communications, and it would be a nuisance to change the email account on multiple sites, I'm considering whether I should migrate those log-ins elsewhere.
          Outlook and GMX allow ten aliases per account, which look like regular Outlook or GMX addresses but forward to the primary account. You can set Outlook so that only the primary account name can be used to log in. Spamgourmet is an option for unimportant stuff.

          • Techno in reply to Paddleless.

            October 5, 2016 at 6:58 pm #

            That's interesting. They keep that feature hidden, I had to search on "Yahoo 500 alias" to find it. I thought you could only create one extra email address which is what I've always been advised when I looked into it. They should promote the feature more.

            Fastmail allows 600 aliases even on their basic service.
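The per-organisation alias scheme Techno describes, and the "+tag" versus dash-style alias formats discussed in the replies above, come down to one defensive check: when mail arrives on an alias, does the sender belong to the organisation that alias was given to? The following is an added example (not code from the post or from any provider) showing that check as a small Python script. The alias registry, the sender domains and the sample messages are all constructed; the "+tag" and "aliasname-tag" formats are modelled on the comments, not on any provider's documented rules.

```python
"""Map inbound mail on per-site aliases back to the organisation each alias was handed to.

Added example, not from the page or any provider. All addresses, domains and
messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: alias -> (organisation it was given to, sender domains expected from it).
ALIAS_REGISTRY = {
    "me+shop@example.com":     ("shop", {"shop.example"}),      # Gmail-style "+tag" alias
    "mebase-bank@example.com": ("bank", {"bank.example"}),      # Yahoo-style "aliasname-tag" alias
    "shoes@mail.example.net":  ("shoes", {"shoes.example"}),    # plain one-off alias
}

# Constructed sample messages: an expected receipt, a blast to a bank-only alias,
# and a blast to the bare base address (the "+shop" tag stripped off).
SAMPLE_MESSAGES = [
    "From: Receipts <noreply@shop.example>\nTo: me+shop@example.com\nSubject: Your order\n\nThanks.\n",
    "From: Deals <blast@spam.example>\nTo: mebase-bank@example.com\nSubject: You won\n\nClick here.\n",
    "From: Deals <blast@spam.example>\nTo: me@example.com\nSubject: You won\n\nClick here.\n",
]


def _lower(addr):
    return addr.strip().lower()


def split_alias(addr):
    """Split an address into (base address, tag) for '+' and '-' style aliases.

    Returns (addr, None) when the local part carries no tag. Note that a '+' tag
    can be stripped by anyone who receives the address, so the base address
    being hit is itself a signal worth recording.
    """
    local, _, domain = addr.partition("@")
    for sep in ("+", "-"):
        if sep in local:
            base, tag = local.split(sep, 1)
            return f"{base}@{domain}", tag
    return addr, None


def recipients(raw):
    """All recipient addresses from To/Cc/Delivered-To, lowercased."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return [_lower(a) for _, a in getaddresses(fields) if a]


def sender_domain(raw):
    """Domain of the From: address (empty string if absent)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return _lower(addr).rpartition("@")[2]


def assess(raw, registry=ALIAS_REGISTRY):
    """One finding per recipient alias.

    verdict 'expected': sender domain matches the organisation the alias was given to
    verdict 'leaked':   registered alias, but the sender is from an unrelated domain
    verdict 'unknown':  address not registered (a stripped tag, or a guessed address)
    """
    sdom = sender_domain(raw)
    findings = []
    for addr in recipients(raw):
        if addr in registry:
            org, domains = registry[addr]
            verdict = "expected" if sdom in domains else "leaked"
            findings.append({"alias": addr, "org": org, "verdict": verdict, "from": sdom})
        else:
            base, tag = split_alias(addr)
            findings.append({"alias": addr, "org": None, "verdict": "unknown",
                             "from": sdom, "base": base, "tag": tag})
    return findings


def summary(messages, registry=ALIAS_REGISTRY):
    """Count 'leaked' verdicts per organisation across a batch of raw messages."""
    counts = {}
    for raw in messages:
        for f in assess(raw, registry):
            if f["verdict"] == "leaked":
                counts[f["org"]] = counts.get(f["org"], 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        for f in assess(raw):
            print(f)
    print("leak counts by organisation:", summary(SAMPLE_MESSAGES))
```

The registry deliberately keys on the full alias rather than on the tag alone, so the plain one-off aliases a paid provider offers are handled the same way as "+tag" or dash-style ones. The "unknown" verdict is where the difference between the two formats shows up: a message to the bare base address means someone stripped the tag, which a per-site alias that can be turned off or bounced avoids.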

        • Steph in reply to Techno.

          October 6, 2016 at 2:46 pm #

          There is this kind option with Yahoo… (even if I will dump it soon)

    • Joe McCormick in reply to Techno.

      October 5, 2016 at 4:23 pm #

      I use earthlink for my email service. I pay $4.95 a month for 2 email addresses. I have been an earthlink customer for over 15 years. They give me 7 extra Anonymous Email addresses. If you use one of them and start getting a lot of spam, you can just delete it and then create another new one. I have been pleased with their service.

  5. John Colbert

    October 5, 2016 at 10:16 am #

    Good God. Everything is monitored today. Google/gmail where all your data/history is known to them. Download apps to your mobile, and look at all the info they want before you can get the app. Facebook also stores lots of your personal info. There is stuff all that is private on the internet. If you are not involved in criminal activities, then you have nothing to worry about with Govt agencies snooping.

    • Plimley Sningimp in reply to John Colbert.

      October 5, 2016 at 11:52 am #

      "…you have nothing to worry about with Govt agencies snooping."

      Keep telling yourself that. That way, you'll continue to believe it…until you get caught in some massive Federal sweep because one of your messages happened to contain some variant of the "wrong" text string.

      But by then it won't matter. You will have sold out your right to privacy and freedom of speech (and everyone else's) by your anti-Constitutional belief. Then we'll all live miserably ever after in the Soviet States of America.

      • DavID in reply to Plimley Sningimp.

        October 6, 2016 at 5:12 am #

        The CCCP didn't call itself the Soviet States of Russia. So your analogy falls down unless the two continents … oh wait, you're one of those quaint national stereotypes who ASS-(yo)U-ME that everyone reading is in the USA!

  6. Rogue

    October 5, 2016 at 10:52 am #

    What about Yahoo Group subscriptions? I am subscribed with non-Yahoo email addresses.

    • Techno in reply to Rogue.

      October 5, 2016 at 2:30 pm #

      You will have to keep your Yahoo login if you want to contribute to Yahoo Groups. Try and encourage the group admin to move to another platform.

      • Ants in reply to Techno.

        October 10, 2016 at 4:17 pm #

        What other group platforms are recommended?

  7. Simon

    October 5, 2016 at 11:29 am #

    I had created a Yahoo! account over a decade ago, but quickly abandoned it for Gmail (which I've also ditched some time ago…)

    I no longer use any free email service and have moved all of my correspondences to my privately hosted mail server.

    It's a bit of a PITA running your own host, but I take comfort knowing that I'm not being profiled, analysed or data mined.

    FWIW, if you want to delete your Yahoo! account, open your browser, go to;

    edit.yahoo.com/config/delete_user

    and follow the prompts.

    You'll be informed that your termination request will be processed within 90 days or something to that effect…

    • DavID in reply to Simon.

      October 6, 2016 at 5:25 am #

      Unless you've built your own hardware from discrete (in at least one sense of the word) components I'd suggest you don't assume NO ONE can snoop on you.

      Have you read Ken Thompson's "On Trusting Trust" Turing Award presentation? Note he wrote that microcode would be harder to scrutinise. How many components in modern IT have enough processing ability to communicate behind your back?

      Perhaps you could monitor all the outputs from your devices. Don't forget to check RFI, ultrasound and modulation of the power supply!

      • Simon in reply to DavID.

        October 6, 2016 at 11:34 am #

        "Unless you've built your own hardware from discrete (in at least one sense of the word) components I'd suggest you don't assume NO ONE can snoop on you."

        That's true. But why stop there; can we trust anyone or anything?

        I'm paranoid to some extent, but draw the line at some point as paranoia will consume your life.

        Granted, hosting your own doesn't make you immune to surveillance if you've corresponded with externals without PGP or if you're obligated by law to surrender your equipment.

        At least one above others who trust their private correspondences in the hands of others.

        Echoing my earlier statement, I take comfort knowing that I'm no longer being profiled, analysed or data mined willy-nilly.

  8. David L

    October 5, 2016 at 1:27 pm #

    Well, before all this recent stuff, the sale to Verizon was good enough reason to leave Yahoo. Verizon is worse when it comes to resisting gov. snooping. And they are worse than Google in how they treat users personal data. At least Google gives you the options to delete, turn off, OPT-OUT of things. Remember those Verizon "Super Cookies" ? But, there's going to be a traffic jam leaving Yahoo now.

    • Jay in reply to David L.

      October 5, 2016 at 3:25 pm #

      Hopefully so, I would like to see paid email be a sustainable business model. And I'm afraid of just what I think you're alluding to, Verizon coming down and disallowing the option of deleting your Yahoo account/history/data, and congratulations, you've got a forever account for the criminals to hack whenever they get around to it. Verizon is just the sort of company to do that.

  9. Andy Lee Robinson

    October 5, 2016 at 9:35 pm #

    The only yahoo addresses I ever see are throwaway ones by Nigerian scammers et al, so the spamassassin scores get bumped up a few notches.

    Maybe the ease by which new anonymous users could sign up is a clue to the desire for intelligence.
    Remember, if it is free, then it is you that is the product.

  10. i&i

    October 5, 2016 at 10:47 pm #

    Hey, what about unseen.is as an email option?

  11. Thomas D Dial

    October 6, 2016 at 1:56 am #

    Disclosure: As far as I know, I never have had a Yahoo mail account, so have no personal interest in it one way or the other.

    The thinly sourced article at the core of this moral panic may mean a good deal less than is claimed, for several reasons.

    The most obvious is that what is described may actually be less intrusive than alternatives like searching accounts, if only because it applies only to current and future messages. The answer would be in details about selectors that are unreported and unlikely to be.

    Second, acquiring message content almost certainly requires a search warrant if the target is a US citizen or other person legally in the US. Because the tool is controlled by Yahoo (or was, if it is discontinued), they have the opportunity to contest warrants they consider too broad, and are reported to have done so at least once in the past, albeit unsuccessfully.

    Third, despite a great deal of indignant puffing about privacy and security, the fact is that the fourth amendment of the US Constitution is far from absolute. It forbids unreasonable searches, not all searches, and requires review, often by a court, of law enforcement demands for data. These requirements, although not identical to those in other countries, are comparable.

    Fourth, the capability to search and seize specifically targeted data from a stream establishes a technical requirement to scan all of it to identify the targeted data. It is for establishing the capability that Yahoo is being condemned, despite the total lack of information about how (or whether) it has been asked to use it. And it is the use of such a capability, not its mere existence, that determines whether it is lawful, constitutional, or morally acceptable.

  12. Howard Smith

    October 6, 2016 at 1:54 pm #

    I have a son that is cleared to work at that level of Gov. security. He can just pop up on my screen whenever he wants. He says if Uncle Sam wants to scan your undies then you better check for skid marks. He also believes that the only way is to put it in your damn mailbox and wait or drive over there and talk face to face. Good luck with all your malware and AVG (which is what he put in mine); if somebody wants in, they're in. Ask Graham, he will tell you and he tries to every month. The best advice I can give is to hand carry it and learn to keep your big mouth shut.

  13. Simon RP

    October 6, 2016 at 3:04 pm #

    Hi guys

    I only use yahoo for my Flickr account. I have 22,000+ photos stored there (besides on hard-drives). I really don't want to lose that etc source of storage.

    I'm trying to figure out what the implications are security-wise if the only email traffic to that account are Flickr emails.

    Hoping it means it's still ok

  14. JUK

    October 10, 2016 at 8:52 pm #

    I have as of today finally got rid of Yahoo. There is a much quicker way to get rid of Yahoo if you contact support directly; they then send you a few questions to answer about your account and that's it, no waiting 90 days.

    However, in their reply back, they sent me this………..

    I've gone ahead and deleted your ****** account for you. Just so you know:
    • A Yahoo ID that has been deleted may be recycled for reuse. It's impossible for Yahoo to reactivate a deleted account or retrieve any stored information in it.
    • You're always welcome to sign up for a new Yahoo account if you want to use Yahoo services again.

  15. Stanley

    October 24, 2016 at 12:33 am #

    Oh this is bad when the CSO quits.
