Don’t have a Yahoo email address and think you’re safe from the hack?

Graham Cluley

As we should all know by now, Yahoo announced at the end of last week that it had been massively hacked – exposing details of half a billion accounts.

And, as I have mentioned in subsequent articles, some users of other email services (Sky, BT, etc…) could also be at risk because those companies chose to get Yahoo to handle their webmail service.

Yuck.

Well, it gets worse because – as the Bitcrack Computer Security blog points out – it turns out it’s not as simple as just checking whether you have a Yahoo, BT Yahoo Mail or Sky email address…

Similar to how Google allows you to host your domain with Google Apps, Yahoo! allows you to host your domain and thus email and other services with them. What this means of course, is that the login account Yahoo! kept in its database for your “custom” domain was also stolen in the leak.

My research shows that at least 572,162 domains are using Yahoo! as their email provider, and thus Yahoo!’s web-based account services and portals.

The Yahoo hack is believed to date from late 2014, and was only made public in the last few days. Which means that the hackers have had plenty of time to exploit the information they snaffled up: users’ names, email addresses, dates of birth, hashed passwords, and security questions and answers.

But here’s the kicker. It’s not just if you have a yahoo.com, yahoo.co.uk, or Sky email address. There are half a million domains set up to use Yahoo’s mail services – potentially exposing a frightening number of businesses and organisations around the world.

Bitcrack has created an online tool which will help you quickly verify if your domain is using Yahoo for its mail services.

If you have an email account at one of those 572,162 domains you may wish to follow the advice I previously gave to Yahoo users – because I’m afraid it seems it’s relevant to you too.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Don’t have a Yahoo email address and think you’re safe from the hack?”

  1. Well, that's just great! I had not thought about collateral damage, but if accounts get exposed and/or hacked, then contacts lists could be collected and sold for spam lists. That there are multitudes of other vulns with this explains why lawsuits are flying already, as well as a government inquiry. And isn't the head of Facebook security the former head of Yahoo's???
    Wonder if he will be named in the lawsuits, and called to testify in many venues.
