
Yahoo! – A Public Health Hazard?

Abstract

This research article demonstrates that Yahoo! is a personal and global health risk. Yahoo! now holds the three-time record for the largest cybersecurity breach of all time and is the first company confirmed to have willingly agreed to let the U.S. government scan and collect information from all of its users. This article investigates what happened and concludes with a simple solution for everyone that promotes personal and global wellness: use end-to-end encryption.

Introduction

The cyber attacks on Yahoo! occurred back in 2013 and 2014, but Yahoo! first informed the public of these attacks in September 2016 and December 2016.

Names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers were accessed, covering all Yahoo! services, including Yahoo! Mail, Yahoo! Groups, Flickr and Tumblr.

All 3 billion user accounts were affected, some of them on two occasions, and in between the two announcements came a further revelation.

Incoming emails to all 3 billion Yahoo! users’ accounts were also systematically scanned by the U.S. government in 2015, this time with Yahoo!’s cooperation.

Some 43 consumer class-action lawsuits have since been filed against the company.

According to the World Health Organization:

Health is a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity.

The stress Yahoo! may have caused to any number of its 3 billion users around the world, and to any number of non-Yahoo! users who sent emails to Yahoo! addresses, makes the company a global public health hazard. Yet the mainstream narrative focused on Verizon consequently paying less to buy Yahoo!, and on CEO Marissa Mayer having to forfeit her annual bonus and stock award.

Research

Yahoo! announces the largest user data breach in history.

In September 2016, Yahoo! announced that “at least 500 million user accounts” had been hacked in 2014.

The attackers retrieved names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers, and the media hailed it as one of the largest cybersecurity breaches of all time.

The company said it believed a “state-sponsored actor” was behind the data breach, meaning an attacker acting on behalf of a foreign government. It did not say which government. The FBI said that it was investigating.

Yahoo! collaborates with U.S. government to spy on user emails.

In October 2016, Reuters revealed that Yahoo! users had once again had their emails accessed without their knowledge, this time by the U.S. government.

The FBI and the National Security Agency (NSA) approached Yahoo! to build a custom software program to read all of its users’ incoming emails. Because every incoming message was targeted, the program examined mail from every person who wrote to a Yahoo! Mail address, treating every Yahoo! Mail user as a suspect and violating the privacy of people around the world.

The program was in operation by May 2015 and was designed to search all incoming emails for a specific string or digital ‘signature’. This could be a phrase in an email or an attachment. When that ‘signature’ was found, that email or attachment was then copied and sent to the relevant U.S. intelligence agency server.

Both Reuters and The New York Times stated that this is the first known case of a U.S. internet company agreeing to the systematic scanning of all arriving messages and real-time data collection at an intelligence agency’s request, as well as the first known time that a new program was created to do so.

The New York Times wrote:

News of the order has opened a new chapter in a public debate over the trade-offs between security needs and privacy rights that has cast a spotlight on the sometimes cooperative, sometimes antagonistic relationship between Silicon Valley companies and the United States government.

Yahoo! did not need to cooperate.

Yahoo! complied with a classified U.S. government edict. According to Liza Goitein, co-director of the National Security Program at New York University’s Brennan Center for Justice, “If Fisa is being used for mass surveillance that creates a whole other problem”.

FISA, the Foreign Intelligence Surveillance Act, allows the secret Foreign Intelligence Surveillance Court to issue such an order, but a traditional FISA order must identify a specific target, and Section 702 of FISA only permits the targeting of non-U.S. persons reasonably believed to be located outside the United States.

The NSA and FBI used FISA to justify the top secret global mass surveillance programmes, tracking foreign nationals and U.S. citizens alike, that Edward Snowden revealed in 2013; many U.S. legal experts regard these programmes as unconstitutional.

“This is another example of how the government is pushing secretly novel or innovative interpretations of surveillance law” to conduct wiretapping in broader ways than the public realise, said Jennifer Granick, the director of civil liberties at the Stanford Law School Center for Internet and Society.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court”, Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Yahoo! announces the (2nd) largest user data breach in history.

Then just two months later, in December 2016, Yahoo! announced they had discovered another major cyber attack had taken place in 2013.

The Guardian explained that this second “state-sponsored” attack had affected more than 1 billion user accounts, making this one the “biggest data breach in history”.

Yahoo! announces the (3rd) largest user data breach in history.

In October 2017, Yahoo! revealed that every one of its 3 billion accounts had been affected by the 2013 data theft, tripling the earlier estimate and making this new number “the largest breach in history”.

This means that every Yahoo! user’s account information was retrieved, and with it access to all of that user’s Yahoo! services, including Yahoo! Mail, Yahoo! Groups, Flickr and Tumblr.

Although Yahoo! claims that neither attack breached the system where user payment card and bank account details are stored, a compromised account exposes whatever sits in its mailbox: any account numbers, login details or other private information found in a user’s personal emails could also have been retrieved.

“For years I have been urging friends and family to migrate off of Yahoo email, mainly because I watched for years as the company appeared to fall far behind its peers in blocking spam and other email-based attacks”, states security researcher Brian Krebs.

Yahoo! is responsible for jeopardising their own users’ safety.

In March 2017, Yahoo! disclosed the results of an internal investigation which found that CEO Marissa Mayer had reacted too slowly, that other executives had “failed to act sufficiently” and that the company’s legal department had also been negligent.

It was revealed that the company’s security team had known at the time of the 2014 attack that a hacker had accessed the 500 million or more user accounts. Yet Yahoo! chose to notify only 26 users that their accounts had been breached. It informed the rest two years later.

The mistake was then repeated. In October 2017, when Yahoo! announced that all 3 billion of its users had been hacked in 2013, and not 1 billion as previously stated, the company said it would begin alerting accounts that had not previously been notified of the attack. It also stated that “in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts”.

The action taken was to require 1 billion of the 3 billion affected users to change their passwords. A forced password change is not protection from being hacked: it only invalidates the stolen credential for Yahoo! itself, and does nothing about the same password reused at other sites, or about the stolen names, dates of birth and security answers that can be used to take over accounts elsewhere.
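What a forced password change fixes and what it does not, as an added example (not code from the article or from Yahoo!). Yahoo!’s own December 2016 notice described the stolen 2013 password data as MD5 hashes, which is why the constructed dump below is unsalted MD5; the user accounts, the attacker wordlist, the salted comparison and the “other site” where a password is reused are all constructed for this demonstration.

```python
"""What a forced password change fixes, and what it does not.

Added example, not code from the article or from Yahoo!.  The 'dump', the
wordlist, the user accounts and the 'other site' are all constructed."""
import hashlib
import hmac
import os

# Constructed attacker wordlist.
WORDLIST = ["password", "123456", "letmein", "yahoo2013", "sunshine"]

# Counts hash computations so the two dump formats can be compared.
WORK = {"hashes": 0}


def md5_unsalted(pw: str) -> str:
    WORK["hashes"] += 1
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2(pw: str, salt: bytes, iters: int = 20_000) -> bytes:
    WORK["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)


def crack_unsalted(dump: dict, wordlist=WORDLIST) -> dict:
    """Unsalted MD5: one table built from the wordlist cracks every user at
    once, so the cost is len(wordlist) however many accounts leaked."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: dict, wordlist=WORDLIST) -> dict:
    """Per-user salt plus a slow KDF: the wordlist must be re-hashed for each
    account, so the cost grows with users x wordlist x iterations."""
    found = {}
    for user, (salt, h) in dump.items():
        for w in wordlist:
            if hmac.compare_digest(pbkdf2(w, salt), h):
                found[user] = w
                break
    return found


class Site:
    """Minimal credential store with per-user salted PBKDF2 hashes."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, pw: str):
        salt = os.urandom(16)
        self.users[user] = (salt, pbkdf2(pw, salt))

    def login(self, user: str, pw: str) -> bool:
        salt, h = self.users[user]
        return hmac.compare_digest(pbkdf2(pw, salt), h)

    reset = register  # a forced password change replaces salt and hash


def demo() -> dict:
    creds = {"alice": "password", "bob": "yahoo2013", "carol": "Tr0ub4dor&3!x9"}

    # Constructed 2013-style dump: unsalted MD5, as Yahoo! described that data.
    old_dump = {u: md5_unsalted(p) for u, p in creds.items()}
    WORK["hashes"] = 0
    cracked_unsalted = crack_unsalted(old_dump)
    unsalted_work = WORK["hashes"]

    # The same passwords stored salted with a slow KDF (constructed comparison).
    salted_dump = {}
    for u, p in creds.items():
        salt = os.urandom(16)
        salted_dump[u] = (salt, pbkdf2(p, salt))
    WORK["hashes"] = 0
    cracked_salted = crack_salted(salted_dump)
    salted_work = WORK["hashes"]

    # The reset: the provider replaces Alice's hash, so the cracked password
    # stops working there, but she reused it at another site, which still accepts it.
    provider, other_site = Site(), Site()
    for u, p in creds.items():
        provider.register(u, p)
        other_site.register(u, p)
    provider.reset("alice", "n3w-and-un1que")
    return {
        "cracked_unsalted": cracked_unsalted,
        "cracked_salted": cracked_salted,
        "unsalted_work": unsalted_work,
        "salted_work": salted_work,
        "provider_accepts_old": provider.login("alice", cracked_unsalted["alice"]),
        "other_site_accepts_old": other_site.login("alice", cracked_unsalted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two crack functions recover the same weak passwords; what differs is the work. The unsalted dump falls to one pass over the wordlist for all accounts, the salted one costs a full pass per account at KDF speed. The reset at the end shows the limit of the remedy: the provider stops accepting the cracked password, the other site does not.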

Being the first of the big email providers to encrypt mail end to end, so that message content cannot be read by anyone but sender and recipient, not even the provider itself, would be protection. Transport encryption (HTTPS) alone does not give this: the provider still holds the plaintext and can scan it, or lose it.
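The two mechanisms this section and the Reuters account above describe, put side by side in working code: a provider-side scanner that searches every header, body and attachment of an incoming message for a “signature” and copies matches, and the same scanner run over mail that was encrypted end to end before it reached the provider. This is an added example, not code from the article, from Reuters or from Yahoo!; the signature strings, the messages and the key are constructed, and the cipher is a toy built from the standard library’s hashlib and hmac so the script runs offline (a real client would use a vetted AEAD).

```python
"""Provider-side signature scanning versus end-to-end encrypted mail.

Added example, not code from the article, Reuters or Yahoo!.  The signature
strings, the messages and the key are constructed for this demonstration;
the cipher is a toy built from hashlib/hmac so the script runs offline."""
import base64
import email
import hashlib
import hmac
import os
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed strings standing in for the 'signature' the scanner looks for.
SIGNATURES = (b"rendezvous at pier 9", b"PROJECT-BLUEBIRD")


def scan(raw: bytes, signatures=SIGNATURES) -> list:
    """Content scan of one incoming message, as the article describes it:
    every header and every decoded MIME part (body or attachment) is searched
    for each signature.  A non-empty result means 'copy this message'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).encode()
    hits = [("headers", s.decode()) for s in signatures if s in headers]
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        where = f"part{i} {part.get_content_type()}"
        hits += [(where, s.decode()) for s in signatures if s in payload]
    return hits


def collect(messages, signatures=SIGNATURES) -> list:
    """The 'copy and forward' step: every raw message with at least one hit."""
    return [m for m in messages if scan(m, signatures)]


# --- toy end-to-end encryption (illustration only; use a vetted AEAD in real code) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def e2e_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def e2e_decrypt(key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def build(sender: str, to: str, subject: str, body: str,
          attachment: Optional[bytes] = None) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="memo.bin")
    return msg.as_bytes()


# Constructed key shared by the two endpoints only; the provider never holds it.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def demo(key: bytes = DEMO_KEY) -> dict:
    alice, bob = "alice@example.net", "bob@example.com"
    secret = b"rendezvous at pier 9 at noon"
    plain = build(alice, bob, "lunch", secret.decode())
    attached = build(alice, bob, "report", "see attached",
                     attachment=b"memo: PROJECT-BLUEBIRD status")
    innocent = build(alice, bob, "hi", "how are you?")
    # End to end: only ciphertext crosses the provider, so the body never matches.
    sealed_body = base64.encodebytes(e2e_encrypt(key, secret)).decode()
    sealed = build(alice, bob, "lunch", sealed_body)
    # Caveat: headers are not encrypted, so a signature in the Subject still matches.
    leaky = build(alice, bob, "PROJECT-BLUEBIRD", sealed_body)
    body_at_recipient = email.message_from_bytes(sealed, policy=policy.default).get_payload(decode=True)
    return {
        "plain": scan(plain), "attached": scan(attached), "innocent": scan(innocent),
        "sealed": scan(sealed), "leaky": scan(leaky),
        "copied": len(collect([plain, attached, innocent, sealed, leaky])),
        "recipient_reads": e2e_decrypt(key, base64.b64decode(body_at_recipient)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run stand-alone, the script shows the plaintext message and the attachment being copied, the sealed message passing the scanner untouched while the recipient still decrypts it, and the one thing end-to-end encryption does not hide: the headers. Subject lines, sender and recipient remain readable to the provider and therefore to anyone the provider scans for.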

But as security researcher Kurt Baumgartner from Kaspersky Lab explains:

The company has demonstrated that it isn’t quick to implement best practices and available security technologies, such as the delay in encrypting IM communications, implementing https for its web properties and more. These types of breaches highlight why all companies need to be cybersecurity leaders, not followers.

Conclusion

Whoever hacked Yahoo!, state-sponsored or not, the facts are that the company did not inform all of its users in 2014, and did not inform all of its users again in 2016, leaving the safety of millions, then billions, of users in jeopardy.

The revelation that all 3 billion Yahoo! users had been unknowingly hacked by an alleged “state-sponsored actor” caused media outrage, two FBI investigations, and some 43 consumer class-action lawsuits against the company.

The revelation that all 3 billion Yahoo! users’ emails have also been unknowingly and systematically scanned by the FBI and NSA warrants a similar reaction.

Journalists keep citing experts in U.S. law who state that these secret mass surveillance programmes are unconstitutional, that is, against the law.

Yahoo!’s cooperation was not necessary: the company could have contested in court the request to create a custom software program to spy on its own customers. Instead, Yahoo! users were spied on not only in 2013 and 2014, but again in 2015.

In 2018, Yahoo! still state “Once you register with Yahoo and sign in to our services, you are no longer anonymous”.

The only way a big email service like Yahoo! Mail, Gmail or Apple Mail can protect your personal data and online privacy is end-to-end encryption as standard, so that the service itself holds only ciphertext it cannot read, scan or leak.

The only reason big companies do not want to do this is because they want to have access to your personal information.

The solution is simple. Choose a different narrative to the ongoing infiltration of your personal and private information.

Cybersecurity is available to everyone, and it starts with a simple-to-use end-to-end encrypted email account elsewhere, such as Tutanota or Protonmail.
