It wasn’t Yahoo that was hacked

I’ve been disappointed to see a lot of journalists get a recent story about security breaches and Yahoo Mail wrong. In particular, I worry that this kind of misleading reporting will contribute to worse security practices for both the companies that users trust with their data, and the users themselves.

First, here’s what happened: Yahoo reported on its Tumblr that it had detected “a coordinated effort”—basically, an attack—by somebody trying to gain access to user accounts. Yahoo deserves some credit here for reporting that information, and also for taking the good next steps of resetting passwords of affected users and “implement[ing] additional measures to block attacks.”

This is not an attack on Yahoo. It’s the predictable result of a leak of somebody else’s database. Let’s call the origin of that database Company X. Company X’s database contains both user email addresses and passwords to log into Company X’s site. But if Company X users had the same password to log in to both their email account and Company X’s site, it’s trivial to take the leaked information and try to log into email accounts with it.

That’s what it sounds like happened in this case. Yahoo detected somebody using this leaked database to try to get into many different user accounts and proactively changed passwords to mitigate the risk for people who reuse passwords.

But the press reported it instead as if Yahoo had screwed up. Slate’s barely-accurate headline is “Yahoo Email Usernames and Passwords Stolen in Cyberattack.” LA Times says Yahoo “fell victim” to an attack; Washington Post’s headline was “Yahoo mail hacked” and goes on to give Yahoo-specific security tips.

That’s where the real danger is: misunderstanding this kind of breach as the result of bad security by Yahoo, and not bad security by users. The right way to mitigate this problem is to never reuse passwords, and certainly never to reuse your email account password. Note that this entire attack fails completely if users’ Company X passwords are different from their Yahoo Mail passwords. The best way to use good and unique passwords is to use a password safe like KeePassX or LastPass and have that program generate a new one for each site.

This is good advice everywhere, but absolutely critical stop-reading-this-blog-post-and-do-it-now advice for email accounts. Email addresses are both uniquely vulnerable targets and valuable assets for attackers. A leaked database from some random site won’t include information about your credentials on other websites except your email. And compromising an email account can get an attacker master keys into other accounts. They can search for banking info, for example, and have your super-secret bank password reset with a “Forgot my password?” email reset option.

Given those heightened risks, you want your email provider to be especially vigilant. When they detect any kind of attack, you want them to take action. I worry that if the press reports this kind of sensible reaction as if it were a screw-up, it will discourage other companies from following suit.
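As an added illustration of the detect-and-reset sequence the post describes (a provider notices one source replaying a leaked list against many different accounts, then resets the accounts that source actually got into), here is example code that is not part of the original post and is not Yahoo’s tooling. The log line format, the thresholds, and the IP addresses are constructed for this example; the signal it keys on is the one the post implies: many distinct accounts from one source with mostly failures, which a legitimate user mistyping their own password never produces.

```python
"""Flag credential-stuffing sources in an auth log and list accounts to reset.

Example code added to this page; the log format and all values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line: '<ISO-8601 ts> <ip> <user> OK|FAIL'."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


def build_sample_log() -> List[str]:
    """Constructed sample log (not real data): one source, 203.0.113.7, tries
    25 distinct accounts and gets into 3 of them (users who reused their
    Company X password); a normal user on 198.51.100.5 mistypes once."""
    base = datetime(2014, 1, 30, 10, 0, 0)
    lines = []
    for i in range(25):
        user = f"user{i:02d}@example.com"
        result = "OK" if i in (3, 11, 19) else "FAIL"
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 {user} {result}")
    ts1 = (base + timedelta(minutes=1)).isoformat()
    ts2 = (base + timedelta(minutes=1, seconds=15)).isoformat()
    lines.append(f"{ts1} 198.51.100.5 alice@example.com FAIL")
    lines.append(f"{ts2} 198.51.100.5 alice@example.com OK")
    return lines


def detect_stuffing(events: Iterable[LoginEvent],
                    window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 20,
                    max_success_rate: float = 0.2) -> Dict[str, dict]:
    """Return {ip: stats} for sources that, inside any `window`, hit at least
    `min_accounts` distinct accounts with a success rate <= `max_success_rate`.
    Thresholds are illustrative; a real deployment tunes them to its traffic."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e.user for e in span}
            if len(accounts) < min_accounts:
                continue
            successes = sum(e.success for e in span)
            if successes / len(span) > max_success_rate:
                continue
            # Keep the widest qualifying window seen for this source.
            if ip not in flagged or len(accounts) > flagged[ip]["accounts"]:
                flagged[ip] = {"accounts": len(accounts),
                               "attempts": len(span),
                               "successes": successes}
    return flagged


def accounts_to_reset(events: Iterable[LoginEvent],
                      flagged_ips: Iterable[str]) -> Set[str]:
    """Accounts a flagged source actually logged into: their password is now
    known to be in the attacker's hands, so the provider resets it."""
    bad = set(flagged_ips)
    return {e.user for e in events if e.ip in bad and e.success}


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", sorted(accounts_to_reset(evs, hits)))
```

The legitimate user on 198.51.100.5 touches a single account and is never flagged, while the replaying source is flagged on the breadth of accounts rather than on raw failure volume, which is the distinction the post draws between a provider reacting sensibly and a provider being breached.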

Published by Parker Higgins

I'm the Director of Special Projects at the Freedom of the Press Foundation, and previously led copyright activism at the Electronic Frontier Foundation. I live and work in Brooklyn, New York.

Join the Conversation


  1. Refreshing to see an article that gets one crucial thing right: the ownership of information.
    My address, my birthday, my name is MY information. Even what device, OS or browser I use, what location I’m at and what language I use IS _MY_ DATA! When I tell it to someone or write it into an online form or when it is sucked from my gadget it STILL is MY information. The receiver of that information has to respect that!
    My friends got my address to get in contact with me and so does any company I tell it to. It is not their decision to pass that information on as long as I haven’t explicitly given my permission to do so!
    Information which is generated by two partners consequently has two owners, for example logfiles when accessing a website. The user gives their IP and maybe further data (e.g. browser ID), the site owner provides the timestamp and their data transmitted. Even here I expect the logged data to be kept confidential, as far as sharing it is not obviously within the intention of the respective partner.
