More bad news from Yahoo

We have more bad news from the Yahoo hack: Even without a account, you may be at risk.

Has the shock and awe of Yahoo’s 500 million user credential hack died down yet? Everyone breathing a bit easier? Passwords changed, dead accounts deleted?

For those of you chuckling and noting, “I never had a Yahoo Account,” or “Who uses Yahoo, anyway?” you may want to look into some of your accounts because you may have a Yahoo account and not even know it.

Wait, what?

You’ve probably heard of or use Google Apps for Work, tools including e-mail that some companies use to run their businesses. What you may not know, given Google’s ubiquitous presence, is that Yahoo offers a similar service (called Aabaco Small Business).

How many companies might that affect? Well, according to a recent blog post from Graham Cluley, more than 500,000 domains use Yahoo as their e-mail provider. Any of those domains could be part of the massive theft of data, which Yahoo stated was state sponsored.


According to Kurt Baumgartner, principal security researcher on Kaspersky Lab’s Global Research and Analysis Team (GReAT): “This situation reminds us of Google’s Aurora APT incident in 2009, announced in 2010. When we compare these two breaches, it is incredible that it’s 2016 and users are being notified years after a major breach, and only after another organization made the issue public. These types of breaches highlight why all companies need to be cybersecurity leaders, implementing industry best practices and available security technologies.”

So: What can you do?

The data breach happened in 2014, and we are learning the extent of it only now. Criminals have had some time to pore over this data. Key priorities now are to change passwords and use Have I Been Pwned? to check your current e-mail addresses as well ones that you may no longer use or that were from past employers. Then, even if the accounts haven’t been breached, it’s a good idea to delete accounts you no longer use. As we’ve seen with cases such as Myspace’s data breach, criminals care about data and login credentials — it doesn’t matter if you are actively using the site; they know we humans are lazy and reuse passwords.

Baumgartner also offers some words of caution to those caught up in the breach: “Do not fall for the social engineering schemes that will follow this incident. Everyone should be aware that any breach notice that Yahoo! emails out will go only to their email service users, and it will not provide links to click on or include any attachments, and it will not ask for personal information.”

 This is unlikely to be the final chapter of the Yahoo saga. Please stay tuned here and to Threatpost; we will surely have coverage of this moving forward.