Proton Mail security advisory regarding Yahoo Hack

Share this page

Confirming what was long suspected by the security community(new window), Yahoo has confirmed a massive breach(new window) of over 500 million email accounts, including both credentials and security questions.

October 4, 2017 Update: Yahoo now confirms that the hack impacts 3 billion accounts(new window), and not the 1 billion or 500 million that was previously reported.

Email’s changing threat model

In the past couple years, the increasing number of high profile email hacks(new window) have clearly demonstrated that the threat model for email has changed dramatically. While previously there was a reasonable expectation of security and privacy with email communications, now it is becoming fairly evident that most email systems are simply not capable of protecting user data. However, email is still an essential part of our lives, an integral part of our digital identity.

At Proton Mail, we are addressing this problem by taking a completely different approach to email security compared to every other major email provider. We have a different threat model, where our starting assumption is that a security breach is inevitable, and we have designed our entire architecture around that premise. This is because in our view, the existing paradigm of cyberdefense, which is “keep the bad guys out,” is a failed approach.

There are a multitude of methods through which server security can be breached, and an attacker only needs to exploit a single vulnerability once, while a service provider on the other hand must constantly mount a successful defense against all attack vectors. In short, cybersecurity is a form of asymmetric warfare which decisively favors the attackers, and as we have seen time and time again, even sophisticated tech companies with competent security teams such as Linkedin(new window) and Yahoo have been breached. Thus, it is safe to assume that all services will eventually be breached. By definition, it simply isn’t possible to have 100% security.

This is the reason Proton Mail was designed from the ground up with end-to-end encryption. If the working assumption is that servers storing data will eventually be breached, the next best option is to not have data in the first place. By encrypting customer emails on the client side before they reach Proton Mail servers, Proton Mail does not have the ability to decrypt any of the emails stored on our systems. Thus, in the event of a compromise, it is not possible for attackers to steal something that we don’t have, that is, the mailbox password and contents of your messages.

We believe that in the current rapidly deteriorating cyber environment, with the rise of more numerous and capable state-backed actors(new window), end-to-end encryption is the only viable approach to data security. While we are confident in the approach we have taken, Proton Mail does not exist in a bubble, and in today’s interconnected world, the Yahoo breach does have significant consequences for a proportion of Proton Mail users.

What to do if you are an Yahoo user

If you have ever had an Yahoo account in the past, there are three steps that you should take immediately.

1. Change your password and security questions

It is prudent to assume that ALL Yahoo passwords are now compromised, especially since some Yahoo passwords were stored with the insecure MD5 hash. Furthermore, we know that the Yahoo breach also leaked security questions and answers. This means if you used the same passwords and security questions from your Yahoo account on other accounts, you should immediately change those passwords and security questions. We recommend never using the same password between services.

2. Unlink your other online accounts from Yahoo

Finally, because Yahoo is a major email provider, if you have signed up for any other service using your Yahoo account, your accounts at those other services may also be compromised. This is because the email address used to register for a service can usually also be used to recover a forgotten password. This means an attacker who has access to your Yahoo account also has access to all your other accounts which were registered using your Yahoo account.

Because Yahoo is most likely fully compromised, you should unlink all of your other online accounts from Yahoo. For example, if you signed up for Facebook using Yahoo, you should change the email address in your Facebook account to a different email address.

If you are Proton Mail user, be aware that we allow account recovery via email. If your recovery address is from Yahoo, then this means a compromise of your Yahoo address could also lead to a compromise of your Proton Mail account! We recommend changing your recovery email address to a non-Yahoo address, or removing the recovery address entirely.

Note, even if your Yahoo account is compromised, and was used to reset your Proton Mail login password, your Proton Mail messages are still protected. This is because Proton Mail uses end-to-end encryption, which means resetting your password is not sufficient to gain access to your already encrypted messages.

3. Delete your Yahoo account

Given Yahoo’s abysmal track record when it comes to security, and the fact that Yahoo has previously willingly abetted and assisted government mass surveillance efforts(new window), Yahoo is not a company that should be trusted with your personal data and communications.

To protect yourself from identity theft, the disclosure of sensitive personal communications, and other threats, you can simply remove this vulnerability by deleting your Yahoo account. This is something that we strongly recommend doing, especially since there exists other more secure Yahoo Mail alternatives such as Proton Mail which are also available for free.

With these steps, you can protect your private email communications and your entire digital life from suffering any ill effects as a result of the Yahoo hack. If you are a business owner, we also recommend checking out our guide on how to prevent email hacking(new window).

You can get a free secure email account from Proton Mail here(new window).

We also now provide a free VPN service(new window).

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support!

Protect your privacy with Proton
Create a free account

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

No email service is completely anonymous. Learn how to send an email as anonymously as possible using private email, aliases, and a VPN or Tor. Do you need to send an email without revealing who you are? Unfortunately, you can’t just sign up for a f
Today, we’re introducing Proton Family, our all-in-one plan to protect your family’s privacy.  When you’re a parent, you do everything you can to prepare for the unexpected and keep your family safe. But extending this protection online is difficult
Starting last year, Google began to increase the number of ads displayed in Gmail. It started with more ads in the Promotions tab on mobile. And now it has grown to include advertising messages between regular emails on Gmail’s desktop site. Gmail u
Fraudsters have many ways to steal your identity and money, but there are simple steps you can take to protect yourself. Given how much valuable personal data we store online, scammers have a strong incentive to try to steal it. With just a few pers
Almost everything on the internet is encrypted these days. And yet data breaches still frequently spill sensitive files into the hands of hackers, and identity theft is a multi-billion-dollar industry. Why? This article explains what’s broken about
The biggest tech companies in the world are quietly lobbying the governments of 14 countries to grant them legal protection from any regulatory oversight. Few people are aware of Big Tech’s plans, shrouded in the secrecy of trade negotiations for th