Using Yahoo Email? Should You Notify Customers that Your Email is Breached?

Everyone listening to the news should know by now that Yahoo’s email service has been hacked.   CBSNews story: {Yahoo Confirms Massive hack of 500 million accounts, blames “state actor”}

In Yahoo’s terms of services section DISCLAIMER OF WARRANTIES:

19. b.

YAHOO AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS MAKE NO WARRANTY THAT (i) THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR REQUIREMENTS; (ii) THE YAHOO SERVICES OR SOFTWARE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE; (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE YAHOO SERVICES OR SOFTWARE WILL BE ACCURATE OR RELIABLE; (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR EXPECTATIONS; AND (v) ANY ERRORS IN THE SOFTWARE WILL BE CORRECTED.

 

I’m no legal analyst, but this disclaimer of warranty is not promising they will keep your stuff secure. when it says so in their disclaimer of warranty!!!

 

Are you using Yahoo mail as a business email account? Since Yahoo Mail was hacked and your account likely was one of them, you have to think about this as if a hacker has your account information:

The hacker could look at your email – what can they figure out from your email flow?

Do you use of your Yahoo email account as primary account on logging into other services?

Where do you log in with your yahoo account information (it is the primary email)  wherever that is could cause problems for you.

 

Unfortunately Yahoo is also the email service for many Phone, Cable and Internet service companies, and that means your home email account is now compromised.  For example this story in The Telegraph mentions 8 million accounts now affected in the UK.

 

A hacker could log into your Yahoo account and notice emails which create other hacks.

 

 

So if you re using Yahoo email think about all the places it is being used as a login account name and consider what happens when the hacker has that as well.

 

How are your risk management assessments when the hackers have usernames and passwords in your network?   In fact risk assessment should be changed with that in mind? Does your IT security keep that scenaio in mind?

Should you be looking in your network for data to be retrieved by accounts looking like normal traffic?  Are you reviewing standard traffic for exfiltration of company data?

Now that you know your email has been hacked when do you notify customers? If it was me, I would notify them that my Yahoo account is potentially hacked and will be moving to another company ASAP.

 

Being a little paranoid is not a bad thing in Cybersecurity.

 

Contact Us to discuss the changing liabilities in your Cybersecurity risk management framework with this Yahoo hack or any potential liabilities that you may not have thought of yet.