Don’t have a Yahoo email address and think you’re safe from the hack?

You could have a Yahoo account without even knowing it.

Graham Cluley


As we should all know by now, Yahoo announced at the end of last week that it had been massively hacked – exposing details of half a billion accounts.

And, as I have mentioned in subsequent articles, some users of other email services (Sky, BT, etc…) could also be at risk because those companies chose to get Yahoo to handle their webmail service.



Well, it gets worse because – as the Bitcrack Computer Security blog points out – it turns out it’s not as simple as just checking whether you have a Yahoo, BT Yahoo Mail or Sky email address…

Similar to how Google allows you to host your domain with Google Apps, Yahoo! allows you to host your domain and thus email and other services with them. What this means of course, is that the login account Yahoo! kept in its database for your “custom” domain was also stolen in the leak.

My research shows that at least 572,162 domains are using Yahoo! as their email provider, and thus Yahoo!’s web-based account services and portals.

The Yahoo hack is believed to date from late 2014, and was only made public in the last few days. Which means that the hackers have had plenty of time to exploit the information they snaffled up: users’ names, email addresses, dates of birth, hashed passwords, and security questions and answers.

But here’s the kicker. It’s not just if you have a,, or Sky email address. There are half a million domains set up to use Yahoo’s mail services – potentially exposing a frightening number of businesses and organisations around the world.

Bitcrack has created an online tool which will help you quickly verify if your domain is using Yahoo for its mail services.

If you have an email account at one of those 572,162 domains you may wish to follow the advice I previously gave to Yahoo users – because I’m afraid it seems it’s relevant to you too.
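An added example, not Bitcrack's tool and not code from this article: one way to run the same kind of check across your own domain inventory, assuming it is done by looking at each domain's MX records. The Yahoo DNS suffixes, the `.example` domains and the sample MX answers are assumptions constructed for illustration; feed it the real output of `dig +short MX yourdomain` instead.

```python
# Added example: classify domains by whether their MX records point at Yahoo.
# Input text is in the format printed by `dig +short MX <domain>`.

# Assumption: DNS suffixes under which Yahoo publishes its mail exchangers.
YAHOO_MX_SUFFIXES = ("yahoodns.net", "yahoo.com")


def parse_mx(dig_output):
    """Return [(preference, host)] sorted by preference."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # not an MX answer line
        host = parts[1].rstrip(".").lower()
        if host:  # a bare "." is a null MX: the domain accepts no mail
            records.append((int(parts[0]), host))
    return sorted(records)


def is_yahoo_host(host, suffixes=YAHOO_MX_SUFFIXES):
    """Match on a label boundary so 'notyahoodns.net' is not a hit."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(dig_output):
    """Return 'yahoo', 'mixed', 'other' or 'no-mx' for one domain."""
    hosts = [h for _, h in parse_mx(dig_output)]
    if not hosts:
        return "no-mx"
    hits = [is_yahoo_host(h) for h in hosts]
    if all(hits):
        return "yahoo"
    return "mixed" if any(hits) else "other"


# Constructed MX answers for placeholder domains (not real lookups).
SAMPLES = {
    "hosted.example": "20 mx2.sample.yahoodns.net.\n10 mx1.sample.yahoodns.net.\n",
    "lookalike.example": "10 mail.notyahoodns.net.\n",
    "migrating.example": "5 mx.newhost.example.\n10 MX1.Sample.YahooDNS.net.\n",
    "nomail.example": "0 .\n",
}

if __name__ == "__main__":
    for domain, answer in SAMPLES.items():
        print(f"{domain:20} {classify(answer)}")
```

The result describes current DNS only: a domain that moved its mail away from Yahoo after late 2014 may still have had accounts there at the time of the breach.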

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “Don’t have a Yahoo email address and think you’re safe from the hack?”

  1. petal

    the bitcrack tool identifies that uses Yahoo! but not that uses Yahoo!

  2. David L

    Well, that's just great! I had not thought about collateral damage, but, if accounts get exposed, and/or hacked, then contacts lists could be collected and sold for Spam lists. That there are multitudes of other vulns with this, explains why lawsuits are flying already, as well as a government inquiry. And isn't the head of Facebook security the former head of Yahoo's???
    Wonder if he will be named in the lawsuits, and called to testify in many venues.
