As we should all know by now, Yahoo announced at the end of last week that it had been massively hacked – exposing details of half a billion accounts.
And, as I have mentioned in subsequent articles, some users of other email services (Sky, BT, etc…) could also be at risk because those companies chose to get Yahoo to handle their webmail service.
Yuck.
Well, it gets worse because – as the Bitcrack Computer Security blog points out – it turns out it’s not as simple as just checking whether you have a Yahoo, BT Yahoo Mail or Sky email address…
Similar to how Google allows you to host your domain with Google Apps, Yahoo! allows you to host your domain and thus email and other services with them. What this means of course, is that the login account Yahoo! kept in its database for your “custom” domain was also stolen in the leak.
…
My research shows that at least 572,162 domains are using Yahoo! as their email provider, and thus Yahoo!’s web-based account services and portals.
The Yahoo hack is believed to date from late 2014, and was only made public in the last few days. Which means that the hackers have had plenty of time to exploit the information they snaffled up: users’ names, email addresses, dates of birth, hashed passwords, and security questions and answers.
But here’s the kicker. It’s not just if you have a yahoo.com, yahoo.co.uk, or Sky email address. There are half a million domains set up to use Yahoo’s mail services – potentially exposing a frightening number of businesses and organisations around the world.
Bitcrack has created an online tool which will help you quickly verify if your domain is using Yahoo for its mail services.
If you have an email account at one of those 572,162 domains you may wish to follow the advice I previously gave to Yahoo users – because I’m afraid it seems it’s relevant to you too.
the bitcrack tool identifies that sky.com uses Yahoo! but not that btinternet.com uses Yahoo!
Well, that's just great! I had not thought about collateral damage, but, if accounts get exposed, and or hacked, then contacts lists could be collected and sold for Spam lists. That there are multitudes of other vulns with this, explains why lawsuits are flying already, as well as a government inquiry. And isn't the head of facebook security the former head of Yahoo's???
Wonder if he will be named in the lawsuits, and called to testify in many venues.