Yahoo has really been in the firing line in the past few weeks.
First came the news that the company had confirmed a data breach of half a billion (5 × 10⁸) records.
The age of the breach was as worrying as its size: the data was stolen back in 2014, but Yahoo only reported it recently.
The late publication of the report was not, apparently, out of any attempt to cover it up or to delay the news deliberately, but because the company only figured out something had gone wrong in August 2016.
That news was followed by claims that Marissa Mayer, Yahoo’s CEO, had previously put the kibosh on a policy requiring passwords to be reset in the event of a breach, apparently because password resets, no matter how desirable they might be in an emergency, are annoying to users.
(Mayer, you may remember, famously welcomed Apple’s iPhone fingerprint scanner by admitting that she didn’t lock her phone because she “can’t do this passcode thing, like, 15 times a day.”)
Although a mandatory password reset policy doesn’t prevent breaches (it’s a response to one, not a defence against one), it didn’t reflect very well on Yahoo’s security attitude to hear that the company had apparently decided to put ongoing user convenience ahead of security, even after a catastrophe.
Next came allegations that Yahoo may have searched its email database for an unknown set of keywords at the official request of US authorities.
Actually, as we wrote at the time, the “official request” was more of a “classified demand,” which is not at all the same thing.
Nevertheless, Yahoo’s competitors wasted no time stating not only that they’d never received such a demand, but also that they’d have fought it publicly if ever they had received one.
The latest bad news for Yahoo surrounds the fact that its mail forwarding service has recently been suspended, at least for anyone who isn’t already using it.
Mail forwarding is pretty much what it says: email received by one server is automatically redirected to another, just as you might forward your PO Box in one town to a new box in another town if you moved house.
One popular use for mail forwarding is as a temporary measure to help you migrate from one email service to another, so that you don’t have to keep logging on to two different websites until you’ve told everyone your new email address.
In short, forwarding mail from service X to service Y often means that X pays, but Y benefits.
That’s led to suggestions that Yahoo has done this deliberately as a sort of “lock-in”, in the hope of discouraging users from leaving the service following the recent negative news stories.
We’ll give Yahoo the benefit of the doubt and assume that security is the cause.
Mail forwarding is a risky feature, because a crook who manages to turn it on unlawfully can effectively take over your account in a way that is far less obvious than changing your password: you can still log in and everything looks normal, while a copy of every incoming message goes to him.
Also, once a crook has set up forwarding, he can go on reading your email without ever logging back into your account, whether or not he also changes your password to keep you out.
This means he leaves a sparser (or at least a more convoluted) audit trail if anyone ever decides to investigate: there are no suspicious logins to find, just a single configuration change.
So, we’re prepared to assume that Yahoo’s new mail forwarding system has been temporarily suspended out of what the marketing folks like to call “an abundance of caution,” while the company conducts a security review on it.
We’re assuming this isn’t a commercial trick aimed at discouraging dissatisfied passengers from getting off the train at the next station.
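The “quiet takeover” described above is easy to hunt for if you can export mailbox settings. Here is an added example (not Yahoo’s code, and not from the article) of the two checks a defender would run over such an export: is the forward leaving the organisation, and was it configured close to a password change? The record layout, field names, timestamps and addresses are all constructed for illustration.

```python
"""Audit mailbox forwarding settings for signs of account takeover.

Added example (not Yahoo's code): the mailbox records and field names below
are constructed for illustration, and the export format is an assumption.
"""
from datetime import datetime, timedelta

# Domains whose mailboxes we control; a forward anywhere else is "external".
TRUSTED_DOMAINS = {"example.com"}

# How close a forwarding change may sit to a password change before we treat
# the pair as one account-takeover event rather than two unrelated actions.
CORRELATION_WINDOW = timedelta(hours=1)
CLOSE_TO_PASSWORD_CHANGE = "set close to a password change"
EXTERNAL_DESTINATION = "external destination"

# Constructed sample export (not real data): one record per mailbox.
# Timestamps are ISO 8601; forward_to None means "no forward configured".
MAILBOXES = [
    {"user": "alice@example.com", "forward_to": None,
     "forward_set_at": None, "password_changed_at": "2016-09-22T10:00:00"},
    {"user": "bob@example.com", "forward_to": "bob.shared@example.com",
     "forward_set_at": "2016-05-03T14:20:00", "password_changed_at": "2016-09-01T09:00:00"},
    {"user": "carol@example.com", "forward_to": "c4r0l.backup@mail.example.net",
     "forward_set_at": "2016-10-10T03:14:00", "password_changed_at": "2016-10-10T03:02:00"},
    {"user": "dave@example.com", "forward_to": "dave@partner.example.org",
     "forward_set_at": "2016-06-01T09:00:00", "password_changed_at": "2016-09-01T09:00:00"},
]


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding(mailboxes, trusted_domains=TRUSTED_DOMAINS,
                     window=CORRELATION_WINDOW):
    """Return one finding per mailbox whose forwarding looks suspicious.

    Two independent checks, both cheap to run over a full export:
      1. the forward points outside the trusted domains, so copies of mail
         leave our control whatever happens to the password later;
      2. the forward was (re)configured within `window` of a password
         change, the classic pattern of a crook setting up persistence
         right after (or right before) locking the real owner out.
    """
    findings = []
    for box in mailboxes:
        target = box.get("forward_to")
        if not target:
            continue  # nothing forwarded, nothing to flag
        reasons = []
        if _domain(target) not in trusted_domains:
            reasons.append(EXTERNAL_DESTINATION)
        set_at = box.get("forward_set_at")
        changed_at = box.get("password_changed_at")
        if set_at and changed_at:
            gap = abs(datetime.fromisoformat(set_at) - datetime.fromisoformat(changed_at))
            if gap <= window:
                reasons.append(CLOSE_TO_PASSWORD_CHANGE)
        if reasons:
            findings.append({"user": box["user"], "forward_to": target,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(MAILBOXES):
        print(f["user"], "->", f["forward_to"], ";", ", ".join(f["reasons"]))
```

Run against the sample data, bob’s internal forward is ignored, dave’s long-standing external forward is reported for review, and carol’s mailbox (external forward set twelve minutes after a password change at 3am) trips both checks, which is the case an incident responder would look at first.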
What do you think?
Has Yahoo done this to improve security or to control commercial damage?
Frank Leonhardt
Hi Paul. I run a few mail servers, mostly for friends, and I’ve had to do exactly the same thing. It’s not a lock-in attempt – it’s caused by various idiot freemail providers and their panicked response to the fact that people and spammers make extensive use of their freebie service (who’d have seen that one coming?).
Frank Leonhardt
Hmm. This was originally linked to a blog article giving a practical example of the current problem here. Google “frank btinternet forwarding” or suchlike and you’ll find it. My comment doesn’t make much sense alone.
Blake
Mail forwarding is actually one of the bigger challenges that an email service provider faces. Essentially, mail being forwarded from a yahoo to a gmail account is seen as spoofed (e.g. from gmail’s perspective messages come from a random, non-yahoo sender address but are sourced from a yahoo server that doesn’t match the sender’s actual email server).
When the feature is used appropriately, forwarded email messages are difficult for the final recipient provider to scan (for spam filtering), difficult to report (to abuse contacts), and negatively affect the forwarding provider’s reputation. When used maliciously, forwarding can be a great way to fool spam filters, piggybacking on the good reputation of an email service provider’s servers.
A better solution than forwarding email is to use an IMAP or POP3 fetch on the user end (user has multiple mailboxes set up in his/her client) or at the final recipient’s email service provider. Most service providers support a fetch function and it avoids most of the pitfalls involved with an SMTP based forwarding approach.
James
What you describe in your first paragraph is a fundamental flaw in SPF (sender policy framework), not so much a problem with SMTP. It’s one of the reasons I take any information based on SPF with a bag of salt on the mail servers I manage. Make no mistake; SPF breaks mail forwarding and redirection.
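The mechanism Blake and James are arguing about can be shown end to end. The following is an added example, not code from the article or from either commenter: a deliberately simplified SPF evaluator (only the ip4 and all mechanisms of RFC 7208, no include/a/mx) run against constructed records and RFC 5737 documentation addresses. It checks the same message three times: delivered directly, relayed by a forwarder with the original envelope sender intact (what plain SMTP forwarding does), and relayed with the envelope sender rewritten to a forwarder-owned address in the style of the Sender Rewriting Scheme. The domains, IPs, secret and the simplified SRS0 format are all assumptions for the example.

```python
"""Why plain SMTP forwarding fails SPF, and why rewriting the envelope sender fixes it.

Added example, not code from the article or its commenters. SPF records and
IP addresses are constructed (RFC 5737 documentation ranges); the evaluator
handles only the ip4 and all mechanisms, which is enough to show the effect.
"""
import hashlib
import hmac
import ipaddress

# Constructed "DNS": SPF TXT records keyed by domain (assumption for the example).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",         # the original sender's domain
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the forwarding provider
}

SENDER_MTA = "203.0.113.10"     # example.org's outbound server
FORWARDER_MTA = "198.51.100.5"  # forwarder.example's outbound server

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_from, client_ip, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP.

    Simplified from RFC 7208: only ip4 and all are supported; include, a, mx
    and other mechanisms are skipped, which is fine for the constructed records.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def forward(message, forwarder_domain, final_rcpt, rewrite=False, secret=b"forwarder-secret"):
    """Relay a message the way a forwarding MTA does.

    Plain forwarding keeps the original envelope sender (Return-Path), so the
    final receiver sees example.org mail arriving from a forwarder.example IP.
    With rewrite=True the envelope sender becomes a forwarder-owned address
    that encodes the original, in the style of SRS; the format here is a
    simplified illustration, not a conforming SRS0 address.
    """
    out = dict(message, client_ip=FORWARDER_MTA, rcpt_to=final_rcpt)
    if rewrite:
        local, domain = message["envelope_from"].rsplit("@", 1)
        tag = hmac.new(secret, f"{domain}={local}".encode(), hashlib.sha256).hexdigest()[:4]
        out["envelope_from"] = f"SRS0={tag}={domain}={local}@{forwarder_domain}"
    return out


# Constructed message as it leaves example.org, addressed to a mailbox on the forwarder
ORIGINAL = {"envelope_from": "alice@example.org", "header_from": "alice@example.org",
            "rcpt_to": "bob@forwarder.example", "client_ip": SENDER_MTA}
FINAL_MAILBOX = "bob@final.example"  # where bob's forwarder sends everything


def demo():
    """Return the SPF result the final receiver computes in each delivery scenario."""
    plain = forward(ORIGINAL, "forwarder.example", FINAL_MAILBOX)
    rewritten = forward(ORIGINAL, "forwarder.example", FINAL_MAILBOX, rewrite=True)
    return {
        "direct": check_spf(ORIGINAL["envelope_from"], ORIGINAL["client_ip"]),
        "forwarded": check_spf(plain["envelope_from"], plain["client_ip"]),
        "rewritten": check_spf(rewritten["envelope_from"], rewritten["client_ip"]),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:10s} SPF {result}")
```

Direct delivery passes, the plainly forwarded copy fails hard on example.org’s -all, and the rewritten copy passes because the forwarder is now vouching for mail from its own domain. That is the whole of James’s point in three results, and it also shows why Blake’s alternative works: an IMAP or POP3 fetch never relays the message over SMTP, so there is no second hop for SPF to judge.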
Mahhn
I agree that it is to do damage control, giving people a chance to reclaim their accounts that may have been hijacked. Especially since forwarding configured in the past is still functional.
Marvin
Yahoo has gone the way of Java and Flash for me – too much trouble and risk for too little unique reward
Peter
After forwarding a couple of NS articles I finally convinced my wife to leave Yahoo
Frank
It is being done for commercial reasons. Yahoo is trying to imprison its users to help maintain value in the company. In today’s Wall Street Journal, the CEO of Verizon basically said they are going to take another look at the price they are paying for Yahoo. At this point, it’s all about the money.
Jim
I’m amazed that a company (Yahoo) has so quickly burned through what I thought was unassailable: they have surpassed Adobe in terms of security incompetence. A year ago I would have said that just couldn’t happen. Little did I realize that it already had.
Wihan Herbst (@wihanherbst)
Doesn’t NIST now recommend to not force users to change passwords unless there is a reason?
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
I mean this is clearly a reason, but from the article it looks like you are saying that the CEO did something wrong for putting the password expiry policy on ice?
might have misread.
Paul Ducklin
As far as I can see, what was put on ice was not a generic password expiry policy (e.g. a forced change every three months) but a specific policy about expiring passwords for reasons NIST would approve of (e.g. after a breach).
In other words, even if Yahoo were to have a breach, as indeed it did, it seems the company figured that a forced password reset would not be used for fear of inconveniencing users. (Presumably the breach would be inconvenience enough on its own.)
Blue Static
I started forwarding my email to a Gmail account as soon as I found out about the Yahoo stuff. It worked for a day or so then quit. Yahoo’s statement that it only affected new forwarding requests is a flat-out lie. They may as well call it HillaryMail.
tomhawack@objectmail.com
Yahoo’s behavior regarding email forwarding blockage illustrates how certain companies (just like certain individuals) understand the “fair play” idea: valuable as long as you’re not affected. It’s the same topology as with Microsoft: push and push when convincing doesn’t do it (anymore). It’s when we’re in trouble that we show our real faces. What could have been interpreted as a conjectural mistake by Yahoo (zealous compliance with illegitimate government requests) appears to be a structural dimension of the company’s policy.
M L Katzen
Anyone know how to contact a real person at Yahoo Customer Service? The “Help” links at Yahoo are of no use at all.
Claire Robinson
I pay for btyahoo so it’s not a free service, and there are huge problems with yahoo forwarding. Even on forwarding already set up, i.e. one btyahoo email address to another btyahoo email address, not all mail is being forwarded. Even worse, some emails are being rejected – they don’t bounce back to the sender or show up in spam. You only find the problem when people contact you to ask why you are not replying. The customer service team are useless; it invariably ends in “will have to refer to the level 2 team who will call you” – Do they ever call? NO!
moni lewis
totally useless company. Time to get another email account with reliable service.
Forwarding has NEVER worked in the last 5 years. I am fed up.