
Spark: throw Yahoo mail overboard now

Yahoo can’t do anything right with email. It can’t do anything right by its customers.

The web company’s Yahoo Mail has also been a nightmare for partners like Spark NZ.

The sooner Yahoo wraps up and stops trading the better for everyone.

If you haven’t already severed your ties with Yahoo, stop reading this, go to the site and close your account now.

Divorcing Yahoo may be tricky. If you have an old Spark Xtra email account, the page where you close your Yahoo account asks you to ring a Spark support hotline. Do it anyway.

If you had a Yahoo account in the past, go and check it is dead. You don’t want it to come back from beyond the grave and haunt you.

Yahoo mail hacked… again

Last month Yahoo told the world that criminals had stolen data on 500 million users. The stash includes mail addresses and telephone numbers. There are dates of birth, encrypted passwords and security questions.

That’s bad, but to compound matters Yahoo failed to act in good faith. It only told customers their data was stolen after the press had the story.

If that wasn’t enough, details emerged today that Yahoo is scanning hundreds of millions of mail messages on behalf of US intelligence or law enforcement agencies.

Untrustworthy

Both the hack and the capitulation to US government snoops are massive breaches of trust. They are not the only problems with Yahoo mail, but they dwarf everything else.

While the crooks didn’t get credit card data in the attack, they had access to enough information to link users to bank accounts. The crooks could read mail messages. That way they could learn sensitive personal data about Yahoo users. It includes the kind of information that can hurt people and the kind of information that can cost money.

Two years

It took Yahoo two years to tell its customers about the attack.

When thieves get hold of personal data, people need to move fast to protect themselves, their online identities and their secrets. For two years Yahoo left its customers vulnerable.

Yahoo is not the only company to take years to report a serious security breach. LinkedIn didn’t disclose a major data theft for four years. It took MySpace (kids, ask your parents about that name) three years to go public after a similar event.

It is possible these companies were not aware of the breaches. Or perhaps they were not aware how serious the data thefts were before they were public. After all, the average time it takes for an attacked company to know its online security defences have been compromised runs to around six months.

But Yahoo didn’t admit to anything until the story was already in the media.

Immoral if not illegal

Yahoo scanning users’ mail messages on behalf of the US government was almost certainly illegal. It’s one thing to snoop on US citizens, but to let US spooks poke their noses into innocent non-citizens’ business is playing with fire.

It’s unpleasant, outrageous and immoral. But there’s something far worse at stake here. If US government snoops have a backdoor into the Yahoo mail system, there’s a good chance other state intelligence services — unfriendly ones — also have access. And that means criminal gangs have access too.

The big question is this: if the US government leant on Yahoo to give it customer mail, has it done the same with other mail providers? Are American spooks peering through your Facebook, Gmail, Microsoft Outlook.com mail or Apple Mail while you are reading this?

And does that bother you?