by Dave Moore, CISSP
04/17/2022
Wow, if there has ever been a story of Internet company craziness, the story of Yahoo! has to be in the top 10. Hacking, breaches, excuses, investigations, fines and CEO golden parachutes have shown Yahoo! to be one of the Internet’s biggest scams.
Wait a minute. What? Did I really say, “Scam?” Why, how dare I say such a thing! What the heck am I talking about? Please, allow me to elaborate.
Ah, Yahoo!. The only Internet company that has ever had a punctuation mark as part of its official name. Started in the 1990s, and named “Jerry and David’s Guide to the World Wide Web,” the venture was renamed Yahoo in 1994.
The ups and downs of Yahoo seem the same as Oklahoma weather: calm one minute, insane the next. Stock prices peaking at $188.75, and then diving to $8.11. An Internet titan one day, the next, laying off 2,000 employees. Rejecting a $44.6 billion buyout from Microsoft in 2008, and then being sold for $4.48 billion to Verizon in 2017. A darling to millions of unsuspecting Internet users, and then, the target of harsh government investigations.
What happened? How failed the promise of the jangly Yahoo logo, and the cheery one-word Yahoo jingle, that of the twangy yodeling cowboy voice encouraging us to join the herd and, “Yahoo-oo-ooo?”
Lousy security. Horrible safety precautions. Preying on the ignorance and exploiting the trust of Internet users, when they should and could have been safety champions. A company culture oriented towards security negligence. Rewarding ousted (oh, sorry, “retired”) incompetent former CEOs when they should have landed in jail.
The Yahoo history is not pretty. 2010: research by antivirus company Avast tags Yahoo as the number one deliverer of dangerous ads. 2012: Internet crooks steal usernames and passwords for over 450,000 Yahoo accounts. 2013: Yahoo allows phony virus-infected ads masquerading as Google’s Chrome browser to harm Yahoo customers. January 2014: Yahoo fails after allowing dangerous infected “malvertising” ads on its website, placing Yahoo users in harm’s way. August 2014: same story. August 2015: same story, Yahoo allows dangerous infected ads to prey upon its users.
But, wait: there’s more.
2016: Yahoo admits over 500 million Yahoo accounts were stolen in 2014, complete with names, addresses, passwords, etc. That’s right: 500 million Yahoo users had their account information stolen in 2014, but Yahoo didn’t report it until 2016.
October 2017: Yahoo stuns the Internet world by admitting that, no, it wasn’t just 500 million accounts that were hacked in 2013 and 2014, it was all of them. All three billion. All of the accounts. All 3 billion Yahoo accounts were hacked.
Because of Yahoo’s shockingly bad security, all three billion Yahoo accounts were stolen by Internet criminals, and are actively being used to steal massive amounts of money from Yahoo users. That means your Yahoo email address, your Yahoo email password, and any other information you have ever given to Yahoo, is now in the hands of Internet crooks. That will continue years into the future.
Do you have a Yahoo account? Think about it very carefully. Have you ever used the same password for Yahoo email and also for any other Internet account, like shopping or banking?
After a class action lawsuit against Yahoo seeking damages for the devastating hack of three billion email accounts, Yahoo was fined $50 million. People with damages can seek compensation. Even so, after so many people had been hurt, Yahoo CEO Marissa Mayer was fired (oh, sorry, she “resigned”) and got a $20 million payoff (oh, sorry, “severance package”). For most of the hapless Yahoo users victimized by Mayer’s negligent oversight, their “severance package” equals zero. Meanwhile, in September 2018, Altaba settled three lawsuits relating to Yahoo’s data breaches for $47 million.
It appears there will be an entity named Yahoo providing email services and news for the foreseeable future, but it’s not much to yell, “Ya-hooo” about. That’s my story of the Yahoo scam. Time to ditch Yahoo for good. How the mighty are fallen.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org