Yahoo's email hacking explanation raises questions

20:24, Feb 03 2014

United States' media have, by and large, taken at face value a statement that was issued by Yahoo on Friday, explaining how some of its customers' email may have been hacked.

But I am struggling with the account given by Yahoo's senior vice president Jay Rossiter.

Although it was reported around the world as "new news", the attacks Rossiter referred to appear to be the same ones that Telecom and Yahoo first reported on January 24, when the companies issued a joint statement saying some Xtra accounts had been compromised (Telecom outsourced its Xtra email service to Yahoo in 2007).

Telecom said that some non-Xtra Yahoo accounts had also been compromised.

Every day last week I asked Yahoo's corporate headquarters to provide more information about the cause, scale and implications of the attack.

Then came Rossiter's statement on Friday, which said hackers "appeared" to have obtained Yahoo customers' usernames and passwords from a "third party database".


Many online services store people's email addresses, for example to help them recover forgotten passwords. If people had used the same usernames and passwords for the third-party site as they used to access Yahoo, then stealing those credentials along with their email address would be enough to give hackers access to their email accounts.

If that explanation is the whole story, then it would be somewhat reassuring. It would mean Yahoo itself does not necessarily have any security weakness. Yahoo email users could have avoided this and any future attacks simply by ensuring they did not use the same usernames and passwords for their email accounts as they did when accessing other online services, which is a good idea anyway.

The problem is Rossiter's theory does not seem that convincing. What third-party database was hacked? It must have been a big one to explain the scale of attacks Xtra has seen, so why haven't we heard about the attack on the primary target?

And why don't hackers seem to have been able to use the same information they gathered from the third party to compromise other email services such as Google's Gmail? Why pick on Yahoo? Why, also, does Yahoo say only that it "appeared" as though a third-party database had been hacked? Surely if that had been the source of the problem, it would be easy to verify.

I asked Yahoo on Friday what evidence it had to support Rossiter's theory. Its response: "Because the investigation is ongoing and we are working closely with federal law enforcement, we are not able to share any additional information beyond what we've said publicly."

Immediately after suggesting a third party was to blame, Rossiter said there was no evidence Yahoo's own systems had been breached. So my question to Rossiter is: Is the fact that Yahoo has not found a hole in its own systems actually the only evidence Yahoo has that the hack of a third party might be to blame?

I also ask Telecom: Does it believe the theory put forward by Rossiter in his Friday blog?

It is possible the explanation Yahoo provided on Friday will prove to be correct. But the fundamental issue is one of trust and, now, brand association.

If Yahoo can't solve the problem and provide a far more definitive account of what happened within a month or two, I'd expect Telecom to unravel this partnership.