Yahoo has really been in the firing line in the past few weeks.
First came the news that the company had confirmed a data breach of half a billion (5 × 10^8) records.
The age of the breach was as worrying as its size: the data was stolen back in 2014, but Yahoo only reported it recently.
The late publication of the report was not, apparently, out of any attempt to cover it up or to delay the news deliberately, but because the company only figured out something had gone wrong in August 2016.
That news was followed by claims that Marissa Mayer, Yahoo’s CEO, had previously put the kibosh on a policy requiring passwords to be reset in the event of a breach, apparently because password resets, no matter how desirable they might be in an emergency, are annoying to users.
(Mayer, you may remember, famously welcomed Apple’s iPhone fingerprint scanner by admitting that she didn’t lock her phone because she “can’t do this passcode thing, like, 15 times a day.”)
Although adopting a mandatory password reset policy doesn’t prevent breaches, and is always a last resort, it didn’t reflect very well on Yahoo’s security attitude to hear that it apparently decided to put ongoing user convenience ahead of security, even after a catastrophe.
Next came allegations that Yahoo may have searched its email database for an unknown set of keywords at the official request of US authorities.
Actually, as we wrote at the time, the “official request” was more of a “classified demand,” which is not at all the same thing.
Nevertheless, Yahoo’s competitors wasted no time stating not only that they’d never received such a demand, but also that they’d have fought it publicly if ever they had received one.
The latest bad news for Yahoo surrounds the fact that its mail forwarding service has recently been suspended, at least for anyone who isn’t already using it.
Mail forwarding is pretty much what it says: email received by one server is automatically redirected to another, just as you might forward your PO Box in one town to a new box in another town if you moved house.
One popular use for mail forwarding is as a temporary measure to help you migrate from one email service to another, so that you don’t have to keep logging on to two different websites until you’ve told everyone your new email address.
In short, forwarding mail from service X to service Y often means that X pays, but Y benefits.
That’s led to suggestions that Yahoo has done this deliberately as a sort of “lock-in”, in the hope of discouraging users from leaving the service following the recent negative news stories.
We’ll give Yahoo the benefit of the doubt and assume that security is the cause.
Mail forwarding is a risky feature, because a crook who manages to turn it on unlawfully can effectively take over your account in a way that isn’t as obvious as changing your password.
Also, once a crook has forwarded your email, even if he does change your password to keep you out, he’s able to read it without logging back into your account.
This means he’ll leave a slightly less damaging (or at least a more convoluted) audit trail if anyone ever decides to investigate.
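The risk just described (a forwarding rule silently added by an intruder, which keeps working even after a password change) is exactly the kind of thing an administrator or incident responder wants to audit for. The following is an added example, not code from the original article or from Yahoo: it walks a constructed export of forwarding rules and flags the ones that deserve a look. The record schema, the internal domains, the assumption that 10.0.0.0/8 is the corporate network, and all of the sample rules are made up for the illustration.

```python
"""
Audit mailbox forwarding rules for signs of unauthorised account takeover.
Constructed example: the rule records and their schema are assumptions for
this illustration, not any real provider's API or export format.
"""
from datetime import datetime, timedelta

# Domains the organisation controls (assumption for the example).
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample of forwarding rules, as an admin export might list them.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com",
     "forward_to": "alice.archive@mail.example.com",
     "keep_copy": True, "created": "2016-03-01T09:00:00",
     "created_from_ip": "10.0.0.5"},
    {"mailbox": "bob@example.com",
     "forward_to": "bob-backup@freemail.invalid",
     "keep_copy": False, "created": "2016-10-10T02:14:00",
     "created_from_ip": "198.51.100.23"},
    {"mailbox": "carol@example.com",
     "forward_to": "carol@example.com",
     "keep_copy": True, "created": "2015-06-20T11:30:00",
     "created_from_ip": "10.0.0.9"},
]


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def _as_datetime(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def assess_rule(rule, internal_domains, now, recent_window=timedelta(days=30)):
    """Return the list of reasons this rule deserves review (empty if none).

    Each check targets one way a forwarding rule helps an intruder keep
    reading mail without logging in again.
    """
    now = _as_datetime(now)
    reasons = []
    # Mail leaving the organisation's own domains is the classic takeover sign.
    if domain_of(rule["forward_to"]) not in internal_domains:
        reasons.append("forwards to external domain")
    # Without a retained copy the mailbox owner never sees the diverted mail.
    if not rule["keep_copy"]:
        reasons.append("no copy retained in mailbox")
    # Rules created recently are worth correlating with other login events.
    if now - _as_datetime(rule["created"]) <= recent_window:
        reasons.append("created within the last %d days" % recent_window.days)
    # Assumption for the example: 10.0.0.0/8 is the corporate network.
    if not rule["created_from_ip"].startswith("10."):
        reasons.append("created from outside the corporate network")
    return reasons


def find_risky_forwards(rules, internal_domains=INTERNAL_DOMAINS, now=None):
    """Map each mailbox with at least one finding to its list of reasons."""
    now = _as_datetime(now) if now is not None else datetime.now()
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule, internal_domains, now)
        if reasons:
            findings[rule["mailbox"]] = reasons
    return findings


if __name__ == "__main__":
    for mailbox, reasons in find_risky_forwards(SAMPLE_RULES, now="2016-10-12T00:00:00").items():
        print(mailbox, "->", "; ".join(reasons))
```

Run against the sample data as of 12 October 2016, only Bob's rule is reported, with all four reasons; Alice's internal archive forward and Carol's self-forward produce no findings. A single reason (say, a recently created internal forward) is weak evidence on its own, so in practice the reasons are best fed into a ticket for a human to correlate with sign-in history rather than acted on automatically.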
So, we’re prepared to assume that Yahoo’s new mail forwarding system has been temporarily suspended out of what the marketing folks like to call “an abundance of caution,” while the company conducts a security review on it.
We’re assuming this isn’t a commercial trick aimed at discouraging dissatisfied passengers from getting off the train at the next station.
What do you think?
Has Yahoo done this to improve security or to control commercial damage?