
If you’re a Yahoo user, you should be worried

The first thing you should do after your home or apartment is burgled is, obviously, to change the locks. Yahoo doesn’t seem to think so: according to a new report by Venafi, the same certificate practices that were in place when it was breached are still in place today. 

What’s more, those practices have been known for years to be insecure. Venafi puts it simply: if you’re a Yahoo user, you should be worried. Here’s what Yahoo did (or, rather, didn’t do). Most importantly, 27 per cent of the certificates on external Yahoo sites haven’t been changed since January 2015. 

“Replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications,” Venafi says in a press release. Of Yahoo’s 519 certificates, only 2.5 per cent have been issued in the last 90 days. This leads Venafi to conclude that Yahoo “does not have the ability to find and replace digital certificates”, something it considers a common problem. 

Venafi also says that a “surprising” number of Yahoo digital certificates use MD5, a cryptographic hash function whose weakness is not brute force but collisions: practical MD5 collision attacks have been known since 2004 and have already been used to forge rogue certificates. Some 41 per cent of external Yahoo certificates use a hashing algorithm deemed insecure. 
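The two checks the report turns on, whether a certificate predates the breach and whether it is signed with a weak hash, are easy to run over an inventory export. The following Go program is an added example, not code from the article or from Venafi’s report: it walks a PEM bundle, flags every certificate issued before an assumed breach cut-off date or signed with MD5 or SHA-1, and reports the reasons per subject. The host names, certificates and the cut-off date are constructed for the demo; the Go standard library refuses to mint an MD5-signed certificate, so that case is shown as a parsed certificate struct rather than a freshly signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// weakSignatureAlgorithms lists the signature schemes an inventory audit should
// flag: MD5 collisions have been practical since 2004 and SHA-1 collisions since
// 2017, so neither reliably binds a name to a key any more.
var weakSignatureAlgorithms = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA:    true,
	x509.MD5WithRSA:    true,
	x509.SHA1WithRSA:   true,
	x509.DSAWithSHA1:   true,
	x509.ECDSAWithSHA1: true,
}

// AuditCertificate returns the reasons a certificate should be replaced.
// breachCutoff is the date from which keys are known to be clean; a
// certificate issued before it may still carry a key the attacker holds.
func AuditCertificate(c *x509.Certificate, breachCutoff time.Time) []string {
	var reasons []string
	if c.NotBefore.Before(breachCutoff) {
		reasons = append(reasons, fmt.Sprintf("issued %s, before breach cut-off %s",
			c.NotBefore.Format("2006-01-02"), breachCutoff.Format("2006-01-02")))
	}
	if weakSignatureAlgorithms[c.SignatureAlgorithm] {
		reasons = append(reasons, "signed with weak algorithm "+c.SignatureAlgorithm.String())
	}
	return reasons
}

// AuditPEMBundle walks every CERTIFICATE block in a PEM bundle (the usual shape
// of an inventory export) and returns findings keyed by subject CN. Certificates
// with nothing to report are left out of the map.
func AuditPEMBundle(bundle []byte, breachCutoff time.Time) (map[string][]string, error) {
	findings := map[string][]string{}
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return findings, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if reasons := AuditCertificate(cert, breachCutoff); len(reasons) > 0 {
			findings[cert.Subject.CommonName] = reasons
		}
	}
}

// selfSignedPEM mints a throwaway self-signed certificate so the demo runs
// offline. Constructed test data: the names are invented, not real Yahoo hosts.
func selfSignedPEM(cn string, notBefore time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(2, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Assumed cut-off for the demo; in practice use the date by which every key
	// on the estate had been rotated after the breach was discovered.
	cutoff := time.Date(2016, time.September, 22, 0, 0, 0, 0, time.UTC)
	bundle := selfSignedPEM("stale.example.test", time.Date(2015, time.January, 10, 0, 0, 0, 0, time.UTC))
	bundle = append(bundle, selfSignedPEM("fresh.example.test", time.Date(2016, time.December, 1, 0, 0, 0, 0, time.UTC))...)
	findings, err := AuditPEMBundle(bundle, cutoff)
	if err != nil {
		panic(err)
	}
	for cn, reasons := range findings {
		fmt.Printf("%s: %v\n", cn, reasons) // only stale.example.test is reported
	}
	// Go's x509 package refuses to sign with MD5, so the weak-hash case is a
	// constructed parsed-certificate struct rather than a minted certificate.
	legacy := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "legacy.example.test"},
		NotBefore:          time.Date(2016, time.November, 1, 0, 0, 0, 0, time.UTC),
		SignatureAlgorithm: x509.MD5WithRSA,
	}
	fmt.Printf("%s: %v\n", legacy.Subject.CommonName, AuditCertificate(legacy, cutoff))
}
```

The audit is deliberately driven by the certificate’s own NotBefore and signature algorithm rather than by the server’s configuration, because the point of the report is that a stale certificate on an external site is a finding regardless of what the TLS stack in front of it supports. In a real estate the bundle would come from an inventory tool or from `openssl s_client` runs against each external host.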

“In our experience major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls,” said Alex Kaplunov, vice president of engineering for Venafi.  

“To confirm this assumption we took an in-depth look at external facing Yahoo! web properties and the details of how these sites are using cryptography. We found the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber security investments, have weak cryptographic controls.”  

Image Credit: Jejim / Shutterstock 

Edit: A previous version incorrectly stated that Yahoo replaced 519 certificates in the past 90 days, rather than 2.5 per cent of the 519.