Snoop! stooge! Yahoo! handed! all! your! email! to! Uncle! Sam! – and! any! passing! hacker!

Internet has-been Yahoo! has stressed it broke no US laws when it apparently insecurely backdoored its email systems for the NSA or FBI. In 2015, the California-based biz hastily set up mechanisms that allowed American intelligence workers to scan all incoming Yahoo! Mail for particular strings of keywords, it is reported. It …

  1. This post has been deleted by its author

  2. Anonymous Coward

    A right bunch of Yahoos!

    1. asdf

      who are going to cash out just in time (those at the top anyway, isn't that always the case)

    2. TheVogon

      "Snoop! stooge! Yahoo! handed! all! your! email! to! Uncle! Sam!"

      So just like every other major US based service provider then.

    3. Version 1.0 Silver badge

      RE: A right bunch of Yahoos

      Maybe - but every other email provider is doing exactly the same thing.

  3. asdf

    LOL@Verizon

    Marissa Mayer is nothing but a used car salesman peddling mostly lemons. Have fun with your new white elephant Verizon. Looking forward to your massive goodwill write down in the next 12 months. Plus it will be the gift that keeps on taking quarter after quarter. I wonder how many other bodies are to be found in the Yahoo crawl space. Some HP style due diligence right there (seriously are they doing it for tax reasons?). Couldn't happen to a nicer megacorp.

    1. Anonymous Coward

      Re: LOL@Verizon

      Who rides the (Digital) Beast ?

    2. Anonymous Coward

      Re: LOL@Verizon

      Do 'goodwill' and 'Verizon' belong in the same sentence?

    3. Version 1.0 Silver badge

      Re: LOL@Verizon

      "Looking forward to your massive goodwill write down in the next 12 months."

      That raises the interesting possibility that Verizon are buying Yahoo with the intention of declaring them a tax loss and taking the deductions over the next few years. Verizon could make a nice profit on a well planned loss.

  4. Nate Amsden

    FBI contacted me one time

    Not sure why I remember this but for some reason it triggered this memory. A few years ago I was asleep in a hotel room and I got a phone call.. some guy was trying to get in touch with my former employer, after some discussion he revealed he was with the FBI and wanted to see if this company had some data they were tracking down someone(s). He asked whether or not the company had web access logs. I assume they were looking for something child porn related; this company had a lot of user generated content and no controls whatsoever (said company has been out of business for some time now). I joked to my friends at the company at the time since they were hosted in Amazon cloud hell just give them a Splunk account, there is nothing useful in those logs anyway!

    But I did find it funny that even the FBI investigator could not figure out how to get in touch with someone at the company, so they resorted to the WHOIS information on the domain, which more than a year after I left for some reason still pointed to me. There was no phone number or general email address (or physical address) to contact on the website etc, the whole time I worked there it sort of felt like they could decide to close up shop on a Friday afternoon and have the place be emptied in a matter of hours and it would look like they were never there.

    I could say the CEO of said company went over to Yahoo at one point but that's purely coincidence!

    Anyways I got this guy in touch with people at the company and they took it over from there. Only such request I've ever dealt with.

    1. asdf

      Re: FBI contacted me one time

      >But I did find it funny that even the FBI investigator could not figure out how to get in touch with someone at the company,

      It is pretty amazing how much better the press has been with the Panama papers than all the law enforcement that look the other way when they are dealing with rich folks.

      1. Anonymous Coward

        Re: FBI contacted me one time

        They contacted me once also! I was working at a book depository back in 1963 in Dallas, Texas. Some new books had just come out for programming an IBM 1620, which were pretty damn heavy and I told my boss "hey, you gotta get me some help in here to move these crates of books!" They hired some guy, Lee or Harvey something.....can't remember.... Anyway, he was bragging about how great of a shot the Marine Corps was to everyone else and I told him "I'll bet you tickets to the local Texas theatre that you can't shoot out this window and hit that manhole cover down by that grassy knoll"

        He cracked off three shots, damned if the President of the United States didn't happen to be riding by at that exact time.....

        We felt bad about that.....

        1. Code For Broke

          Re: FBI contacted me one time

          Expect the FBI to investigate AC's JFK post as a serious lead.

      2. Anonymous Coward

        Re: FBI contacted me one time

        > It is pretty amazing how much better the press has been with the Panama papers than all the law enforcement that look the other way when they are dealing with rich folks.

        Are you really sure? I'm not, because at the time I remarked how astonishingly few Americans were named in those papers. The excuse "we have our own "offshore" places INSIDE the US, like Delaware" didn't ring true, for the exact same reason that Yahoo can legitimately claim it broke no laws: anyone can be ordered to collaborate with law enforcement and IRS.

        The inevitable conclusion was that the Panama papers were yet another US attack on any competition with Wall Street and its economy, and that makes more sense than the alleged repatriation of tax funds because there are FAR bigger fish to fry in that respect (companies, but also the rather wide span of billionaires - after all, the bulk of the global supply live in the US). The heroically recovered funds so far wouldn't repay more than 10 minutes Shock and Awe on Baghdad, so from that angle it's not worth the effort.

        The pattern is fairly easy to spot once you've seen it once: as soon as the US administration gets itself into any kind of bother, things happen "abroad" that are "bad" and the US "has to sort it all out" - yeah, right. It'll get a lot worse when they elect Trump, I reckon (no, I don't consider that an "if" - his position in the polls despite making more policy and position U-turns than a UK politician involved in a scandal makes it pretty clear that facts no longer matter).

        1. Tom Paine

          Re: FBI contacted me one time

          > The excuse "we have our own "offshore" places INSIDE the US, like Delaware" didn't ring true, for the exact same reason that Yahoo can legitimately claim it broke no laws: anyone can be ordered to collaborate with law enforcement and IRS.

          I am not a lawyer or tax accountant, but Private Eye -- which has been doing superb investigative journalism on offshore tax avoidance for 15 years or more -- accepted this explanation, with detail about specific states that are in a race to the bottom with Delaware. What you've missed is that there's no reason for law enforcement or the IRS to take any interest in such matters because basing your company in a low-tax / low transparency jurisdiction is entirely legal.

    2. Phil O'Sophical Silver badge

      Re: FBI contacted me one time

      > after some discussion he revealed he was with the FBI

      Well, that's what he said, anyway...

  5. Notas Badoff

    Make me proud, media

    I scanned through the article's links, and none to past articles in the Reg about Alex Stamos at time of leaving. What was said? What was known? Were the usual 'family' reasons satisfying enough that no one cared to check into it more? Anybody know of previous hints to this mischief?

    1. Anonymous Coward

      Re: Make me proud, media

      I can well imagine that at the time he was gagged by both Yahoo! and the feebs

  6. Mark 85

    Is there actually anyone using Yahoo! for anything other than a throwaway account anymore? I'm assuming there must be a few who are, but I'm thinking the bulk of them are either dead or throwaways.

    I do find this troubling, not just because they implemented a back door without informing IT Security but also for poorly implementing it and then ignoring the problem. I think this does border on the criminal and should impact the sale. No ethics, no principles... just bottom line oriented.

    Disclaimer.. I'm still using an AOL account that goes back to the dark ages as all friends and family have it and it's a PITA to get them to use a new addy. But... I do have a stash of throwaways just for safety.

    1. Anonymous Coward

      BT outsourced all their users email to Yahoo

      So all UK users with a BT email account got fucked too

      1. Version 1.0 Silver badge

        Re: BT outsourced all their users email to Yahoo

        AT&T did the same thing in the USA.

  7. Destroy All Monsters Silver badge
    Pint

    > When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer

    Buy that man a large beer. The dusky shadow of CEO incompetence, if not malfeasance, and Hillary-style "La Reine, C'est Moi" behaviour should be avoided even if there is personal cost involved.

    1. CrosscutSaw

      @D.A.M

      I also loved the Stamos story, until we find out he went to Facebook. Boooo.

    2. Hollerithevo

      Important to include Mrs Clinton!

      Never let an opportunity pass for a little dig.

  8. Anonymous Coward

    Make the bastards sweat

    Fortunately most of mine were in Welsh and very allusive ..

    1. Fred Flintstone Gold badge

      Re: Make the bastards sweat

      They probably think they're still encrypted :)

  9. Your alien overlord - fear me

    I hope el Reg is now going to refer to the NSA as NSA! in tribute to the soon to be deceased Yahoo!

    1. Anonymous Coward

      That should be : NSA!

      1. Ole Juul

        I'm hoping we'll be seeing Verizon!

        (not sure if formal punctuation demands a period after the ! in that sentence)

        1. Fred Flintstone Gold badge

          > (not sure if formal punctuation demands a period after the ! in that sentence)

          Interesting point (sorry :) ). Was there ever a rule developed for marketing idiots including punctuation in a name? As the exclamation mark is part of the company name it should formally not be considered punctuation, which would normally demand an extra full stop.

          However, as that would be playing along with something that I've always found rather stupid! (as does El Reg, hence the constant heckling! in! any! Yahoo! headline!), I personally am of the opinion that formal rules can go stuff themselves and I'll (a) call it Yahoo and (b) add any punctuation to suit, which is unlikely to include an exclamation mark, under the banner of not wanting to perpetuate another marketing crime against the English language, even if it's American. Puns and play on words, fine, punctuation, no.

          Period.

  10. FuzzyTheBear
    Mushroom

    Mandatory disclosure ..

    That is one case where the company should be forced to disclose to ALL its email account holders that they have done so and provide a link to delete their data and account in one click. Their mail service is to be avoided and as far as I am concerned, was deleted the moment Reuters broke the news.

    I highly encourage those who haven't done so yet to do it.

    Shame on America. They don't deserve neither our friendship ( what was left of it ) nor our business.

    1. Anonymous Coward

      Re: Mandatory disclosure ..

      > Shame on America. They don't deserve neither our friendship ( what was left of it ) nor our business.

      Just to be clear, you equate Yahoo with the whole of the US?

      1. Anonymous Coward

        Re: Mandatory disclosure ..

        Well in this case as the federal authorities were deeply involved, I think you can certainly paint it quite convincingly as distrust of the 'official' US. Not that this surprises.

  11. Doctor Syntax Silver badge

    Yahoo! will live on...

    ...as a cautionary tale on how not to run a business, or maybe an entire national industry. It'll be much quoted in business courses.

    Meanwhile, if any evidence is needed to take down the Privacy Figleaf, there it is.

  12. Maty

    So, to summarize ...

    Yahoo left an insecure backdoor on their email servers for American intelligence to use. Later some un-named hackers - allegedly a foreign power - found some way to get into Yahoo's mail accounts and slurped the lot.

    Are we seeing cause and effect here?

    1. a_yank_lurker

      Re: So, to summarize ...

      What was Tim Cook's beef with the feral bureau of incompetence - backdoors will be found and exploited by others. And there is no such thing as a secure backdoor. So the Putrid Palace has the smell of putrescine and cadaverine.

    2. Anonymous Coward

      Re: So, to summarize ...

      Yes, the backdoor obviously wasn't big enough, otherwise they would have found those un-named hackers and made us all safe by protecting us from the very bad people.

  13. teacake

    What about BT?

    Since BT farmed out responsibility for their e-mail service to Yahoo some years ago, could this mean UK BT Internet customers also had their mail slurped?

    1. Syntax Error

      Re: What about BT?

      They probably have it slurped, monitored anyway because BT are a government agency who work hand in hand with GCHQ.

      This monitoring was searching for a string of certain words not reading e-mails so I don't see this as such a big deal. How Yahoo went about it is another story.

      1. Anonymous Coward

        Re: What about BT?

        > They probably have it slurped, monitored anyway because BT are a government agency who work hand in hand with GCHQ.

        That may still not make it legal. Punting that one over the fence to the Information Commissioner should at least be fun to watch as they'd probably have to change some more laws to legalise that retrospectively. Bit of a shame that entertainment will stop post Brexit..

    2. MJI Silver badge

      Re: What about BT?

      Got my complaint in.

      Will escalate and see what happens.

      Need to let BT customers know they are being spied on.

      1. teacake

        Re: What about BT?

        Well done. Are you complaining to BT, the Information Commissioner, or both?

        1. MJI Silver badge

          Re: What about BT?

          BT

          ICO have no option for this

          1. Anonymous Coward

            Re: What about BT?

            > ICO have no option for this

            Give their helpline a call and ask in which format they need it. They do take in general concerns, but you may need to email it to casework@.

  14. Likkie

    Hmm... feeling nostalgic...

    That was my oldest email address. Now deleted....

    1. The Travelling Dangleberries

      Re: Hmm... feeling nostalgic...

      Same here.

      More proof, as if we needed it, that you should not trust any cloud providers especially those based in the US of A.

      Yahoo gone. It's high time I nuked my LinkedIn account too...

  15. Neoc

    The idiots at Yahoo! are correct on one fact: installing the backdoor at the behest of the NSA (or whomever) did not indeed break any laws.

    Installing an *insecure* backdoor, on the other hand, may be criminally liable.

  16. MrDamage Silver badge

    Didn't break any American laws

    But unfortunately, they had a global presence by that time, so everyone outside of the US has fair grounds to sue them under the local data protection laws.

    1. Andy The Hat Silver badge

      Re: Didn't break any American laws

      So I'm guessing that would mean they contravened the safe harbour agreement on personal data? Time for an EU data protection complaint and a general public statement of how crap 'safe harbour' type agreements are?

  17. wolfetone Silver badge
    Holmes

    So it WAS a state sponsored hack after all.

    1. Anonymous Coward
      Pint

      Sigh.......

      Have an upvote and my email account. Exactly what I was thinking.

      1. wolfetone Silver badge

        Re: Sigh.......

        "Have an upvote and my email account."

        You can have an upvote for the beer, but I already have your email account.

        Herbal Viagra? Really?

        1. Anonymous Coward

          Re: Sigh.......

          Bugger, you caught me, but the one with essence of bamboo works best. Then the other half really does say Yahooo!!!

  18. MJI Silver badge

    I just emailed BBC

    To have a look.

    They MIGHT look at the BT connection.

    Might as well cause them hassle for outsourcing emails.

  19. Anonymous Coward
    Pirate

    What's the difference?

    > mechanisms that allowed American intelligence workers

    > to scan all incoming Yahoo! Mail

    -----

    > exposed to hackers in what Yahoo! had called a

    > "state sponsored" attack

    Sounds like two state-sponsored attacks to me. Really can't see the difference.

  20. PickledAardvark

    Mini spike in cpu usage

    Didn't anyone notice a load increase on some mail handling servers when the filters were in place? Or do Yahoo change things so often that a change in load per million messages is hard to spot?

  21. MJI Silver badge

    Looks like BT can be done for this

    Linked from BT website

    https://policies.yahoo.com/us/en/yahoo/privacy/topics/safeharbor/index.htm
