Ditch Yahoo. Use ProtonMail. [updated]

I’ve been a Yahoo Mail user for 19 years. My Yahoo user ID has only 4 characters in it. It’s been my public (read spam) email address since 1997. I’m sure it’s the longest actively-used email account I’ve ever had. But now it’s time for me to move on. You should, too. Here’s why, and how…

How NOT To Handle Security

Yahoo announced recently that there was a massive breach in 2014 of many of its users’ accounts. While initial reports estimated 500 million users were compromised, it could actually be much worse. (If you haven’t changed your Yahoo password in the last two years, you should do so now.)

Password database breaches are going to happen. Security is hard and nothing is ever 100% secure. But we can and should judge a company by how seriously they take their users’ security and how they react when bad things happen.

While we’re pretty sure the breach occurred two years ago, it’s not clear yet that Yahoo knew about it before July of this year. However, Yahoo didn’t tell anyone about it until after the story broke elsewhere, two months later. It’s also been reported that Yahoo execs had a policy of not forcing users to reset passwords after a data breach because they didn’t want to lose customers. It’s also obvious that Yahoo prioritized shiny new features over security and privacy.

The Last Straw

That’s all pretty bad, but it gets worse. In a separate report shortly after this breach was announced, it was revealed that Yahoo allowed and perhaps helped the NSA or FBI to build a real-time email search program for all its customers, enabling mass surveillance in a way that was previously unprecedented.

Either of these scandals alone would be unacceptable, and should give any Yahoo user a valid reason to abandon their services – but taken together, it almost mandates it. This is a clear case where we, as consumers, need to show Yahoo that this is not acceptable, and do it in a way they will understand: close your Yahoo account and move to another service.

Ditch Yahoo

I’m not going to lie…. if you actually use your Yahoo account (like I do), this is not going to be fun or easy. But if you really care about your security, and security in general, you need to let Yahoo (and the other service providers) know that you take these horrendous security failures seriously. To do that, you have to hit them where it hurts: money. In your case, that means abandoning their services. Ditching Yahoo will not only make yourself safer, it will hopefully drive other service providers to improve their own security – which helps everyone.

I would say that you have at least three levels of options here, in increasing order of effectiveness (in terms of protesting Yahoo’s behavior):

  1. Stop using Yahoo email and all its other services
  2. Archive your Yahoo email locally and delete everything from their servers
  3. Delete your Yahoo account entirely

To stop using your Yahoo email, you will need to change everywhere you used your Yahoo email account and migrate to a new email service. LifeHacker has some tips that will help, but read through the rest of this article before choosing your new email provider.

To really rid yourself of Yahoo completely, you also need to abandon all their services: Flikr, Tumblr, fantasy sports, Yahoo groups, Yahoo messenger, and any of the dozens of other services.

Your next step is to archive all your old Yahoo email. These emails may contain valuable info that you’ll some day need to find: important correspondence, account setup/recovery info for other web sites, records of purchases, etc. If you’ve used an email application on your computer to access Yahoo (like Outlook or the Mail app on Mac OS), you should already have all your emails downloaded to your computer. But you might also want to consider an email archiving application: Windows users should look at MailStore Home (free); Mac users might look at MailSteward (ranges from free to $99).

Once you’ve safely archived everything, you should delete all your emails from Yahoo’s servers. Why? Well, if nothing else, it should prevent successful hackers from perusing your emails for info they could use against you (identity theft, for example). Assuming Yahoo actually deletes these emails, it may also keep Yahoo (or the government) from digging through that info.

You should reset your Yahoo password to a really strong password (use a password manager like LastPass). I would highly recommend setting up two-factor authentication, as well.

As a final step, you can completely close your Yahoo account. Note that this may not actually delete all your data. Yahoo probably retains the right to save it all. But this is the best you can do.

If you find that you are just too invested in Yahoo to completely abandon your email account (and I’ll admit I may be in that camp), you can set up email forwarding. This will send all of your incoming Yahoo email to a different account. (It’s worth mentioning that it looks like Yahoo tried to disable this feature recently, probably in an effort to prevent the loss of users.)

Use ProtonMail

While GMail and Outlook are two popular and free email providers, you should take a hard look at newer, more security- and privacy-conscious services. I would personally recommend ProtonMail. They have a nice free tier of service that includes web access and smartphones apps for iPhone and Android. If nothing else, grab your free account now to lock in a good user name before all the good ones are taken. Tell your friends to do the same. Just adding new free users will help the cause, even if the accounts aren’t used much.

But I’d like to ask you to go one step further: I encourage you strongly to sign up for one of their paid tiers of service, even if you don’t need the added features. The only way we’re going to force other service providers to take notice and to drive change is to put our money where our mouths are. Until it becomes clear that people are willing to pay for privacy and security, we’ll be stuck with all the ‘free’ services that are paid for with our personal info and where security is an afterthought.

Update Dec 14 2016:

Yahoo has just announced another breach, this time over 1 billion accounts hacked (maybe more). DITCH YAHOO!!


(This article is adapted from a few of my previous weekly security newsletter articles.)