Yahoo email users are at risk of identity theft. Yahoo’s Developer Network website allows hackers to read emails, contacts, and other private data from Yahoo accounts. Sergiu Dragos Bogdan, a Romanian web application bug hunter, exposed the security flaw at a conference last Sunday. Bogdan explained how Yahoo Query Language (YQL) can be abused by attackers to execute commands on behalf of authenticated Yahoo users who visit malicious websites. Hackers can run YQL queries on Yahoo’s own databases: “Non-authenticated users can only run YQL queries against tables containing publicly visible Yahoo information, such as information from Yahoo Answers, Yahoo Weather and other services. However, when they are authenticated, users also gain access to tables containing their own Yahoo account data, including emails, contacts and private profile information.”

Symantec reported last year that spammers were using a very similar technique to steal anti-CSRF (cross-site request forgery) codes from Facebook users, which allowed them to post spam links on their behalf. In his proof-of-concept (PoC) attack, Bogdan used a YQL command to change the user’s Yahoo profile status in Yahoo’s database, but the same method can be used to run a YQL query that returns a number of emails from the user’s Yahoo email account, or other private information. Yahoo did not respond to a request for comment.
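The flaw described above is a cross-site request forgery problem: the browser attaches the user’s Yahoo session cookie to any request, including one triggered by a malicious page, so an endpoint that authorizes on the cookie alone will run the query for the attacker’s page. The following Python is an added illustration, not code from the article, from Bogdan, or from Yahoo. It models a toy query endpoint with a hypothetical private table (`private.profile`), an in-memory session store, and two authorizers: the cookie-only pattern that is exposed to CSRF, and a hardened one that also demands a per-session anti-CSRF token and checks the browser’s `Origin` and `Sec-Fetch-Site` headers. All names, origins and requests are constructed for the example.

```python
"""Added example (hypothetical names throughout): cookie-only authorization
of a query endpoint versus authorization with CSRF defenses."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Session:
    user: str
    # Per-session secret embedded in the site's own pages; a page on
    # another origin cannot read it, so it cannot forge a valid request.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    cookies: dict
    headers: dict
    params: dict


SESSIONS = {}                              # cookie value -> Session (constructed store)
SITE_ORIGIN = "https://api.example.test"   # assumed origin of the legitimate site


def login(user):
    """Create a session and return the cookie value the browser would store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user)
    return cookie


def cookie_only_authorize(req):
    """Exposed pattern: trusts the session cookie alone. The browser sends the
    cookie automatically, so any site the user visits can trigger a query."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    return sess.user if sess else None


def hardened_authorize(req):
    """Cookie plus two independent CSRF checks."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return None
    # Check 1: browser-supplied origin metadata. Origin is set on POST and
    # cross-origin requests; Sec-Fetch-Site is set by modern browsers.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return None
    if req.headers.get("Sec-Fetch-Site") in ("cross-site", "same-site"):
        return None
    # Check 2: the per-session token, compared in constant time. This is the
    # primary defense and holds even if the headers above are absent.
    token = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return None
    return sess.user


def run_query(req, authorize):
    """Return (status, body). Only the hypothetical private table needs auth."""
    query = req.params.get("q", "")
    if query.startswith("select * from private.profile"):
        user = authorize(req)
        if user is None:
            return 403, "forbidden"
        return 200, f"profile of {user}"
    return 200, "public data"


def demo():
    """Run a same-site and a cross-site request through both authorizers."""
    cookie = login("alice")
    token = SESSIONS[cookie].csrf_token
    private = {"q": "select * from private.profile"}
    # Constructed request issued by the site's own page: cookie, token, same origin.
    legit = Request({"sid": cookie},
                    {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin",
                     "X-CSRF-Token": token}, private)
    # Constructed request triggered by a page on another origin: the browser
    # still attaches the cookie, but that page cannot read the token.
    cross = Request({"sid": cookie},
                    {"Origin": "https://other.example", "Sec-Fetch-Site": "cross-site"},
                    private)
    return {
        "cookie_only": (run_query(legit, cookie_only_authorize)[0],
                        run_query(cross, cookie_only_authorize)[0]),
        "hardened": (run_query(legit, hardened_authorize)[0],
                     run_query(cross, hardened_authorize)[0]),
    }


if __name__ == "__main__":
    print(demo())   # cookie_only: (200, 200)  hardened: (200, 403)
```

The cookie-only authorizer returns the private data for both requests, which is the behaviour the article attributes to the YQL endpoint; the hardened one serves the site’s own page and refuses the cross-origin request. The token check is what matters most: it works even when a client omits `Origin` or `Sec-Fetch-Site`, so the header checks are defense in depth rather than a substitute.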

Our firm represents the victims of data breaches and data losses. Personal identifying information is a commodity. Your personal information can be sold just like illegal drugs on the street. Companies and government agencies have a duty to protect your personal identifying information. If your personal information is taken or lost, you may be at risk of identity theft for the rest of your life.

What is a data breach? A data breach occurs when electronic information is taken without authorization or without an otherwise legitimate purpose. For example, a data breach occurs when a hacker accesses a computer network and downloads personal identifying information. Another example of a data breach is when an employee, without authorization, accesses customers’ or patients’ personal identifying information or financial information for an unlawful purpose.

Under the Fair Credit Reporting Act (FCRA), consumers who are victims of fraud or identity theft have the right to obtain their credit reports from consumer reporting agencies. Consumers also have the right to dispute, for free, any incorrect information on their credit reports. The FCRA provides consumers with a private cause of action if the credit reporting agencies violate the law.

Before you sign any papers or sign up for credit monitoring, you should contact a data security attorney to discuss your rights. Contact data security attorney Micah Adkins at 1-800-263-9091, 24/7, for a free case review. Or, use the contact form below.

[Contact form: Name, Address, Email, Telephone Number, How can we help you?]