Privacy & Security, Random

Want to unsubscribe? Just confirm your email address first

Here’s a Public Service Announcement for your Monday: confirming your email should never be required to unsubscribe from a mailing list. I’m sure I’ll hear from someone who has an example of an edge case where it’s necessary, but the vast majority of cases should require no such thing. Possibly the most compelling reason not to require confirmation of the address? Spammers require confirmation of addresses in order to “unsubscribe” – except they don’t actually unsubscribe you. Do you want your email to have something in common with most spam? We don’t recommend it. Add to that the fact that it’s likely a violation of CASL as well, and you have a recipe for disaster.

I’ll have a full post coming up tomorrow but seeing this in my inbox (a dedicated email asking me to unsubscribe? They must be extra compliant!), along with recently speaking with senders who wanted to do something similar, prompted me to issue this brief admonition.

– BG

Industry Updates, Privacy & Security

500 million Yahoo users compromised in “worst hack in history”

On Thursday, Yahoo issued a statement confirming that at least 500 million users’ account data had been compromised in late 2014, supposedly by a “state sponsored actor,” or an individual hired by some governmental body to carry out the hack.

According to the statement, the data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords …and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo indicates no financial data was breached.

Users who had or used Yahoo services, including Mail, Flickr, Fantasy Sports, and others, during that timeframe are being advised to change their passwords for Yahoo and any other services that may use the same login credentials, as well as changing security questions for other services.

Lots of questions surround this breach, with one of the most notable being why Yahoo waited so long to announce the hack. Many speculate information was concealed to prevent souring the sale of Yahoo to Verizon. CNN reports that Verizon learned of the hack for the first time this week.

As email senders and recipients, most of us care much less about Yahoo and Verizon’s financials than about potential fallout from the breach, including identity theft, spam email, and even blackmail. Even if credit card data wasn’t stolen, the hackers now have personal information about millions of Yahoo users, including answers to some of the questions most commonly used to verify their identity.

Yahoo’s wait to announce the hack could mean the greatest damage has already been done: hackers often act quickly with stolen data, selling or sharing it to outrun detection attempts. However, if the breach truly was initiated by a foreign government, the motivation may not be so clear.

Yahoo has said they are cooperating with Federal authorities to investigate, and it’s a safe bet we’ll hear more details as the investigation continues.

– BG