Modern field guide to security and privacy
The Yahoo logo is shown at the company's headquarters in Sunnyvale, Calif. April 16, 2013.
Robert Galbraith/Reuters | Caption

Yahoo hack raises fresh fraud concerns

Fraudsters are trying to trick victims of the massive Yahoo data breach into paying for bogus tech support.

Lawyers behind a class action lawsuit against Yahoo over its recently disclosed data breach say fraudsters are now looking to dupe victims with tech support scams.

In the weeks since Yahoo announced the digital attack, which initially occurred in 2014 and exposed information about 500 million accounts, scammers posing as company officials have attempted to trick users into paying hundreds of dollars for phony security upgrades. 

"As Yahoo put the knife in the backs of its customers by recklessly failing to secure their data, criminals are now twisting those knives by setting up fake Yahoo customer service phone numbers," said Stuart Davidson, an attorney at the law firm Robbins Geller Rudman & Dowd. "All of this would not have happened had Yahoo upheld its promise to protect its customers' data."

Mr. Davidson is part of the legal team representing Ronald Schwartz, who filed a class action suit against Yahoo over the breach. Davidson said he's spoken with at least six people who have been scammed by calling phony tech support hotlines that have surfaced online. Fraudsters are demanding up to $500 to "secure" victims' computers from further harm, he said.

In a letter to users, Yahoo recommended users promptly change passwords and security questions, and adopt a different means of verifying their accounts such as two-factor authentication. But the potential harm for users exposed in the breach could stretch beyond just their Yahoo accounts. 

While the breach did not include financial data, cybersecurity experts worry that victims in the breach could face problems with other digital accounts, too, especially if people reused their Yahoo passwords.

Yahoo said that "state-sponsored" hackers were responsible for stealing the data but did not name any specific country or group.

In an unrelated case, Reuters reported Tuesday that Yahoo built a custom tool last year for the US government to scan users' emails. That news, coupled with revelations of the breach, caused many tech reporters, journalists, and privacy advocates to urge users to delete their Yahoo accounts.

When asked about US intelligence efforts to search Yahoo emails, National Security Agency Director Adm. Michael Rogers on Wednesday refused to confirm or deny the Reuters story.

It's unclear if revelations of Yahoo's alleged willingness to allow the government to search emails without users consent will compel additional legal action against the company.

"It does certainly dovetail with our allegations," said Davidson, the lawyer in the class action case. "What I find most interesting is that, if the story is true that Yahoo has been giving the government access to user emails, Yahoo cannot blame criminals this time. This one is all on Yahoo."