29 Sep 2016
Yahoo!’s Security Breach And What It Means For Your Email Sending
29 Sep 2016
Last week, the Internet was shaken by another scandal on data security. Yahoo! announced that the credentials of 500 million of their user accounts had been stolen back in 2014. We know you heard about this and have a million questions. Worry not, Mailjet’s here to make sure you know exactly what’s going on, how it may impact you as a sender and to help you tackle the consequences.
Wait, what happened?
On September 22nd, Yahoo! published an important message on their user security. It revealed a massive security breach going back to 2014. The credentials of 500 million Yahoo account users were stolen and had been put up for sale by a hacker (allegedly, the same hacker who had been involved in the Linkedin and Tumblr’s security scandals).
According to Yahoo!’s announcement, the data that had been stolen included:
- Email addresses,
- Hashed passwords,
- Telephone numbers,
- Dates of birth,
- Security questions and answers.
Bank account data and protected passwords don’t seem to be among the stolen data, according to the investigation that is still ongoing.
Potentially affected users have been contacted by Yahoo! and all users are strongly recommended to change their passwords if they still use the same one as they had in 2014.
Does This Impact Me As A Sender?
Such a massive leak is likely to have a lot of consequences, and yes, it could have an impact on you. More precisely, it could have an impact on your deliverability.
Some Email Service Providers have already started reporting a high hard bounce rate linked to Yahoo! accounts. This may be related to Yahoo! deactivating accounts that would have been operated by the hackers who got access.
It is also likely that at least part of Yahoo! users might feel that their data isn’t secure anymore with that address. Imagine that your name, the keys to your place and your address had been out in the open for a year and a half. Some people will just change their lock, but others might even desert their house and move to a new one… Which means that a lot of people might give up their email IDs, close their accounts and move to new ones, resulting in a high number of hard bounces for your campaigns.
Nope, this isn’t the hard bounce we’re talking about.
Hard bounces are responses received from Yahoo! indicating the sender has sent to an invalid or inactive address. Hard bounce rates are part of the criteria Internet Service Providers use to gauge the quality of a sender’s list and reputation, so having a high hard bounce rate could potentially cause a negative effect on your deliverability.
Now you could be wondering: “If the issue is known, ISPs should be more flexible and raise their threshold when it comes to defining a bad level of hard bounce, right?”. Unfortunately, it’s not that easy. These filters are operated by complex algorithms hunting phish and fraud, not by real humans. They track your metrics as a sender against what they deem to be “normal” for most legitimate senders.
So here’s what’s likely to happen:
- If your hard bounce rate raises just a little, but the rest of your metrics are still OK and you’ve had good statistics, the impact will be minimal – perhaps just a few cases of emails landing in the junk folder.
- If your hard bounce rate raises a lot, it might result in a lot of messages going to the junk folder while it remains high, and maybe for a few days after your rates are back to normal;
- If you see a peak in your bounce rate, you may see some messages rejected, blocked temporarily by ISPs for several hours, or even several days.
What Can I Do To Limit The Damage?
In order to protect your sender’s reputation, we recommend that you monitor your bounce rate very closely. At Mailjet, we have a 8% bounce threshold within our sending policy. So make sure you keep an eye on it, as anything higher may result in a rate limitation.
We recommend that you remove all the bounce addresses from your contact list after each campaign that you send during the next few weeks. It might seem slightly painful, but it is definitely the quickest and safest way to get your bounce rate back to normal and limit the damage on your deliverability.
If you want to address the Yahoo users who could be tempted to close their account but haven’t done it yet, you could create a segmented list that targets those with Yahoo contacts that have been “active” during the the last three to six months (those who opened/clicked in your recent campaigns). Send a specific campaign to offer them to update their preferences and give them a chance to provide a new email address to proactively ensure that your mail follows them to their new address.
Have you noticed any impact on your latest email campaigns following the Yahoo! security breach announcement? How do you plan to tackle it? Tell us more on Twitter.