Who to entrust your e-mails with: security measures of popular e-mail services
24.02.2021
The most popular e-mail services provide users with good functionality. They periodically update it. But what about security measures? How Gmail, Microsoft Outlook, Zoho, and Yahoo! Mail store users’ data? To answer this question, the Analytical Department of Falcongaze has analyzed their security measures and reputation.
Gmail
In October 2018, Gmail’s userbase reached the number of more than 1,5 billion people.
During several years, Gmail had problems with phishing. There were also a lot of leaks and breaches. Once 5 million passwords were compromised. Then in 2016, it was revealed that malware detecting filters had not been working all the time. And in 2017, Google developed machine learning approach of phishing detection which randomly analyzes 0,05 % of messages.
Gmail is equipped with a data loss prevention tool: if a user sends a message to any other domain but the company’s, the system warns them. Google also uses DLP-system to prevent sensitive information from being revealed to those who should not have it. To protect messages while transferring, the company uses S/MIME certificate. Gmail also uses SSL-encryption.
It must be mentioned that some years ago Google used to scan e-mails to personalize advertisements. In 2017, the company was sued for that. In June 2017, Gmail stopped scanning users’ messages.
However, in 2018, The Wall Street Journal discovered that Google continued giving access to accounts for third parties. Any developer of an app related to Google could gain access. The company underlined that it would not expose data to enterprises which are not connected to Google.
In February 2021, was discovered the largest breach ever. 3,2 billion records leaked online. The breach is called the Compilation of Many Breaches, because it contained past data leaks, but the number of compromised accounts was about 70% of global internet users. The breach contained users’ credentials from Gmail, Hotmail, Yahoo, Netflix, LinkedIn, Exploit.in, and more.
Yahoo! Mail
The company released an e-mail service in 1997. In the beginning of 2000s, its userbase consisted of tens of millions of people. By December 2011, 281 million of people used the service. Yahoo! Mail’s userbase was the third biggest in the world.
But in 2016, the company discovered 2 enormous leaks that had happened in 2013 and 2014 accordingly. In the breach of 2014, 500 million accounts were compromised. Hackers stole usernames and e-mail addresses. However, financial data were not affected.
After discovering the breach of 2014, Yahoo! Mail revealed the breach of 2013. More than 1 billion of credentials were stolen. Later the company Verizon, part of which Yahoo became in 2017, announced that there were about 3 billion of compromised accounts. It means that all users of the service suffered.
Hackers stole users’ personal information, hashed passwords, secret questions, and answers to them. During several years, malicious actors could have had access to the compromised accounts. Hackers’ identities and their strategy remained unknown. By the way, it is said that the incidents are not connected to each other.
To mitigate consequences, the company promised to pay victims $50 million. Besides compensation payment, the company would provide monitoring of 200 million people who were the victims of the incident in 2013.
In 2019, Yahoo! Mail services broke down on more than 7 hours. Workflows of many companies were paralyzed. Customers who paid for premium accounts demanded for financial compensation. But Yahoo! did not respond to that.
The service uses secure protocol HTTPS and end-to-end encryption. In case you visit a website affected by malware, the tool SearchScan will notify you about it. Yahoo! Mail also notifies about spam and phishing messages. There is 2FA – a security method when you enter additional code to gain access to your account.
Outlook
Outlook is a Microsoft company’s product which previously was known as Hotmail. But Microsoft is sure that it is still the best free e-mail service.
Microsoft informs that Outlook guards users’ privacy 24/7. Messages are encrypted while in email box and after being sent. Premium accounts also have automatic banning of unsecure links feature and discovering of malware software feature.
Outlook uses HTTPS-connection. A user can ask for a single-use code if they sign in from a public computer. Also, you can enable 2FA – you will receive a verification code every time you sign in using untrusted device. If 2FA is off then you will confirm your identity just from time to time.
In April 2019, Microsoft disclosed a huge breach. As the company informed, from January 1, 2019, to March 29, 2019, hackers could gain access to some details related to Outlook accounts (e-mail addresses, folder names, the subject lines of e-mails, and the names of other e-mail addresses a user communicated with). The content of messages and attachments were secure. The fraudulent actors managed to do this with one of the accounts belonged to a company’s support agent.
In February 2021, the Cisco researchers discovered an updated version of trojan Masslogger which attacks users from different countries. It steals credentials of Microsoft Outlook and other apps users. It is distributed by phishing e-mails.
It must be mentioned that vulnerabilities in Outlook service are often used by hackers. For instance, in 2019, Iranian hackers exploited the vulnerability which surprisingly was fixed in 2017. The flaw allowed a malware to distribute on OS level. Moreover, in June, 2019, Microsoft fixed a vulnerability that could affect 100 million of Android users.
Zoho
The Zoho developers consider their product to be secure, privacy-guaranteed, and ad-free e-mail service.
Zoho Mail uses DMARC policy. There is a malware detection feature. It scans attachments received in e-mails. A user won’t be able to upload an attachment if a malware is discovered. As well, Zoho has a spam filtering function. If a message is detected as phishing or spoofing, then it is removed to an inbox or a spam folder.
Zoho informs that messages are stored on Zoho Mail services in encrypted format. The service also uses SSL-connection and S/MIME standard.
There is 2FA on the service. The second step of authentication may be Zoho OneAuth app, Touch ID, push notification, OTP, or QR code.
Zoho has got such security certificates as ISO/IEC 27001 and SOC 2 Type II. The company also follows GDPR rules.
But there is no app without any flaws. In 2018, there was an incident occurred to Zoho. Hackers created the keylogger malware which recorded victims’ passwords and sent it to the cybercriminals.
The Analytical Department of Falcongaze tried to provide you with objective information about popular e-mail services. You are to choose which service you are going to entrust with your data.