PhotoIf you visited or any of its subsidiary websites at any time between Dec. 31 and approximately five seconds ago, you might need to check to ensure your computer wasn't one of the countless millions infected by a massive malware attack against Yahoo's ad servers: the advertisements on certain pages took advantage of security weaknesses in Java to install “exploit kits” and multiple forms of malware on people's computers.

Though maybe this was only a problem for Yahoo users in Europe. Yahoo spokespeople said in a Sunday email that “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. … Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected … Additionally, users using Macs and mobile devices were not affected."

And of course, before listing all these Yahoo users who were not affected, the email first assured everybody that, “At Yahoo, we take the safety and privacy of our users seriously.”

Credibility gap

Unfortunately (from the perspective of embattled Yahoo public-relations folks), in the past couple of months, the company has developed a bit of a reputation for saying things customers don't necessarily believe—like last October, when Yahoo completely revamped its email system and then insisted that the changes were wonderful and well-beloved, even though the actual email customers (not to mention the majority of Yahoo's own employees) insisted that they hated the new email and pretty much everything about it.

And that was before big chunks of the Yahoo email system went kaput, so that some large but unknown number of emails sent between Nov. 25 and Dec. 9 vanished altogether.

So when Yahoo kicked off 2014 by admitting to the malware attack, the public responded with overwhelming cynicism. For example: on Jan. 5, five days after the initial attack, the Washington Post tech blog posted an updated story assuring its readers, “Worried about Yahoo malware outbreak? If you're in [the] U.S., you're probably safe.”

One commenter promptly questioned: “Does anyone really believe Americans were unaffected? Likely, they haven't caught it yet or are straight up lying to the public.” On the other hand, it is possible that Yahoo is telling the truth: online advertisements tend to be tailored to specific geographic locations, so that someone living in the US almost certainly isn't going to see (for example) the same local-business ads as would someone in London.

The news-aggregator Fark, meanwhile, linked to news of the malware attack under a sardonic one-word headline: “Yahoops.”

As of Monday morning, Jan. 6, Eastern time, Yahoo has released a couple of statements to the press, but (as a CNET security blogger pointed out) still has not mentioned anything about the malware attack on its public Tumblr blog. When we checked the blog, its most recent story was dated Jan. 3 and headlined “Boomshakalaka! The Yahoo sports app just got way more fun with loops,” but we couldn't find anything advising European Yahoos to check their computers for possible massive security failures. Yahoops.

Share your Comments