by badida 4815 days ago
No, because Persona mediates, and Yahoo only knows that you're using your Yahoo identity with Persona, nothing more. That's a key privacy property of Persona.

However, if you use the "login with Yahoo" button (or Google or Facebook), then yes, they can track all of your activity.

To your second point: great question! No, the attacker cannot. We still protect your other email addresses with a Persona password.

2 comments

Oh wait, I misread your point. Yes, the attacker can log into all Persona web sites if they know your Yahoo password. But that's the way the cookie crumbles with federated identity. It's the same thing if you pick a Yahoo email address as your recovery email. Pick your identity providers wisely!

> Yahoo only knows that you're using your Yahoo identity with Persona

But Yahoo still knows that I'm on that website.

How?