Notifying our users of attacks by suspected state-sponsored actors

We’re committed to protecting the security and safety of our users, and we strive to detect and prevent unauthorized access to user accounts by third parties. As part of this effort, Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored actor. We’ll provide these specific notifications so that our users can take appropriate measures to protect their accounts and devices in light of these sophisticated attacks.

Our notifications provide targeted users with specific actions they can take to help ensure that their Yahoo accounts are safe and secure. If you receive such a notification from us, here are some of the actions you should take immediately:

• Turn on Account Key or Two-Step Verification to approve or deny sign-in notifications, which grant or refuse access to your account.
• Choose a strong, unique Yahoo account password you’ve never shared or used before. Review our guidelines for creating a strong password and change your account’s password.
• Check that your account recovery information (phone number or alternate recovery email address) is up to date and that you still have access to them. Remove ones that you no longer have access to or don’t recognize.
• Check your mail forwarding and reply-to settings. Hackers could edit these settings to receive copies of emails you send or receive.
• Review your recent activity in your account settings for sessions you don’t recognize.

We also strongly encourage you to protect yourself outside of your Yahoo account:

• Don’t fall for phishing attacks! Don’t click links if you’re not sure about them. Yahoo will never ask you to provide your account information via email. If an email includes a link to Yahoo that asks for your password, close the window and sign in via https://login.yahoo.com directly.
• Install anti-virus software on your computer and ensure that your computer and other devices have all the latest security updates applied.
• Review the account security guidelines posted by other services you use. For example, social networks, financial institutions, and other email providers. Follow their guidelines to secure those accounts, too.

It’s important to note that if you receive one of these notifications, it does not necessarily mean that your account has been compromised. Rather, we strongly suspect that you may have been a target of an attack, and want to encourage you to take steps to secure your online presence. In addition, these warnings to our users do not indicate that Yahoo’s internal systems have been compromised in any way.

So how do we know if an attack is state-sponsored? In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks. However, rest assured we only send these notifications of suspected attacks by state-sponsored actors when we have a high degree of confidence.

We will continue to refine our detection and notification of state-sponsored threats and remain committed keeping your account safe from unauthorized access.