In a move reminiscent of other prominent tech companies including Facebook and Twitter, Yahoo will now alert users who hold accounts that may have come under attack by suspected state-sponsored hackers.
While not revealing how it determines that an attack is state-sponsored, Yahoo confirmed that it will alert users if they’ve been targeted by such hackers.
In a blog post, Yahoo stated:
“We’re committed to protecting the security and safety of our users and we strive to detect and prevent unauthorized access to user accounts by third parties. As (a) part of this effort, Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored hacker.”
In addition to the statement, Yahoo recommended additional actions to users who receive an alert of a possible state-sponsored hack. Users are advised to use an account key or two-step verification for advanced security.
Users are also advised to look at approving and denying sign-in notifications. The default suggestion of changing to a stronger password is also mentioned. So too are account recovery details, so that the account may be recovered in the case of a compromise. Yahoo even recommends checking mail forwarding and reply-to settings to look for any shenanigans, as well as combing through recent account activity to try to spot anything suspicious.
Yahoo also provided a disclaimer that those users who receive such a notification need not jump to the conclusion that their account has been compromised.
“Rather, we strongly suspect that you may have been a target of an attack, and want to encourage you to take steps to secure your online presence,” the company stated.
Yahoo also states that the compromise of one or multiple user accounts does not mean that Yahoo’s own internal systems are compromised.
Yahoo also stated:
“So how do we know if an attack is state-sponsored? In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks.”
As always, Lifars recommends a strong, unique password for each account you use online. Alternatively, investing in a good password manager or a vault is also a way to go.