Protect Yourself from Advanced Attackers

Yahoo always strives to protect your account from unauthorized access. In addition, we recommend that all account owners secure their Yahoo account using the steps below. However, if you've received a notification from Yahoo, or another provider, that you may have been the target of state-sponsored actors, we specifically urge you to take these steps.

The notification from Yahoo looks like this:

Screenshot of 'Important action required' message

This notification will appear for 10 days to give you time to secure your account, and so that we can be sure you've seen it.

Secure your Yahoo account

  1. Turn on Account Key or Two-Step Verification to approve or deny sign-in notifications, which grant or refuse access to your account.
  2. Choose a strong, unique Yahoo account password you've never shared or used before. Review our guidelines for creating a strong password and change your account's password.
  3. Check that your account recovery information (phone number or alternate recovery email address) is up to date and that you still have access to them. Remove ones that you no longer have access to or don't recognize.
  4. Check your mail forwarding and reply-to settings. Hackers could edit these settings to receive copies of emails you send or receive.
  5. Review your recent activity in your account settings for sessions you don't recognize.

Stay safe online

We strongly encourage you to protect yourself outside of your Yahoo account, as well.

  • Don't fall for phishing attacks! Don't click links if you're not sure about them. Yahoo will never ask you to provide your account information via email. If an email includes a link to Yahoo that asks for your password, close the window and sign in via directly.
  • Install anti-virus software on your computer and ensure that your computer and other devices have all the latest security updates applied.
  • Review the account security guidelines posted by other services you use. For example, social networks, financial institutions, and other email providers. Follow their guidelines to secure those accounts, too.