Yahoo! Mail Blog

The Yahoo! Mail team and I have used this blog many times to keep you informed about how you can stay safe and protect your personal information on the Internet and in Yahoo! Mail. We’ve posted on the best ways to recognize and avoid phishing scams and how to avoid falling victim to lottery attacks. We also use several measures to help you protect your account information including secure login pages, the ability to set up a sign-in seal, and scanning attachments for viruses.

There is another threat that exists called the ‘cookie replay’ attack, where attackers gain access to your account using public WiFi networks. It is an industry wide issue that can affect any Web site including Yahoo! Mail. While this threat does exist, I have not heard of any of our users complaining about being a victim.

I try to be as safe as I can when online. Here are some things you should do to help protect you against this type of exploit:

• Always be cautious when accessing your email account when using public WiFi networks. Consider accessing your account only on secure networks.
• If you need to use public WiFi networks to access your email, use a POP email client to access your mail via SSL. Yahoo! Mail UK users have the ability to send and receive mail via email clients like Microsoft Outlook, Mozilla Thunderbird and others (our friends on the other side of the ‘pond’ will need to sign up for Mail Plus). Make sure to set up your client with SSL security for the best account security.
• Sign up to a personal VPN service (or, if they offer it, use your work’s VPN)

We feel strongly about offering you protections to safeguard your account. We are committed to developing solutions to tackle this industry wide security issue. And we hope to have a solution in sometime in 2010.

I will to keep you up-to-date on the progress of that solution. Until then, be smart when accessing your account via public WiFi networks. If you must access your email on a public WiFi network, try to use POP via SSL or a personal VPN client.

More general information on security can be found at http://security.yahoo.com, and for security tips for mail visit http://uk.antispam.yahoo.com/. As always, please feel free to contact our Customer Care team.

You might have noticed that we unveiled our new global marketing campaign. It includes a new video ad – ‘Anthem’ – that features the many ways that Yahoo! connects our users to the people and things that matter most to them. At the heart of the campaign is YOU and how you use Yahoo! to make the Internet your own.

BeCause Yahoo! Mail is all about you too, it now offers the ability to:

• Have your picture on your “What’s New” page and a complete profile http://profiles.yahoo.com
• Select and add useful apps you want in Yahoo! Mail. Click on the “+” button next to “Application” in the bottom left of Yahoo! Mail)
• See messages and updates from people you really care about right on your “What’s New” page

And we will continue to innovate and enhance Yahoo! Mail to make sure that we provide you with the Smartest Mail experience on the Internet.

Gregory Talon – Product Manager Yahoo! Mail Europe

It didn’t take long did it? You’ve read the reports from yesterday about email account information being posted online and all the stress that goes with worrying about your online safety. Already there are people out there trying to take advantage of the fact that you might be concerned whether or not you were one of the few people affected by the phishing attack. Phishing, for those of you unfamiliar with the term, is the act of trying to trick you into revealing your account and login information via a fake email or fake Website.

Here are some tips to help you identify phishing emails:

• Make sure the Web page address doesn’t have any misspellings or extra words (e.g. http://www.yah000.com, http://www.yahoo-members.com, or http://www.yahoo.BadGuyEnterprises.com) in it. When it doubt, go straight to http://www.yahoo.co.uk and log in from there.
• Be vigilant about anything that doesn’t look right on the page, such as typos, outdated content, or broken or missing pictures.
• Best idea: be sure to set up a customized “Sign-In seal” picture — instructions are at https://protect.login.yahoo.com/ – and never enter your password unless you see that picture on the page.

Just this morning we’re getting reports of a particularly well prepared email attempting to make you think that we are contacting you to verify your account information. In fact, this is nothing new. I’ve posted about this before. But this particular version of a phishing email has been very well produced and appears to look very official. So if you have received something like the screenshot below, this is not an email from Yahoo.

This one pictured above is a prime example of a phishing email, which uses a scare tactic to try to solicit you to send your account details and password. The one above is using the news stories from yesterday to lure you into clicking a link (the link in the email actually goes to some website that is not part of Yahoo) and giving your account details. Always be mindful of any Web page that requests your Yahoo! password (or any password for that matter).

So if you receive an email like the one above, don’t fall for it. Just delete it, or better yet, click the “Spam” button. It’s the quickest and easiest way to let us know that it’s spam.

Andrew – Yahoo! Mail Team

You may have heard or read about email accounts and their passwords being posted online. While I’ve read different versions of how the person(s) responsible was able to get the email account information, it was not a result of any insecurity at Yahoo! It looks to be a result of phishing attacks. Should you feel that one of your email accounts was affected by the recent publication, whether it is a Yahoo!, Hotmail or Gmail account, I would suggest changing your password as well as other account security information like secret questions and alternate email addresses.

We are aware that a limited number of Yahoo! IDs have been made public, it’s uncertain if any of those email/password combinations have resulted in any accounts being compromised. Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security.

We also have the following online resources that provide information and guidelines on email safety:
Our anti-spam site: http://uk.antispam.yahoo.com/
With a phishing prevention sub-section: http://uk.antispam.yahoo.com/phishing
Our help pages: http://help.yahoo.com/l/uk/yahoo/mail/yahoomail/abuse/ (phishing section at the bottom)
And of course, I’ve posted a bunch of articles about online safety to this blog: http://ymailuk.com/2009/05/05/keeping-your-account-safe-we-will-never-ask-for-your-password/
http://ymailuk.com/2009/02/06/top-tips-for-spotting-online-scams/
http://ymailuk.com/2008/05/07/spring-into-safety/

Here are a couple FAQs that provide additional information:
Have accounts been compromised because of this?
We are unable to confirm whether accounts have been compromised at this time. However, we strongly suggest that consumers take caution in securing their email and other online accounts by regularly changing their passwords, and updating account security information.

What do I do if I think my account has been compromised?
You should change your password immediately. Also, if you are unable to enter your account, you can take steps to recover it here: https://edit.yahoo.com/forgotroot

We take online security seriously at Yahoo! We strive to make you and your Yahoo! account as safe as possible. Of course if you have any questions or issues with your account, please contact our Customer Care team.

Andrew – Yahoo! Mail Team