Notifying our users of government-backed activity
Note: Verizon Media is now known as Yahoo.
Announcing new security features in AOL Mail and Yahoo Mail
By: Chris Nims
Evolving online threats to account security require evolving defenses, so we’re continuously investing in our security team and security features in our products to help keep bad actors at bay.
One product feature that’s proven to be highly effective is our government-backed notification system in Yahoo Mail. Since 2015, this system has notified tens of thousands of users that they may have been targeted by a government-backed actor. These users include journalists and activists, as well as government officials and others who may have access to sensitive information. While these notices do not necessarily mean that an account has been accessed by an unauthorized third party, they remind users to remain ‘paranoid,’ as we like to say, about their account security.
Building off the success of this notification system, we’re announcing today some important updates:
- The system now serves all of our AOL Mail users, along with Yahoo Mail;
- Notifications will reach users on desktop and directly on their AOL and Yahoo mobile apps; and
- We’ve made the new system multi-lingual, with over 75 languages represented.
With government-backed threats becoming more pervasive, we see this system only becoming more relevant and useful to our users. So what do you do if you receive a notification, and how do you know if it’s real?
Our email notices will never include attachments or ask you for your password. If you receive an email with a login link that you think looks suspicious, be safe and go directly to yahoo.com or aol.com by typing either URL into your browser's address bar.
Legitimate notices from us are personalized and will provide guidance on what steps you can take to secure your account. Importantly, and again, a notification does not necessarily mean your account has been accessed; rather, we have reason to believe it may have been targeted. Disclosing how we know an account was targeted is challenging, as we do not want to give our adversaries a roadmap to circumvent our detections, but we only notify a user when we have a high degree of confidence that they have been targeted.
If you receive such a notification from us, it will include security recommendations based on your specific account settings. Some general steps any user can take right now to improve their security include:
- Turn on Account Key (in Yahoo Mail) or Two-Step Verification (in AOL Mail) to approve or deny sign-in notifications, which grant or refuse access to your account.
- Choose a strong, unique account password you’ve never shared or used before. Review our guidelines for creating a strong password and change your account’s password.
- Check that your account recovery information (phone number or alternate recovery email address) is up to date and that you still have access to it. Remove any entries that you no longer have access to or don’t recognize.
- Check your mail forwarding and reply-to settings. Hackers could edit these settings to receive copies of emails you send or receive.
- Review your recent activity in your account settings for sessions you don’t recognize.
For many of our users, knowledge itself is also a powerful tool in account security and can even have implications for a user’s physical security. A journalist reporting on corruption in an oppressive regime may learn that they need to take steps to ensure their digital and physical security. The same could be true for a free expression advocate challenging government censorship.
We’re committed to protecting the security and safety of our users, and believe this expanded system demonstrates that commitment. As always, stay paranoid!