By Alex Stamos, VP of Information Security
The security of our users is a huge focus for us at Yahoo. We’re deploying encryption technologies across our platform, encouraging our partners to ensure that any data running on our network is secure, and improving the security of the overall web ecosystem.
We’re also focused on hiring the best talent to help us achieve our goals. That’s why I’m excited to introduce the two newest members of our security team: Chris Rohlf and Doug DePerry. Both Chris and Doug have incredible experience and are well-respected in the online security community. Chris and Doug will continue to be based out of New York, where they’ll further enhance our top-notch security team, provide key trainings as we grow, and help us recruit the brightest minds in the software security space.
Chris and Doug come to us from Leaf Security Research, a security consulting firm known for its deep understanding of software security. The Leaf team has discovered and published critical vulnerabilities in every major web browser and other widely used applications. Chris and Doug have helped design and lead Leaf’s “Advanced C/C++ Source Code Analysis” training course, which educates participants on how to find exploitable vulnerabilities by manually auditing the source of large and complex programs. Chris and Doug have taught this unique course for public and private audiences, including at Black Hat USA 2013.
Chris and Doug will make a comeback to Black Hat USA this year — this time as Yahoos! — to teach their course on August 2nd & 3rd and again on August 4th & 5th. If you’re planning to be at Black Hat USA 2014, come connect with us at Mandalay Bay to learn techniques for finding new vulnerabilities and for analyzing code for the exploitation primitives used in target-specific exploitation.
We’re thrilled to welcome Chris and Doug to our team of talented security experts at Yahoo and look forward to seeing you at Black Hat USA 2014 this year!
Interested in learning more about opportunities on our security team? Check out Yahoo Careers.
By Alex Stamos, Chief Information Security Officer
When I joined Yahoo four weeks ago, we were in the middle of a massive project to protect our users and their data through the deployment of encryption technologies as we discussed in our November 2013 Tumblr.
So today, we’re updating you on our progress:
Traffic moving between Yahoo data centers is fully encrypted as of March 31.
In January, we made Yahoo Mail more secure by making browsing over HTTPS the default. In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTP TLS standard.
The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
We implemented the latest in security best practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard.
Users can initiate an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America on Yahoo (gma.yahoo.com) by typing “https” before the site URL in their web browser.
A new, encrypted, version of Yahoo Messenger will be deployed in coming months.
Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users, and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all times, by default.
One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure. Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.
In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months. This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an ongoing and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.
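The baseline listed above (TLS 1.2, Perfect Forward Secrecy, a 2048-bit RSA key, and HSTS) can be audited per property. The following is an added example and not Yahoo's tooling: it takes an observation of a server's negotiated protocol, cipher suite, certificate key size and Strict-Transport-Security header, and reports which parts of that baseline are not met. The observation dictionaries, the six-month HSTS `max-age` threshold, and the field names are all constructed assumptions; it also accepts TLS 1.3 suites as forward-secret, which goes beyond the page. Certificate Transparency is not checked here, since that requires log lookups rather than a local policy test.

```python
"""Audit observed TLS/HSTS parameters against a stated baseline.

Added example, not Yahoo's code. Observations are constructed; in practice
the protocol, cipher name and key size come from a live connection
(e.g. ssl.SSLSocket.version() and .cipher() plus the peer certificate) and the
HSTS value from the HTTP response headers.
"""

MIN_RSA_BITS = 2048
MIN_HSTS_MAX_AGE = 180 * 24 * 3600   # six months; an assumed policy threshold


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is absent or has no usable max-age directive.
    """
    if header is None:
        return None
    out = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                out["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out if out["max_age"] is not None else None


def has_forward_secrecy(protocol, cipher):
    """Ephemeral (EC)DH key exchange gives forward secrecy; every TLS 1.3
    suite uses it, and in OpenSSL naming TLS 1.2 suites show it as a
    DHE-/ECDHE- prefix."""
    if protocol == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "DHE-"))


def audit(obs):
    """Return a list of baseline violations for one observed endpoint."""
    findings = []
    if obs["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {obs['protocol']} is below TLS 1.2")
    if not has_forward_secrecy(obs["protocol"], obs["cipher"]):
        findings.append(f"cipher {obs['cipher']} does not provide forward secrecy")
    if obs["key_type"] == "RSA" and obs["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {obs['key_bits']} bits, below {MIN_RSA_BITS}")
    hsts = parse_hsts(obs.get("hsts"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts['max_age']} is shorter than policy")
    return findings


# Constructed observations: one endpoint that still needs work, one that
# meets the baseline.
WEAK_ENDPOINT = {
    "host": "weak.example",
    "protocol": "TLSv1.0",
    "cipher": "AES128-SHA",          # static RSA key exchange, no forward secrecy
    "key_type": "RSA",
    "key_bits": 1024,
    "hsts": None,
}
GOOD_ENDPOINT = {
    "host": "good.example",
    "protocol": "TLSv1.2",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "key_type": "RSA",
    "key_bits": 2048,
    "hsts": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for obs in (WEAK_ENDPOINT, GOOD_ENDPOINT):
        print(obs["host"], audit(obs) or ["meets baseline"])
```

Running the script prints four findings for the weak endpoint and "meets baseline" for the good one; the same `audit` function can be fed observations collected from each property in turn.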
Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.
Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.
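The attack described above, a username/password list from a third-party breach replayed against Yahoo Mail by automated software, has a recognisable shape in authentication logs: one source cycling through many distinct usernames with a low success rate. The following is an added example, not Yahoo's detection code, showing that logic over a constructed log excerpt; the log format, the window size and the thresholds are assumptions. Accounts that did succeed from a flagged source are the ones whose passwords need resetting, so the summary lists them.

```python
"""Flag sources that replay a leaked credential list against a login endpoint.

Added example, not Yahoo's code. Log format is constructed:
    <ISO-8601 timestamp> <source_ip> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source trying a list of accounts in quick
# succession (two of them succeed), and one legitimate user who mistypes
# a password once and then logs in.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z 198.51.100.7 alice FAIL
2014-01-30T10:00:02Z 198.51.100.7 bob FAIL
2014-01-30T10:00:02Z 198.51.100.7 carol OK
2014-01-30T10:00:03Z 198.51.100.7 dave FAIL
2014-01-30T10:00:03Z 198.51.100.7 erin FAIL
2014-01-30T10:00:04Z 198.51.100.7 frank FAIL
2014-01-30T10:00:05Z 198.51.100.7 grace OK
2014-01-30T10:00:05Z 198.51.100.7 heidi FAIL
2014-01-30T10:05:00Z 203.0.113.9 ivan FAIL
2014-01-30T10:05:20Z 203.0.113.9 ivan OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for every source that, within any sliding window,
    attempted at least `min_users` distinct usernames with a success rate of
    at most `max_success_rate`.  A normal user retrying their own password
    touches one username, so they never meet the distinct-user threshold.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start so that attempts[start:end+1] fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                # summarise the source's whole activity, not just this window,
                # so every account it got into is listed for a password reset
                flagged[ip] = {
                    "attempts": len(attempts),
                    "distinct_users": len({u for _, u, _ in attempts}),
                    "compromised": sorted(u for _, u, ok in attempts if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-username criterion is what separates list replay from a single user's failed retries; the low success rate is what separates it from a busy but legitimate shared address such as a corporate proxy, which would show mostly successful logins. Both thresholds need tuning against a site's real traffic.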
What we’re doing to protect our users
We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
We have implemented additional measures to block attacks against Yahoo’s systems.
What you can do to help keep your accounts secure
In addition to adopting better password practices, such as changing your password regularly and using a varied mix of symbols and characters, never use the same password on multiple sites or services. Reusing a password across sites or services makes users particularly vulnerable to this type of attack.
We regret this has happened and want to assure our users that we take the security of their data very seriously.
For more information, please check our Customer Care help page.
By Jay Rossiter, SVP, Platforms and Personalization Products
by Marissa Mayer, Yahoo CEO
We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it.
As you know, there have been a number of reports over the last six months about the U.S. government secretly accessing user data without the knowledge of tech companies, including Yahoo. I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever.
There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL - Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014.
Today we are announcing that we will extend that effort across all Yahoo products. More specifically this means we will:
- Encrypt all information that moves between our data centers by the end of Q1 2014;
- Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014;
- Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled.
As we have said before, we will continue to evaluate how we can protect our users’ privacy and their data. We appreciate, and certainly do not take for granted, the trust our users place in us.
by Ramses Martinez, Director, Paranoids
At Yahoo, we’re constantly thinking about ways to protect our users and their data. In addition to second sign-in verification, we’re also launching today another way to make your account more secure: App Passwords.
An App Password is a temporary password that you can enter into our native iOS and Android apps for added protection. It’s a way that you can authorize a device to access your Yahoo apps.
Simply go into your account settings, turn on second sign-in verification, and then generate the one-time app password. Once you do, you can enter the password into your mobile app, and it’s as simple as that. Your device will be logged in, so you won’t have to go through this step again.
If you add another device, you’ll have to generate a new one-time App Password. Lost your phone? No problem, you can easily revoke access to each individual app and device from the settings page.
Check out the video below to learn more about how to turn on second sign-in verification and Application Passwords.
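The App Password flow described above has three properties worth seeing together: each device gets its own secret, that secret is redeemed once for a persistent device login, and revoking one device from the settings page cuts off that device without touching the others. The following is an added example of one way to implement that server side; it is not Yahoo's implementation, and the class and method names, the token lengths and the in-memory storage are all assumptions.

```python
"""Per-device app passwords: issue once, redeem once, revoke individually.

Added example, not Yahoo's code.  Secrets are generated with the secrets
module and only their SHA-256 digests are kept; an app password is random
and high-entropy, so a plain hash (rather than a slow password hash) is
sufficient for storage.
"""
import hashlib
import hmac
import secrets


def _digest(value):
    return hashlib.sha256(value.encode()).digest()


class AppPasswordStore:
    def __init__(self):
        self._devices = {}    # device label -> {"hash", "used", "revoked"}
        self._sessions = {}   # sha256(session token) -> device label

    def issue(self, label):
        """Create a one-time app password for a named device.  The clear
        value is returned exactly once for the user to type into the app."""
        secret = secrets.token_urlsafe(20)
        self._devices[label] = {"hash": _digest(secret), "used": False, "revoked": False}
        return secret

    def redeem(self, candidate):
        """Exchange an unused, unrevoked app password for a long-lived device
        session token.  Returns None on any failure; the password cannot be
        redeemed twice, so a new device always needs a freshly issued one."""
        digest = _digest(candidate)
        for label, rec in self._devices.items():
            if rec["used"] or rec["revoked"]:
                continue
            if hmac.compare_digest(digest, rec["hash"]):
                rec["used"] = True
                token = secrets.token_urlsafe(32)
                self._sessions[_digest(token)] = label
                return token
        return None

    def session_device(self, token):
        """Map a device session token back to its device, or None if the
        token is unknown or the device has been revoked."""
        label = self._sessions.get(_digest(token))
        if label is None or self._devices[label]["revoked"]:
            return None
        return label

    def revoke(self, label):
        """Cut off one device (e.g. a lost phone).  Its unredeemed password,
        if any, and its existing session both stop working; other devices
        are unaffected."""
        self._devices[label]["revoked"] = True


def demo():
    """Walk through issue -> redeem -> revoke for two devices and return the
    observations a caller can check."""
    store = AppPasswordStore()
    phone_pw = store.issue("phone")
    tablet_pw = store.issue("tablet")
    phone_session = store.redeem(phone_pw)
    tablet_session = store.redeem(tablet_pw)
    second_use = store.redeem(phone_pw)            # one-time: None
    store.revoke("phone")                          # lost phone
    return {
        "phone_before_revoke": phone_session is not None,
        "second_use_rejected": second_use is None,
        "phone_after_revoke": store.session_device(phone_session),
        "tablet_after_revoke": store.session_device(tablet_session),
    }


if __name__ == "__main__":
    print(demo())
```

Looking up sessions and passwords by hash means a copy of the store does not yield usable credentials, and the single-use flag is what makes a leaked app password worthless once the intended device has redeemed it.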
Our team continues to focus on improving the security of your account and is dedicated to keeping up with safety and security best practices.