Yahoo Account

Yahoo experienced two of the largest data breaches in history — the 2013 breach affected all three billion user accounts, and the 2014 breach affected over 500 million accounts. Both included names, email addresses, phone numbers, birth dates, and security questions. These breaches were not publicly disclosed until 2016. If you have ever had a Yahoo account, your information was almost certainly compromised.

Given this history, securing your Yahoo account — or migrating away from it — deserves serious attention.

Should You Keep Using Yahoo?

Before configuring security settings, consider whether you still need a Yahoo account. Yahoo Mail scans email content for advertising purposes (even for paid subscribers unless you opt out), and the platform’s privacy track record is poor compared to alternatives like Proton Mail or a properly secured Google or iCloud account.

If you use Yahoo Mail as your primary email, consider migrating to a more privacy-respecting provider. If you keep your Yahoo account, apply all the settings below.

If you no longer need the account, the safest option is to delete it entirely. Navigate to the Yahoo account termination page and follow the prompts. Note that deleting your account will permanently remove all associated data including emails, contacts, and any connected services.

Account Security

Use a Strong Password

Use a strong, unique passphrase of at least 21 characters for your Yahoo account. Store it in a dedicated password manager like Bitwarden or 1Password. See the Passwords guide for details.

Do not reuse your Yahoo password anywhere else. Given Yahoo’s breach history, credentials associated with Yahoo accounts have been widely circulated in leaked databases. Check Have I Been Pwned to see if your email address has appeared in known breaches.

Enable Two-Step Verification

Two-step verification requires a second factor in addition to your password every time you sign in from a new device or browser.

How to enable:

  1. Sign in to your Yahoo Account Security page
  2. Next to “2-Step Verification,” click “Turn on 2SV”
  3. Click “Get started”
  4. Select your preferred verification method and follow the prompts

Available methods (in order of preference):

  1. Security key (passkey) — Phishing-resistant FIDO2/WebAuthn. Navigate to the Account Security page → “Ways of signing in” → Passkeys to register a hardware security key (like YubiKey) or device biometrics. This is the strongest option.
  2. Authenticator app — Use Authy, Google Authenticator, or similar. You will scan a QR code to link the app. Note that Yahoo may require at least two recovery methods on your account before this option appears.
  3. Yahoo push notifications — A push notification sent to Yahoo mobile apps on your devices.
  4. SMS/Voice codes — Yahoo sends a code via text or voice call. This is the weakest option due to SIM swap vulnerability. Use only if the above methods are not available to you.

Yahoo Account Key (Passwordless Sign-In)

Yahoo offers “Account Key,” a passwordless sign-in method that sends a push notification to your phone instead of requiring a password. While this eliminates password-based attacks, it relies on your phone being secure and your mobile number not being compromised.

If you use Account Key, make sure your phone itself is secured with a strong passcode, biometrics, and device encryption. See the Mobile Phone guide for details.

Recovery Options

Recovery methods are a double-edged sword — they help you regain access but also provide an attack path for adversaries.

Recommendations:

  • Remove phone numbers from recovery options if possible. Phone-based recovery is vulnerable to SIM swap attacks. If you must keep a phone number, secure your carrier account with a strong PIN and port-freeze (see the Mobile Phone guide).
  • Recovery email: If you use a recovery email address, make sure that email account is itself secured with a strong passphrase and 2FA. An attacker who compromises your recovery email can reset your Yahoo password.
  • If you use passkeys or an authenticator app for 2FA, you are less dependent on recovery methods, which reduces your overall attack surface.

How to remove recovery options (web):

  1. Sign in to the Yahoo Account Security page
  2. Click “Edit” next to the verification option you want to remove
  3. Click the Edit icon next to the specific recovery method
  4. Click “Remove from my account”
  5. Follow the on-screen prompts to confirm

From Yahoo mobile apps:

  1. Tap your Profile icon (upper left)
  2. Tap Manage Accounts → Account Info → Security Settings
  3. Tap “Edit” next to the verification option
  4. Tap the Edit icon next to the recovery method
  5. Tap “Remove from my account”

Privacy and Advertising

Email Scanning

Yahoo scans email content to serve targeted advertising — even for paid Yahoo Mail Plus subscribers unless you explicitly opt out. This is a significant privacy concern, especially if your inbox contains sensitive personal, financial, or health information.

How to limit email scanning: Navigate to Yahoo’s Privacy Dashboard and review the data categories Yahoo collects. Adjust settings to minimize data sharing where possible.

Advertising Opt-Out

Yahoo uses your browsing behavior, email content, and other activity to target advertising both on Yahoo properties and across the web.

How to opt out:

  1. Visit the Yahoo Ad Interest Manager
  2. Sign in to your Yahoo account
  3. Under “Your Advertising Choices,” click the opt-out button for both:
    • On Yahoo — Stops personalized ads on Yahoo sites
    • Across the Web — Stops Yahoo from targeting you with personalized ads on other websites
  4. Associate the opt-out with your account so it persists when you sign in

Note that opting out does not remove ads — it just makes them less targeted. You will still see advertisements.

Data Controls

Visit the Yahoo Privacy Dashboard to review and manage your data:

  • View what personal data Yahoo holds about you
  • Delete specific categories of collected data (search history, browsing activity, etc.)
  • Manage communication preferences and marketing emails

Recognizing and Responding to Account Compromise

Given Yahoo’s breach history, it is important to know the warning signs of account compromise and what to check.

Signs Your Account May Be Compromised

  • You stop receiving emails (they may be silently forwarded or filtered)
  • Your contacts report receiving spam from your Yahoo address
  • You see logins from unexpected locations in your recent activity page
  • Your account settings or mail preferences were changed without your knowledge

Settings to Audit If You Suspect Compromise

If you suspect unauthorized access, immediately change your password and enable 2FA, then review the following Yahoo Mail settings — these are commonly manipulated by attackers to maintain access or intercept your emails:

  • Auto-forwarding address — Make sure your email is not being forwarded to an unfamiliar address. This is the most critical setting to check, as it allows an attacker to silently receive copies of all your incoming mail.
  • Email filters — Check for new filters that may be hiding, deleting, or redirecting specific emails.
  • Reply-to address — Confirm replies to your emails go to your inbox, not an attacker’s address.
  • Send-only address — Check if an unfamiliar send-only address has been added.
  • Sending name — Confirm your display name has not been changed.
  • Email signature — Check for added links or content in your signature.
  • Vacation response — Look for unfamiliar automatic replies.
  • Default sending address — Confirm the “From” field uses your correct address.
  • Blocked addresses — Make sure legitimate contacts have not been blocked.

Connected Applications

Review third-party apps connected to your Yahoo account. Each connected app has some level of access to your account data.

Navigate to your Yahoo Account Settings → Connected Apps and revoke access for any application you no longer use or do not recognize.

Additional Recommendations

  • Do not save passwords in your Yahoo account or use Yahoo as a password manager. Use a dedicated password manager like Bitwarden or 1Password.
  • Do not use “Sign in with Yahoo” on third-party websites unless absolutely necessary. Each connected service increases your attack surface.
  • Check Have I Been Pwned at haveibeenpwned.com to see if your Yahoo email has appeared in data breaches beyond Yahoo’s own incidents.
  • Consider email aliases if you want to keep your Yahoo account but reduce exposure. Some services and dedicated alias providers (like SimpleLogin or addy.io) let you create disposable addresses that forward to your real inbox.

Security Checklist

  1. Decide whether to keep or delete your Yahoo account
  2. If keeping: set a strong, unique passphrase (21+ characters) using a password manager
  3. Enable two-step verification with a security key or authenticator app
  4. Remove phone numbers from recovery options (or secure your carrier with a PIN and port-freeze)
  5. Opt out of personalized advertising via the Ad Interest Manager
  6. Review the Privacy Dashboard and delete unnecessary collected data
  7. Check all Yahoo Mail settings for signs of compromise (especially auto-forwarding and filters)
  8. Review and revoke access for unused connected third-party apps
  9. Check Have I Been Pwned for breach exposure
  10. Consider migrating to a more privacy-respecting email provider