Yahoo Mail and Heartbleed: How to Secure Your Account

The Internet is still reeling from the Heartbleed bug, a recently discovered flaw in the OpenSSL encryption library that many websites, including Yahoo, use to secure Internet data. Today (April 9), Yahoo confirmed to reporters that it had upgraded its OpenSSL to a safe version and fixed the flaw on most of its servers.

You should now change the password on your Yahoo account, as well as any other accounts that use the same username and/or password. You can also check to see whether your Yahoo account was compromised during the almost two years the Heartbleed bug was active, and what to do if the answer is yes.

MORE: Heartbleed: Who Was Affected, What to Do Now

How to change your Yahoo password

Here's how to change your Yahoo password. If you're already signed in, just skip to number 3.

1. Sign in to your Yahoo account. Go to the Yahoo homepage,, and click the "Sign In" button in the upper right.

2. Enter your Yahoo ID (usually your email address) and your password.

3. Click on "Account Settings." You can access this by hovering your mouse over the "Hello [Name]" button in the upper right of the screen. This will make a menu containing the "Account Settings" button appear.This should take you to

4. In the Yahoo Settings page, click on "Account info."

5. Re-enter your password.

6. Under "Sign-In and Security" click "Change your password."

7. Re-enter your old password, then create a new password and enter it where prompted. A good password should be over 20 characters long, contain no actual words and contain numbers, capital letters and punctuation marks. It's not enough to simply replace O's with zeroes and I's with ones, as all but the simplest password-cracking algorithms try these simple substitutions while performing "dictionary" attacks.

If you need help creating a strong but memorable password, try this tip from security expert Bruce Schneier: take a long sentence or phrase and turn it into a password by taking the first letter of each word and replacing some of the letters with numbers or special characters. You could also use a password manager, a piece of software that creates and manages strong, unique passwords for each online account you have. Our sister site Top Ten Reviews has an overview of the best available.

How to check your Yahoo activity log

1. Go back to your Account Info page, and under "Sign-In and Security" click "View your recent sign-in activity."

2. Look through your logs for the following information: Accesses from locations where you don't usually log into Yahoo, and unusual types of access. For example, if you see an access from a mobile device, but you don't use your Yahoo account on a mobile device, that's a warning sign. (Note: the below picture only has two access records because the Yahoo account depicted was created for the purposes of this article).

What to do if you think you've been compromised

If you see some suspicious activity on your access logs, there are a few things you can do.

1. Contact Yahoo's customer care by going to and clicking "Contact Customer Care" on the right side of the screen.

In the meantime, here are some things you can do to strengthen your account security.

2. Turn on two-step verification by going back to the Account Info page and clicking "Set up your second sign-in verification."

MORE: How to Turn On 2-Step Verification in Yahoo, Google, Apple and Dropbox

3. Change your security questions by going back to the Account Info page and clicking "Update password-reset info." If you have other backup info, such as a mobile number or alternate email address you might not have the option of choosing a security question.

3. Make sure you're saving your sent emails. That way you can see a record of any emails sent using your account.

You can also check Yahoo's guide for securing a hacked account for more tips and how-tos.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
    Your comment
  • Thank you for your article. I don't use Yahoo mail, but I do use YahooGroups. How does this affect it? I'm assuming the same, but is there a way to determine if it was part of the vulnerability or to assess if there was unauthorized access as with the Yahoo mail?
  • In your article, you state at the beginning "today (April 9), Yahoo confirmed to reporters that it had upgraded its OpenSSL to a safe version and fixed the flaw on most of its servers." Can you please site your source for this? I can't find confirmation of this, most reports on the internet still list Yahoo! as vulnerable...
  • A Yahoo representative emailed Tom's Guide to say that the company's servers had mostly been patched. As far as we can tell, Yahoo has released no public statement to that effect, nor advised its users to update their passwords. But we think all Yahoo users should update their passwords immediately, and also change those passwords if they were used for any other site or service.