Yahoo Security Alert: Resetting Password Isn't Enough
Even if you reset your Yahoo password, your phone -- and a hacker's phone -- stays logged in. Here's how to reset access for mobile devices.
If you're a Yahoo user, you already know that 500 million Yahoo accounts were compromised by malicious hackers, and that you should reset your Yahoo password. What Yahoo didn't tell you was that you may also need to unlink, and then relink, all the mobile devices that access your Yahoo account.
That's because if you check your Yahoo email or Yahoo calendar on a tablet or smartphone, that mobile device is permanently logged into your Yahoo account with a unique password that's different from your regular password.
As Dustin Childs and Simon Zuckerbraun of Trend Micro pointed out in a recent blog post, even if you've reset your regular password, malicious hackers may have already give their own mobile devices permanent access to your account. We'll walk you through the entire process.
MORE: Best Password Managers
How to Reset Your Yahoo Password
1. Sign into your Yahoo account in a web browser on a desktop or laptop computer.
2. Click the gear icon on the far right of the menu bar and select Account Info.
3. Click Account Security in the left navigation bar.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
4. Click Change Password.
5. Type in your new password twice and click Continue.
If you haven't already set up two-step verification, do it now.
How to Set Up Yahoo Two-Step Verification
6. Toggle the switch next to Two-Step Verification on the Account Security page.
7. Enter your mobile number in the pop-up window.
8. Select Send SMS or Call Me.
9. Follow the instructions on the text message or call you receive from Yahoo on your mobile phone.
That takes care of your regular Yahoo password. Now you'll need to check to see if any unauthorized devices have access to your Yahoo account.
How to Check for Unauthorized Access to Your Yahoo Account
10. Click Recent Activity in the left navigation bar.
11. Look over "Apps connected to your account" for any devices, apps or locations that you don't recognize.
12. If there's anything unfamiliar, click Remove next to its listing.
Now you have to decide whether to remove what you DO recognize, and then authorize those apps again. If you use your Yahoo account only to receive junk mail, you might not need to do this.
But if you've already seen or removed an unfamiliar device from your account, then you should reset all your mobile accounts.
You also should do this if you use Yahoo as your primary email provider, or if you use it to receive email from banks, credit-card providers or other financial institutions with which you have accounts. Here's how to proceed.
How to Reset Your Yahoo Mobile Passwords
13. Click Remove next to one of your legitimate devices.
14. In the pop-up that appears, click the trash-can icon next to each listed mobile app.
15. Make sure to keep the pop-up window upon. You'll need to generate new per-app passwords for each app.
16. Click the "Select your app" button at the top of the pop-up window.
17. Scroll down to an app that you use, and click Generate.
18. If one of your regular apps is not listed, scroll all the way down to "Other app." Type in the name of that app -- for example, Galaxy S7 Email -- in the "Enter custom name" field, and click Generate.
19. You'll see a text string of 16 lowercase letters. Keep this window open.
20. Open the corresponding app on your mobile device and find the Settings menu.
21. Find the setting that corresponds to Yahoo account access.
22. Find the server settings and look for Incoming and Outgoing settings.
23. Click either Incoming Settings or Outgoing Settings and find the form-field into which you input your Yahoo password.
24. Type in the 16-letter password you generated on the Yahoo website. For email apps, you will need to do this for both Incoming and Outgoing settings.
25. Save your changes and see whether you can still access Yahoo from that app. If not, run through steps 12 through 15 again.
26. For each app that accesses your Yahoo account on each mobile device you own, you will need to repeat steps 9 through 15 individually.
27. Good luck.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.