Protect yourself and your data when using Yahoo Services
Updated 2021
Setup
Know how hard it is to move what you have posted off social media
- Test how effective it is to use the "download my data" functions of each platform you use. Start the download process, then take a thorough look at what data it provides. You may find that what is downloaded is not in a format you find easy to use.
- Allow some time for this process. If you have had an account for a long time, there will be a lot of data to download, and the service may take a day or so to bundle it for your download.
- How to download your data
Learn why we recommend this
Avoid relying on a social networking site as a primary host for your content, contacts, or other information.
Consider what you would lose access to if your government blocked a site or app. It is easy for governments to block access to social media within their boundaries if they object to what people are sharing. Social media services may also decide to remove objectionable content themselves, rather than face censorship in a particular country.
Social media might also remove content that they believe violates their policies about, for example, violent images or harassment. It is often difficult for them to understand the local context of what users have posted, particularly if it is not in English.
Decide whether you will use a real or fake name, and maintain separate accounts
- Be aware that even if you provide a fake name to a social media site, you may still be identifiable by the network you connect from and the IP address it assigns to your device unless you use a VPN or Tor to hide this information.
- Use a VPN when setting up an account for the first time to make it harder for someone to associate your profile with your IP address.
- Consider using separate accounts or separate identities/pseudonyms for different campaigns and activities. You will likely want to keep your personal and work accounts separate, at the very least.
- Remember that the key to using a social network safely is being able to trust people in that network. You and the others in your network will want to know that the people behind the accounts are who they say they are, and have ways to validate this. That does not necessarily mean you have to use your real name, but it may be important to use consistent fake names.
Learn why we recommend this
Some people maintain social media accounts with fake names, or one account with their actual name and one with a fake name, to ensure they can organize and connect with others with less risk to their free speech, safety, or liberty.
Set up with a fresh email address
- Set up a new e-mail address while using the Tor Browser or a trusted VPN.
- Suggested privacy-friendly mail services:
  - Proton Mail
  - If you have a friend who can invite you, Riseup Mail
  - Autistici
Learn why we recommend this
Email addresses provide one of the easiest ways to search for you: you need to provide one each time you set up a new account. If you really need to hide your identity, it is best to start over with a new social media account which you do not connect to your old accounts or to existing email addresses.
Don’t associate your phone number with your account
- Yahoo currently requires a phone number when you sign up, in case you lose access to your account. However, following the "Delete a mobile number or email address" instructions here, it appears to be possible to remove your number from your account. Click "remind me later" when you have removed the number. Use caution, though: it might still be possible for law enforcement to request your phone number from them.
Learn why we recommend this
Your phone number can be easily used to look you up and identify you. Consider whether your local law enforcement might make a legal request to social media companies to find the activity associated with your account, or whether someone seeking to harass or find you might make use of your number.
Designate someone to manage your account if you are unable to do it yourself
- Note that for legal reasons, Yahoo will not give a loved one or colleague access to your account. Rather, if you give them permission, they will make it possible to close and "memorialize" your account. If you expect someone else will need to access your account in the event of an emergency, arrange to share your login information with them using encrypted communication or the sharing function of your password manager.
- Learn how Yahoo handles the accounts of deceased users
- If a colleague has been arrested or detained, contact Access Now's Helpline or Front Line Defenders for assistance in working with Yahoo to secure access to their accounts.
Learn why we recommend this
This is something everyone should think about, regardless of their risk level. Social media sites have developed processes to handle situations where someone passes away or is seriously ill or jailed and others need to manage their account. Designating someone to care for your account can ensure others are notified of your situation, and prevent malicious people from defacing or hacking your account.
Account protection
Check recovery email and phone
- Look for recovery email and phone under "Verification methods: How we make sure it’s really you" here
- Change this information immediately if you lose access to your email address or phone number.
Learn why we recommend this
Your accounts use an email address and/or a phone number to help you recover your account in case of an authentication issue. The email address is also used to inform you of any security-related event. It is important to check this information to be sure that an attacker did not change it to gain control of your account later.
Use strong passwords
- Use strong passwords to protect your accounts. Anyone who gets into your social media account gains access to a lot of information about you and anyone you are connected to. See our guide on how to create and maintain secure passwords for more information.
Set up multifactor authentication (2FA)
- Use a security key, authenticator app, or security codes for multifactor authentication. Also look for "two step verification" here
- Do not use SMS or a phone call if possible, so you do not have to associate your phone number with your account. This is particularly important if your name is not already associated with your account.
Learn why we recommend this
See our guide to passwords and other login protections for more on why and how to set up multifactor authentication, sometimes known as 2FA or MFA.
Get a verification code to get back into your account
- Set up two-step verification
- Store those codes in your password manager.
- Alternately, print these codes out before you are in a situation where you might need them. Keep them somewhere safe and hidden, like your wallet or a locked safe.
Learn why we recommend this
Having verification codes written down or printed out gives you another way to get back into your account if you lose access. If you are traveling, this can be especially useful when you need to get into your accounts and may not have access to wifi or cellular data to use other multifactor authentication.
If your device is lost or stolen
Compare emails you may have received about security to those the app or service says it sent you
Learn why we recommend this
Phishing messages might try to convince you they are coming from your social media, to trick you into giving someone else access to your account. If you get a security email or text from a social media site, don't click on any of its links. Also, do not provide your password. Instead, log in to your account and check the following links to confirm whether the message was legitimate.
Look for suspicious access
Check active sessions and authorized devices, review account activity and security events
- Look at these pages listing which devices have recently logged in to your account (including using browsers or apps). Does every login look familiar?
- Look for instructions on how to log out devices that are not yours.
- Note that if you are using a VPN or Tor Browser, which can conceal your location, you may see your own device connected from unexpected locations.
- If you see suspicious activity on your account, immediately change your password to a new, long, random passphrase you do not use for any other accounts. Save this in your password manager.
- Learn how to find and remove unusual activity
Learn why we recommend this
Governments, police, domestic abusers, and other adversaries may find ways to watch your accounts by logging in from their devices. If they do so, it is possible you will be able to see it from these pages where social media services show which devices have been used to log into your accounts.
Get notified about logins
- Set notifications to be sent to the email address you associated with this account.
- Avoid using your phone number for notifications (see "avoid associating your phone number with accounts," above).
- Turn on notification prompts
Learn why we recommend this
If you suspect your account may be watched, or your adversaries may break into it, use this feature of social media accounts to be notified right away when it happens.
If you think your account has been hacked
Review other sites and apps that can access your account
- Avoid using your accounts to log in to other sites (like news sites, etc.). It is convenient, but that means it is convenient for attackers as well as for you, and may also leave more evidence of what you have viewed online. Use a different password for every site, and save it in your password manager.
- Be careful when connecting your social network accounts. You may be anonymous on one site, but exposed when using another.
- Look for "Revoke an app password" here
Learn why we recommend this
Most social networks allow you to integrate information with other social networks. For example, you can post an update on your Twitter account and have it automatically posted on your Facebook account as well. When other sites and apps have access, they can also be used by hackers to get into your social media accounts.
Download data for further analysis (advanced)
- Download your data
- Suggestions of what to look for
- Look for "Other ways to sign in > App password" here
Learn why we recommend this
If you suspect someone has intruded on your device, you might want to download all records of activity on your account, so you or your technical support person can look for unusual activity.
Decide what to post
The more information about yourself you reveal online, the easier it becomes for the authorities and others to identify you and monitor your activities. For example, if you share (or "like") a page that opposes some position taken by your government, agents of that government might very well take an interest and target you for additional surveillance or direct persecution. This can have consequences even for those not living under authoritarian regimes: the families of some activists who have left their home countries have been targeted by the authorities in their homelands because of things those activists have posted on social media.
Information that should never be sent on social media, even via direct message (DM)
- Passwords
- Personally identifying information, including
- your birthday
- your phone number (does it appear in screenshots of communications?)
- government or other ID numbers
- medical records
- education and employment history (these can be used by untrustworthy people who want to gain your confidence)
Information that you might not want to post on social media, depending on your assessment of the threats in your region:
- Your email address (at least consider having more- and less-sensitive accounts)
- Details about family members
- Your sexual orientation or activity
- Even if you trust the people in your networks, remember it is easy for someone to copy your information and spread it more widely than you want it to be.
- Agree with your network on what you do and do not want shared, for safety reasons.
- Think about what you may be revealing about your friends that they may not want other people to know; be sensitive about this, and ask them to be sensitive about what they reveal about you.
Don’t share location
Learn why we recommend this
If you are worried about someone finding you and doing you physical harm, stop your accounts from storing your location information. Turning off location services on your device also makes your mobile device's battery charge last longer.
Share photos and videos more safely
- Consider what is visible in photos you post. Never post images that include
  - your vehicle license plates
  - IDs, credit cards, or financial information
  - photographs of keys (it is possible to duplicate a key from a photo)
- Think hard before you post pictures that include or make it possible to identify
  - your friends, colleagues, and loved ones (ask permission before posting)
  - your home, your office, or other locations where you often spend time
  - if you are hiding your location, other identifiable locations in the background (buildings, trees, natural landscape features, etc.)
- Change your Flickr privacy settings so that who can view your photos is limited to yourself or friends and/or family
- Set your "geo privacy" so your photos do not reveal location
- Manage tagging of yourself and others in photos
- Hide your Flickr photos from public searches
- Remove EXIF data before you post photos
Learn why we recommend this
What you share could put yourself or others at risk. Get in the habit of seeking consent before posting about others, where possible. You may want to work with your colleagues to set guidelines for what you will and won't share publicly, under what conditions.
Photos and videos can reveal a lot of information unintentionally, particularly what is in the background. Many cameras also embed hidden data (metadata or EXIF tags) about the location, date, and time the photo was taken, the camera that took the photo, etc. Social media may publish this information when you upload photos or video.
Decide who can see
Think about group membership and who you connect with
Learn why we recommend this
When you join or start a community or group online, it reveals something about you to others. People may assume that you support or agree with what the group is saying or doing, which could make you vulnerable if you are seen to align yourself with particular political groups, for example. In some countries, connections on social media to individuals or groups have been used in court to make a case against someone, even when the two people were only loosely connected.
If you set up a group and people choose to join it, consider: what are they announcing to the world by doing so? For example, if it is an LGBTQI support group, will that affiliation bring dangers for members in your region? Consider the impact of visibility in your current moment. There may be times when it is valuable for your movement to be visible, and even at that moment people who want your support might need a way to connect with your group without being identified. Think strategically about the platforms where you create your groups, what you name them (would a coded name help, as it did the Mattachine Society or the Daughters of Bilitis gay and lesbian organizations in the 1950s?), and whether they are public or private.
If you join a large group with members that you don't know, be aware that adversaries might also join groups or make connections to identify you or your colleagues, get a better view of what you are doing, or even build false trust. If you suspect this is likely to happen, it is important to choose connections and post selectively when you make an account connected to your work.
Limit who can contact you
Learn why we recommend this
Limiting who can contact you can lessen the likelihood that you will be found when you are trying to be private, or targeted by people trying to falsely gain your trust or the trust of your network. This can also be useful if you are being harassed in non-public messages.
Manage advertising
- Turn everything in the "Personalize my experience" section to "off"
- Unsubscribe from all Yahoo marketing communications (you can use the single switch at the very bottom of this page instead of clicking all of these)
- Also tell Yahoo "Do not sell my personal data" under "Manage your information"
Learn why we recommend this
There is a possibility governments or police forces might buy advertising data from social media companies to target you and your network with disinformation, or try to find you.
Learn what social media will turn over to governments or law enforcement
- Search for "Yahoo" and the name of your country or jurisdiction on Lumen
- Yahoo is owned by Verizon Media. See their reports on:
Learn why we recommend this
Social media sites may give your information, including information you were trying to keep private, to governments or law enforcement if requested. Look through the following links to learn more about the conditions under which they will do so.
Leave no trace
Precautions when using a public or shared device
- Avoid accessing your social network account from shared devices (like an internet cafe or other people's devices).
- Delete your password and browsing history when you use a web browser on a public machine. Change the passwords of any accounts you accessed from shared devices as soon as you can, using your own device.
Delete search history
Learn why we recommend this
Some social media services keep track of things you have searched for within their sites and apps. If your account is compromised or your device is seized, your adversary could use this information against you, so it may be a good idea to clear this history out regularly, as well as clearing your browser history.
Handle abuse
Report abuse
Learn why we recommend this
Social media have unfortunately become a favorite method of harassment and disinformation worldwide. If you see malicious impersonation, hashtags being flooded, disinformation being spread, or you or your colleagues are being targeted and harassed, you are not alone and there may be help. Review the processes for reporting using the following links.
Report harassment that reveals information about you
Learn why we recommend this
Some abusers may try to target you by revealing information about where you live or work, your family or friends, or other personal details including images. In many cases you have a right to have this taken down, even if that information is true. Review the following links for information on how to get that information removed.
Identify and report coordinated inauthentic activity (botnets and spam)
Learn why we recommend this
Some harassment and disinformation is posted through automated means, rather than by individual people. If you suspect that you are seeing this "coordinated inauthentic activity," you can report it to the social media sites and they may ban those automated systems. While automation can be hard to prove, there are some cases in which reporting coordinated inauthentic activity might be more successful than reporting harassment, if you suspect the social media site will not understand the context of the harassment.
Report impersonation
Learn why we recommend this
Impersonation in the form of parody is usually accepted as free speech by most social media platforms, and will not be removed. However, impersonation for the purposes of defamation of character may not be, and you can report it.
Hide stressful content
Learn why we recommend this
Any of us may find some content more distressing than other people do, whether it be information on the death of a friend, public arguments which devalue us because of who we are, or frightening events in the news. If you need a break from this stress, here are some tools which can help hide content you do not wish to see, for as long as you wish.
Learn how to recover your account if it is disabled or suspended
Learn why we recommend this
For one reason or another, social media sites will sometimes disable an account. Human rights defenders have sometimes had their accounts shut down because they are documenting human rights abuses with violent scenes that violate the social media platforms' policies; because they have been reported by government, police, or other people who disagree with them; or even because the social media platform does not understand their context well enough to make sense of what they are posting. If this happens to you, you can appeal the decision and ask to have your account restored. Review the links below for information on how.
Take a break from your account
Learn why we recommend this
If you want to stop people from posting to your account because you will not be able to access it for a while (because you suspect you may be detained or jailed, or just because you need to take a break!), you may be able to temporarily deactivate your account on some social media. This can be useful if you face harassment or defamation. On other accounts, like email, you may not be able to stop incoming messages, but can set your account to automatically respond that you are away.
Learn how social media use your information
- For a useful add-on which clarifies the Terms of Service of many popular sites, see Terms of Service; Didn't Read.
- See Yahoo's policies here
Learn why we recommend this
It is often unclear what social media will do with your information when you share it. Is it combined with other data to guess things about you? Is it sold to other companies that may share that information even if you did not want it to be shared? Read the End User Licence Agreement and Privacy Policy or Data Use Policy for social media sites to find out.
Check forwarding settings
- Yahoo has discontinued forwarding for free accounts, but if you have a Pro or other account, go to your Inbox, click on Settings > More Settings > Mailboxes, and click on your mailbox name. On the bottom of the page, you can review the forwarding section with email addresses.
Learn why we recommend this
Auto-forwarding is an easy way for an attacker to access your email after compromising your account, by having it redirect all of your mail to them.
Portions of this guide were adapted from the Security Without Borders guide to account checkup, and are used under a Creative Commons Attribution-ShareAlike 4.0 International License.