Yahoo last week followed the lead of rivals Facebook and Google by telling users it would warn them when it believes they are in the crosshairs of state-backed cyber attackers.
"Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored actor. We'll provide these specific notifications so that our users can take appropriate measures to protect their accounts and devices in light of these sophisticated attacks," wrote Bob Lord, Yahoo's chief information officer, in a Dec. 21 post to a company blog.
Like Google and Facebook, Yahoo declined to go into specifics about how it separates the state-sponsored wheat from the run-of-the-mill hacker chaff, and used the same reasoning for not revealing its techniques -- essentially telling users of its Yahoo Mail to trust the company. "In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks," said Lord. "However, rest assured we only send these notifications of suspected attacks by state-sponsored actors when we have a high degree of confidence."
Traditionally, nation-backed cyber attacks have a reputation as being more sophisticated, sneakier and aimed at individuals believed to be in possession of important information, in many cases, state or commercial secrets. Security companies invariably label an attack as "state sponsored" when it rises significantly above the usual level of competence.
It's rare, however, that culpability is clear-cut -- attackers of all stripes go to great lengths to disguise their identities, locales and code source -- and hacker gangs not associated with a nation state are often indistinguishable from those backed by a government. Information, of course, has an inherent value, whether obtained by a state-backed or strictly criminal group, making the line between the two blurry at best.
Lord also did not say what triggered Yahoo's move -- a spike in such attacks or a specific incident -- making it possible that it was as much "we do this, too" as a move related to actual attacks.
Lord recommended several actions notified users can take, ranging from verifying that account recovery and email forwarding settings have not been monkeyed with to enabling two-factor authentication.
Security professionals typically suggest those same moves whenever an email or Web service user suspects that an account has been hijacked.