Yahoo Recycled Emails: Users Find Security Surprises

Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.

When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he's had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.

"I had tried periodically to obtain this email address, but I was never able to do it," Jenkins said in an interview. "I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting."

In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder's Boost Mobile service, which included the account and PIN numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.


Jenkins and other users who have obtained recycled Yahoo email IDs say that what they see in their inboxes raises real identity theft concerns.

"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," Jenkins said. "The identity theft potential here is kind of crazy."

Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.

On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn't have been a problem, Harris said, if it weren't for the misdirected emails he suddenly started receiving.

"I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable," Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.

In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder's name and address.

"It seemed odd to me that this email was coming from all over. It's clear that while the owner supposedly hadn't logged in in a while, she was still actively giving out that email address," Harris said.

They're not alone: Scott Newman, a Web developer, also signed up for one of Yahoo's recycled IDs. "I thought it was a cool idea because when you're standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had," he said.

Personal emails intended for someone else began arriving within the first day of account usage, Newman said.

"It started off with some stuff from catalogs and clothing companies and I thought, 'That's fine, I'll just unsubscribe.' I figured I'd have to deal with a little of that," Newman said in an interview. "But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died -- it was nuts."

User Rank: Apprentice
9/25/2013 | 5:03:29 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
My immediate reaction to what Yahoo has done is that it's typical of the new Yahoo. If Yahoo were truly concerned about the privacy of their users, they would retire inactive email addresses and terminate the service for those accounts. The fact that they're trying to get people interested in Yahoo email in this way shows just how clueless they actually are.

They redesigned their Groups service with something called Neo. I have no problem or objection to recasting the look of a free service, or even a paid one for that matter, but to break the functionality that people have used for years for the sake of something merely new is unforgivable. Yahoo's terms of service are essentially that they can do whatever they want, whenever they want to do it, and you have no real recourse - except to either deal with the fallout of gimcrack implementation or take your business elsewhere. That is not the way to build up a trust relationship with people you want to court or maintain as customers.
User Rank: Apprentice
9/25/2013 | 3:11:42 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
People make a lot of fuss over this, but how do you think the plain old mail system works?

If you don't change your home address when you move, companies still send sensitive information to your old address, just as easy for the taking. You really think the new guy at your old place never opened your mail? You really think that little paper envelope will guard your information from those prying eyes? Really?

Wake up people, the Internet isn't some new place with a complete new set of rules, it's the freaking same thing as in real life...
User Rank: Apprentice
9/25/2013 | 12:50:31 AM
re: Yahoo Recycled Emails: Users Find Security Surprises
Makes me glad that I'm paying $20 a year for my account with Yahoo! I once sent a long message to an old friend, trying to catch up, and it came back from someone in the UK saying that he now possessed the address and realized my message wasn't intended for him. He was courteous and did the right thing. The opportunities for this process to go awry don't need to be delineated, beyond the story above.
User Rank: Apprentice
9/24/2013 | 6:02:27 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
Mike Bracco @bracco tweeted that he forwards all email (even old accounts he doesn't use) because he doesn't ever want to lose past namespaces. Readers: How do you treat your email addresses differently?
User Rank: Apprentice
9/24/2013 | 4:33:58 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
The notion that a free email address will be "yours for life" seems a tad optimistic. But these users saw the flip side of recycling IDs.

Readers, are you surprised by the "risk shift" approach? Have you had experiences like this with other providers? Let's hear from you.