Yahoo Recycled Emails: Users Find Security Surprises
Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.
Yahoo's initiative to free up dormant accounts began in mid-June when the company first announced its plan. "Today, I'm excited to share with you our next big push: We want to give our loyal users and new folks the opportunity to sign up for the Yahoo ID they've always wanted," wrote Jay Rossiter, senior VP of platforms, on the company's Tumblr. A Yahoo ID is a user name that lets you access all of the company's personalized services, such as messenger, email and more.
Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to log in to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.
In July, Yahoo opened up a wish list where users could name their top five choices for a username. Come August, Yahoo would contact them if one of their IDs was available and send them instructions to claim it within 48 hours.
Almost immediately, privacy advocates and security analysts criticized Yahoo's initiative. Some called it "an underhanded and risky way to get people to re-engage with Yahoo," while others called attention to the real potential for others to take over people's identities via password resets and other methods.
Following the criticism, Yahoo released a statement reaffirming its confidence in the initiative and shedding more light on the steps it would take to ensure privacy and security. The company said that personal data and private content associated with the accounts would be deleted and would not be accessible to the new account holder.
"To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties."
In July, Yahoo followed up with more details about its security efforts. The company said it would work with businesses to implement a "Require-Recipient-Valid-Since" (RRVS) header. If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, and the new header would signal to Yahoo to check the age of the account before delivering the mail. If the values don't match, the email would bounce.
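A sketch of how a receiving mail server could apply the RRVS check described above. This is an added example, not code from the article or from Yahoo. The `address; date` header value format, the ownership table, the addresses and the dates are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed data: when the current owner took control of each mailbox.
OWNED_SINCE = {
    "jsmith@mail.example": datetime(2013, 8, 26, tzinfo=timezone.utc),  # recycled ID
    "alice@mail.example": datetime(2006, 3, 1, tzinfo=timezone.utc),    # never recycled
}

# Constructed password-reset mail from a site where the *previous* owner
# of jsmith@mail.example registered in 2009.
RESET_MAIL = (
    "From: security@social.example\n"
    "To: jsmith@mail.example\n"
    "Subject: Reset your password\n"
    "Require-Recipient-Valid-Since: jsmith@mail.example; Tue, 14 Apr 2009 10:00:00 +0000\n"
    "\n"
    "Follow the link to choose a new password.\n"
)

def rrvs_decision(raw_message, rcpt):
    """Return 'deliver' or 'bounce' for one recipient of one message."""
    owned_since = OWNED_SINCE.get(rcpt.lower())
    if owned_since is None:
        return "bounce"  # no such mailbox
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != rcpt.lower():
            continue  # malformed, or about a different recipient
        try:
            valid_since = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: treat the header as absent
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        # The sender knew the owner as of valid_since. If the mailbox changed
        # hands after that date, the intended reader is no longer the owner.
        if owned_since > valid_since:
            return "bounce"
    return "deliver"

if __name__ == "__main__":
    print(rrvs_decision(RESET_MAIL, "jsmith@mail.example"))
```

Mail that carries no such header is delivered as usual, so the protection only covers senders that add it.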
Yahoo's security measures appeared sound in theory, said Gant Redmon, general counsel and VP with privacy and security company Co3 Systems, but failed in practice.
Yahoo's idea was problematic from the start, Redmon said. "I can understand why Yahoo would want to do it: It's a legacy email service that they're trying to turn around and generate more interest in. But the initiative is troublesome," he said in an interview. "Email has become a primary identifier because no two people are supposed to have the same email address. When you sign up for it, you think it's yours for life."
However, Terry Cutler, chief technology officer at IT security company Digital Locksmiths, said he's surprised that Yahoo's security measures allowed for such a slip in the examples of Jenkins, Harris and Newman. "Yahoo seems to have done it right," Cutler said in an interview. "They did the right thing by shutting down accounts for a period of time, which should have helped to clean them up. But something's clearly not working, and that's a big problem."