Yahoo Recycled Emails: Users Find Security Surprises

Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.

Though Yahoo's security measures weren't effective for everyone, Redmon said the company isn't liable for the misdirected personal emails. "Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn't fit the Yahoo scenario," he said. "Yahoo hasn't lost or disclosed information they shouldn't have. They're not responsible for the fact that it was disclosed to a third party -- the user is."

Yahoo performed what Redmon calls a "risk shift": Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.

In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said that the company has received minimal complaints from recycled-account holders. "We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder," he said. "We are continuing to work with companies to implement the RRVS email header standard that we published to the [Internet Engineering Task Force]."
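The RRVS header Casey refers to is Require-Recipient-Valid-Since (Yahoo's IETF proposal, later published as RFC 7293): a sending service stamps the address and the date on which it last confirmed the recipient owned it, and the receiving mail system rejects the message if the mailbox changed hands after that date. The following is an added illustration, not Yahoo's or the RFC's code, of the receiving side of that check; the account records, the raw message, and the helper names `parse_rrvs`, `rrvs_decision` and `check_message` are all constructed for the example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed account records: address -> moment the CURRENT owner took the mailbox.
# A recycled ID gets the reassignment date, not the original creation date.
ACCOUNT_OWNER_SINCE = {
    "recycled.name@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime.user@example.com": datetime(2009, 3, 2, tzinfo=timezone.utc),
}


def parse_rrvs(header_value):
    """Parse an RRVS value of the form 'addr-spec; date-time' into (address, aware datetime)."""
    addr_part, sep, date_part = header_value.partition(";")
    if not sep:
        raise ValueError("RRVS value needs ';' between address and date")
    _, addr = parseaddr(addr_part.strip())
    if not addr:
        raise ValueError("RRVS value has no parseable address")
    try:
        valid_since = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError) as exc:  # older Pythons raise TypeError here
        raise ValueError("RRVS value has an unparseable date") from exc
    if valid_since.tzinfo is None:
        valid_since = valid_since.replace(tzinfo=timezone.utc)
    return addr.lower(), valid_since


def rrvs_decision(rcpt_to, header_value, owner_since=ACCOUNT_OWNER_SINCE):
    """Decide whether to accept mail for rcpt_to given an RRVS header value.

    Returns (accept, smtp_reply). The reply strings use enhanced status codes:
    5.7.17 is the one RFC 7293 registers for 'mailbox owner has changed'.
    """
    rcpt_to = rcpt_to.lower()
    try:
        addr, valid_since = parse_rrvs(header_value)
    except ValueError as exc:
        # This example's policy: a malformed assertion is treated as a failed one,
        # because the sender asked for protection and we cannot honour it.
        return False, f"550 5.7.0 Malformed Require-Recipient-Valid-Since ({exc})"
    if addr != rcpt_to:
        # The header is about some other address (e.g. a forward); it tells us
        # nothing about this recipient, so it is not applied.
        return True, "250 2.1.5 Recipient OK (RRVS header not for this recipient)"
    if rcpt_to not in owner_since:
        return False, "550 5.1.1 No such mailbox"
    if owner_since[rcpt_to] > valid_since:
        # Ownership changed after the sender last confirmed it: this is exactly
        # the misdirected-mail case in the article, so refuse delivery.
        return False, "550 5.7.17 Mailbox owner has changed"
    return True, "250 2.1.5 Recipient OK"


def check_message(rcpt_to, raw_message, owner_since=ACCOUNT_OWNER_SINCE):
    """Pull the RRVS header out of a raw RFC 5322 message and apply the check."""
    msg = message_from_string(raw_message)
    header_value = msg.get("Require-Recipient-Valid-Since")
    if header_value is None:
        # No assertion from the sender: ordinary delivery rules apply.
        return True, "250 2.1.5 Recipient OK (no RRVS header)"
    return rrvs_decision(rcpt_to, header_value, owner_since)


# Constructed sample: an apartment-application confirmation whose sender last
# confirmed the recipient in June 2013, before the ID was recycled in August.
SAMPLE_MESSAGE = (
    "From: leasing@apartments.example.net\r\n"
    "To: recycled.name@example.com\r\n"
    "Require-Recipient-Valid-Since: recycled.name@example.com;"
    " Sat, 01 Jun 2013 09:23:11 -0700\r\n"
    "Subject: Your application\r\n"
    "\r\n"
    "Your application has been received.\r\n"
)

if __name__ == "__main__":
    print(check_message("recycled.name@example.com", SAMPLE_MESSAGE))
```

The decision only works if the provider records the reassignment date (not the original creation date) for recycled IDs, and only for senders that add the header; mail from everyone else still lands with the new owner, which is why the users quoted below are still receiving it.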

Today, Yahoo charges $1.99 for you to request up to five usernames on Yahoo's Watch List. Jenkins, who signed up when it was free, said that the hassle of dealing with the misdirected email -- which totals between six and 10 messages a day, in addition to the "boatloads" of junk email -- hasn't been worth it. He's considering shutting down his account.

Harris, whose two Yahoo accounts were merged into one, said it took four phone calls and about four hours with Yahoo customer service to separate the two accounts and close the recycled one. "They were really helpful considering it's a free service, but they had a lot of trouble figuring out how to do it."

Newman said he's actively filtering the former account holder's email with hopes that the volume will eventually decrease. "I'm using the new account mostly for unimportant email because I'd probably go crazy trying to figure out what email is supposed to be mine and theirs," he said. "It's kind of disappointing because it's a great username to have, but I don't want to work this hard for it. Plus, getting someone else's mail just feels gross."

Those peeks into other people's personal lives leave Newman and Jenkins uneasy about Yahoo continuing to recycle accounts, and concerned for others whose accounts may have been closed.

"The most distressing part for me is that because I'm a Web developer, I know how easy it could be to reset all their passwords. It's scary to think about the damage I could do," Newman said. "Just yesterday I got an email confirmation for an apartment application. I could have canceled someone's apartment."

Jenkins said the opportunities for hackers are his biggest concern. "In some ways, the former user should be lucky that I'm getting this email because I would never do anything bad with it. But this whole situation made me nervous about my other email addresses. What happens when I stop using them?"

User Rank: Apprentice
9/25/2013 | 5:03:29 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
My immediate reaction to what Yahoo has done is that it's typical of the new Yahoo. If Yahoo were truly concerned about the privacy of their users, they would retire inactive email addresses and terminate the service for those accounts. The fact that they're trying to get people interested in Yahoo email in this way shows just how clueless they actually are.

They redesigned their Groups service with something called Neo. I have no problem or objection to recasting the look of a free service, or even a paid one for that matter, but to break the functionality that people have used for years for the sake of something merely new is unforgivable. Yahoo's terms of service are essentially that they can do whatever they want, whenever they want to do it, and you have no real recourse - except to either deal with the fallout of gimcrack implementation or take your business elsewhere. That is not the way to build up a trust relationship with people you want to court or maintain as customers.
User Rank: Apprentice
9/25/2013 | 3:11:42 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
People make a lot of fuss over this, but how do you think the plain old mail system works?

If you don't change your home address when you move, companies still send sensitive information to your old address, just as easy for the taking. You really think the new guy at your old place never opened your mail? You really think that little paper envelope will guard your information from those prying eyes? Really?

Wake up people, the Internet isn't some new place with a complete new set of rules, it's the freaking same thing as in real life...
User Rank: Apprentice
9/25/2013 | 12:50:31 AM
re: Yahoo Recycled Emails: Users Find Security Surprises
Makes me glad that I'm paying $20 a year for my account with Yahoo! I once sent a long message to an old friend, trying to catch up, and it came back from someone in the UK saying that he now possessed the address and realized my message wasn't intended for him. He was courteous and did the right thing. The opportunities for this process to go awry don't need to be delineated, beyond the story above.
User Rank: Apprentice
9/24/2013 | 6:02:27 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
Mike Bracco @bracco tweeted that he forwards all email (even old accounts he doesn't use) because he doesn't ever want to lose past namespaces. Readers: How do you treat your email addresses differently?
User Rank: Apprentice
9/24/2013 | 4:33:58 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
The notion that a free email address will be "yours for life" seems a tad optimistic. But these users saw the flip side of recycling IDs.

Readers, are you surprised by the "risk shift" approach? Have you had experiences like this with other providers? Let's hear from you.