Vulnerabilities / Threats
9/23/2013
09:48 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Yahoo Recycled Emails: Users Find Security Surprises

Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.

Though Yahoo's security measures weren't effective for everyone, Redmon said the company isn't liable for the misdirected personal emails. "Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn't fit the Yahoo scenario," he said. "Yahoo hasn't lost or disclosed information they shouldn't have. They're not responsible for the fact that it was disclosed to a third party -- the user is."

Yahoo performed what Redmon calls a "risk shift": Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.

In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said that the company has received minimal complaints from recycled-account holders. "We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder," he said. "We are continuing to work with companies to implement the RRVS email header standard that we published to the [Internet Engineering Task Force]."

Today, Yahoo charges $1.99 for you to request up to five usernames on Yahoo's Watch List. Jenkins, who signed up when it was free, said that the hassle of dealing with the misdirected email -- which totals between six and 10 messages a day, in addition to the "boatloads" of junk email -- hasn't been worth it. He's considering shutting down his account.

Harris, whose two Yahoo accounts were merged into one, said it took four phone calls and about four hours with Yahoo customer service to separate the two accounts and close the recycled one. "They were really helpful considering it's a free service, but they had a lot of trouble figuring out how to do it."

Newman said he's actively filtering the former account holder's email with hopes that the volume will eventually decrease. "I'm using the new account mostly for unimportant email because I'd probably go crazy trying to figure out what email is supposed to be mine and theirs," he said. "It's kind of disappointing because it's a great username to have, but I don't want to work this hard for it. Plus, getting someone else's mail just feels gross."

Those peeks into other people's personal lives leave Newman and Jenkins uneasy about Yahoo's continuation with recycled accounts, and concerned for others whose accounts may have closed.

"The most distressing part for me is that because I'm a Web developer, I know how easy it could be to reset all their passwords. It's scary to think about the damage I could do," Newman said. "Just yesterday I got an email confirmation for an apartment application. I could have canceled someone's apartment."

Jenkins said the opportunities for hackers are his biggest concern. "In some ways, the former user should be lucky that I'm getting this email because I would never do anything bad with it. But this whole situation made me nervous about my other email addresses. What happens when I stop using them?"

Previous
3 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BubbaIT
50%
50%
BubbaIT,
User Rank: Apprentice
9/25/2013 | 5:03:29 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
My immediate reaction to what Yahoo is done is that it's typical of the new Yahoo. If Yahoo were truly concerned about the privacy of their users, they would retire inactive email addresses and terminate the service for those accounts. The fact that they're trying to get people interested in Yahoo email in this way shows just how clueless they actually are.

They redesigned their Groups service with something called Neo. I have no problem or objection to recasting the look of a free service, or even a paid one for that matter, but to break the functionality that people have used for years for the sake of something merely new is unforgivable. Yahoo's terms of service are essentially that they can do whatever they want, whenever they want to do it, and you have no real recourse - except to either deal with the fallout of gimcrack implementation or take your business elsewhere. That is not the way to build up a trust relationship with people you want to court or maintain as customers.
John109
50%
50%
John109,
User Rank: Apprentice
9/25/2013 | 3:11:42 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
People make a lot of fuss over this, but how do you think plain old mail system works?

If you don't change your home address when you move, companies still send you sensitive information to your old address just as easy for the taking. You really think the new guy at your old place never opened your mail? You really think that little paper envelope will guard your information from those prying eyes? Really?

Wake up people, the Internet isn't some new place with a complete new set of rules, it's the freaking same thing as in real life...
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
9/25/2013 | 12:50:31 AM
re: Yahoo Recycled Emails: Users Find Security Surprises
Makes me glad that I'm paying $20 a year for my account with Yahoo! I once sent a long message to an old friend, trying to catch up, and it came back from someone in the UK saying that he now possessed the address and realized my message wasn't intended for him. He was courteous and did the right thing. The opportunities for this process to go awry don't need to be delineated, beyond the story above.
Guest
50%
50%
Guest,
User Rank: Apprentice
9/24/2013 | 6:02:27 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
Mike Bracco @bracco tweeted that he forwards all email (even old accounts he doesn't use) because he doesn't ever want to lose past namespaces. Readers: How do you treat your email addresses differently?
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
9/24/2013 | 4:33:58 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
The notion that a free email address will be "yours for life" seems a tad optimistic. But these users saw the flip side of recycling IDs.

Readers, are you surprised by the "risk shift" approach? Have you had experiences like this with other providers? Let's hear from you.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.