9/23/2013
09:48 AM

Yahoo Recycled Emails: Users Find Security Surprises

Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.

When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he's had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.

"I had tried periodically to obtain this email address, but I was never able to do it," Jenkins said in an interview. "I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting."

In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder's Boost Mobile service, which included the account and PIN numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.

Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.

"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," Jenkins said. "The identity theft potential here is kind of crazy."

Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.

On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn't have been a problem, Harris said, if it weren't for the misdirected emails he suddenly started receiving.

"I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable," Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.

In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder's name and address.

"It seemed odd to me that this email was coming from all over. It's clear that while the owner supposedly hadn't logged in in a while, she was still actively giving out that email address," Harris said.

They're not alone: Scott Newman, a Web developer, also signed up for one of Yahoo's recycled IDs. "I thought it was a cool idea because when you're standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had," he said.

Personal emails intended for someone else began arriving within the first day of account usage, Newman said.

"It started off with some stuff from catalogs and clothing companies and I thought, 'That's fine, I'll just unsubscribe.' I figured I'd have to deal with a little of that," Newman said in an interview. "But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died -- it was nuts."

Comments
BubbaIT,
User Rank: Apprentice
9/25/2013 | 5:03:29 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
My immediate reaction to what Yahoo has done is that it's typical of the new Yahoo. If Yahoo were truly concerned about the privacy of their users, they would retire inactive email addresses and terminate the service for those accounts. The fact that they're trying to get people interested in Yahoo email in this way shows just how clueless they actually are.

They redesigned their Groups service with something called Neo. I have no problem or objection to recasting the look of a free service, or even a paid one for that matter, but to break the functionality that people have used for years for the sake of something merely new is unforgivable. Yahoo's terms of service are essentially that they can do whatever they want, whenever they want to do it, and you have no real recourse - except to either deal with the fallout of gimcrack implementation or take your business elsewhere. That is not the way to build up a trust relationship with people you want to court or maintain as customers.
John109,
User Rank: Apprentice
9/25/2013 | 3:11:42 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
People make a lot of fuss over this, but how do you think the plain old mail system works?

If you don't change your home address when you move, companies still send you sensitive information to your old address just as easy for the taking. You really think the new guy at your old place never opened your mail? You really think that little paper envelope will guard your information from those prying eyes? Really?

Wake up people, the Internet isn't some new place with a complete new set of rules, it's the freaking same thing as in real life...
cbabcock,
User Rank: Apprentice
9/25/2013 | 12:50:31 AM
re: Yahoo Recycled Emails: Users Find Security Surprises
Makes me glad that I'm paying $20 a year for my account with Yahoo! I once sent a long message to an old friend, trying to catch up, and it came back from someone in the UK saying that he now possessed the address and realized my message wasn't intended for him. He was courteous and did the right thing. The opportunities for this process to go awry don't need to be delineated, beyond the story above.
Guest,
User Rank: Apprentice
9/24/2013 | 6:02:27 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
Mike Bracco @bracco tweeted that he forwards all email (even old accounts he doesn't use) because he doesn't ever want to lose past namespaces. Readers: How do you treat your email addresses differently?
Laurianne,
User Rank: Apprentice
9/24/2013 | 4:33:58 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
The notion that a free email address will be "yours for life" seems a tad optimistic. But these users saw the flip side of recycling IDs.

Readers, are you surprised by the "risk shift" approach? Have you had experiences like this with other providers? Let's hear from you.