Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/25/2013
08:57 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Yahoo Responds To Recycled Email Security Problem

Yahoo will launch a "Not My Email" button to return old account-holders' email and help former users reclaim their accounts.

10 Ways To Fight Email Overload
10 Ways To Fight Email Overload
(click image for larger view and for slideshow)
Yahoo announced late Tuesday night that the company plans to roll out a tool for recipients of recycled email accounts to return messages that were not intended for them. InformationWeek reported Tuesday on three Yahoo users who began receiving emails containing personal information intended for the former user -- including bank and wireless account information -- after signing up for a recycled Yahoo account.

The new button, called "Not My Email," will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.

Yahoo said it also plans to help to users who have lost their Yahoo account due to inactivity. These steps include outreach to users by phone and email and extending the grace period for inactive accounts.

[ Some Yahoo users got more than they bargained for. Read more: Yahoo Recycled Emails: Users Find Security Surprises. ]

In a statement to InformationWeek, a Yahoo spokesperson said that users of inactive accounts will be notified one month in advance via their Yahoo Mail account, alternate email address and SMS if their account is subject to being recycled. If they don't activate their account within the next 30 days by logging into any Yahoo property, the email account will be scrubbed and everything deleted.

"We will then bounce emails to it and after a period of time open it up for anyone to register for," the spokesperson said. "At that time, the earlier account owner could try to register for it -- but their content wouldn't be in there. Alternatively, if someone else registers the account, the earlier account owner could go to watchlist.yahoo.com and pay $1.99 to get put on the watchlist for that name and 4 others."

According to Dylan Casey, Yahoo's senior director of platforms, the company monitored systems for claims about mistaken deliveries and were able to identify the problem with some of the accounts. The email bounce method, he said, was insufficient for senders to see that the email was no longer valid. Casey maintained that the email problem has affected only a small number of Yahoo users.

Casey also said that Yahoo is continuing to look into its Require-Recipient-Valid-Since protocol, a header that senders add to emails to check the age of the account before delivering a message. The company said it is reaching out to businesses such as Amazon, eBay, PayPal and Walmart to target emails to current users instead of the former account holders.

Yahoo's initiative to free up dormant accounts began in mid-June when the company first announced its plan. Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to login to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.

In July, Yahoo opened up a wish list where users could name their top five choices for a username. In August, Yahoo contacted them if one of their IDs was available and sent them instructions to claim it within 48 hours. Almost immediately, privacy advocates and security analysts criticized Yahoo's initiative.

A Yahoo user cited in InformationWeek's story reported that the emails he received would allow him to log into the former accountholder's Pandora and Facebook accounts. He also knew the user's name, address, phone number, the last four digits of the user's social security number and where the user's child goes to school.

The other Yahoo users reported similar experiences: They received email receipts from Nordstrom, timecards that detailed mileage reimbursements, airline confirmations and an apartment application confirmation.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GinaH714
50%
50%
GinaH714,
User Rank: Apprentice
6/1/2016 | 12:15:43 AM
re: Yahoo Responds To Recycled Email Security Problem
Yahoo should have notified all users before they deleted accounts and give them an option to keep them .however not all deleted accounts were inactive for a long time.Also,Some accounts will not let you sign in even with the correct password unless a phone verification code is used without an email  warning for a chance to  update info .There is no option to verify old phone numbers to add new one.so people are locked out,even though they have an open active account and correct password
Kawit Ajang
50%
50%
Kawit Ajang,
User Rank: Apprentice
9/26/2013 | 8:06:32 AM
re: Yahoo Responds To Recycled Email Security Problem
why
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
9/25/2013 | 6:10:57 PM
re: Yahoo Responds To Recycled Email Security Problem
"Not My Email"... LOL
They follow up one disaster with another. It's NEVER a good idea to recycle any account without first deleting any data associated with the previous account holder. Yahoo should have handled this correctly instead of making one gaffe beget another.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...