Yahoo tells security critics to chillax regarding its email recycling program
So much for trying to be nice. Yahoo’s latest bid to lift itself from the tech also-ran swamp with an email recycling initiative has been criticized for potential security threats to dormant users. To try and calm down the pitchfork-wielding crowd, the company has released a statement describing various security measures that will be taken to insure past users’ data and security—but they may not cover all the bases.
How safe are old users?
A June 12 tumblr post unveiled Yahoo’s plan to make available inactive, but succinctly-named Yahoo accounts. The company holds nearly two decades worth of accounts and their associated emails. Over the years, many of these users have moved on from the ecosystem forcing newer, active users to settle for an unintelligible email address like email@example.com as opposed to firstname.lastname@example.org.
The primary concern is that with a little research into dormant Yahoo accounts, crafty identity thieves could use associated email addresses to access bank accounts, social media, and other online portals.
The threat of that isn’t off base. For example, I signed into Yahoo Groups and joined a group dedicated to Janet Jackson’s 2004 Super Bowl appearance. Oddly enough, the group (built around the event that took place in George W. Bush’s first term!) features posts as recently as a month ago, though all the newer posts appear to be spam bots. However, Yahoo offers an “oldest” function in their posts that automatically took me back to a number of original and peopled posts from 2004.
Going back in time nine years, I was able to find a bounty what appears to be genuine users full real name along with their Yahoo email handle—or at least a handle for some other email address. Within this glut of information are surely some genuine Yahoo address handles along with a user’s full name.
Playing the numbers game, a would-be identity thief would be able to have their pick of retired Yahoo accounts along with the associated person’s real name and use that information to access online information.
According to Wired’s Matt Honan, Yahoo has responded the concerns with the following statement:
Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.
To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
The most important part of the statement is the notification of merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties, which will hopefully help lax users remain secure. Hopefully the various online entities will act quickly to avoid any unwanted access.
Protect your ghost accounts
Yahoo’s recycling plan will free-up IDs that have been inactive for the past 12 months. Current users will be able to apply for newly-freed Yahoo ID beginning in mid-July, and they will find out which accounts they were able to by mid-August.
If you wish to keep your Yahoo address, simply log-in to any Yahoo property before July 15 and your account will be spared from the recycling program. If you can remember your old Yahoo account, it may be worth it to log-in to that Flickr account you haven’t touched in five years. Just to be on the safe side.