Yahoo ID recycling scheme is potential security minefield

Yahoo’s recently announced email account / Yahoo ID recycling scheme was meant to free up inactive (and attractive) accounts so that they can be snapped up by another user. But while the idea initially had been thought by company executives as good move, the reality has proven to be harsher.

InformationWeek‘s Kristin Burnham has tracked down three users who took advantage of the (then free, now costing $1.99) offer of creating a wish list with their top five choices for a username, and have been fortunate enough to receive one.

But what they didn’t expect was the barrage of legitimate and spam emails they continued to receive in their new inbox.

Marketing emails, Facebook and Pandora emails with certain account information, emails from investment firms and Boost Mobile, emailed receipts from stores, detailed mileage reimbursements, court information, and much more was delivered, often including personal and financial information the new users could have easily used to steal the identity of the previous account owner.

In theory, this should not have happened.

When Yahoo made a list of inactive accounts (after notifying their owners of the initiative and failing to receive proof that the accounts were still used), they deleted all the data contained in the account.

Then, they took a month to send bounce-back emails alerting senders that the deactivated account no longer exists; unsubscribe these accounts from commercial emails such as newsletters and email alerts; and coordinate with online services and companies the implementation a “Require-Recipient-Valid-Since” (RRVS) header that would prevent password reset emails to be delivered to the new owners.

But in practice, these measures failed. Yahoo said that they “have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder,” and that they continue working with companies to implement the RRVS email header.

Nevertheless, the interviewed three new owners were not ultimately satisfied with the move to the new account, and are either trying to filter the unwanted emails, have closed down the new account and reverted to the old one, or are actively thinking about doing it.

All in all, what should have been a positive experience that should have made them appreciate Yahoo even more has turned into a nuisance and additional work – not something that Yahoo hoped for, surely.

But whether these experiences are exceptions or the norm is hard to tell just now – let’s hope for the former. In these cases, the new account owners were ethical, and haven’t misused the sensitive information they garnered via the emails, but chances are there are people out there who won’t be that virtuous.

More about

Don't miss