Yahoo Recycled Emails: Users Find Security Surprises

Published: 22/11/2024   Category: security




Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.



When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he's had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.
"I had tried periodically to obtain this email address, but I was never able to do it," Jenkins said in an interview. "I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting."
In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder's Boost Mobile service, which included the account and PIN numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.
Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.
"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," Jenkins said. "The identity theft potential here is kind of crazy."
Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.
On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn't have been a problem, Harris said, if it weren't for the misdirected emails he suddenly started receiving.
"I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable," Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.
In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder's name and address.
"It seemed odd to me that this email was coming from all over. It's clear that while the owner supposedly hadn't logged in in a while, she was still actively giving out that email address," Harris said.
They're not alone: Scott Newman, a Web developer, also signed up for one of Yahoo's recycled IDs. "I thought it was a cool idea because when you're standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had," he said.
Personal emails intended for someone else began arriving within the first day of account usage, Newman said.
"It started off with some stuff from catalogs and clothing companies and I thought, 'That's fine, I'll just unsubscribe.' I figured I'd have to deal with a little of that," Newman said in an interview. "But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died -- it was nuts."
Yahoo's initiative to free up dormant accounts began in mid-June when the company first announced its plan. "Today, I'm excited to share with you our next big push: We want to give our loyal users and new folks the opportunity to sign up for the Yahoo ID they've always wanted," wrote Jay Rossiter, senior VP of platforms, on the company's Tumblr. A Yahoo ID is a user name that lets you access all of the company's personalized services, such as messenger, email and more.
Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to log in to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.
In July, Yahoo opened up a wish list where users could name their top five choices for a username. Come August, Yahoo would contact them if one of their IDs was available and send them instructions to claim it within 48 hours.
Almost immediately, privacy advocates and security analysts criticized Yahoo's initiative. Some called it an underhanded and risky way to get people to re-engage with Yahoo, while others called attention to the real potential for others to take over people's identities via password resets and other methods.
Following the criticism, Yahoo released a statement reaffirming its confidence in the initiative and shedding more light on the steps it would take to ensure privacy and security. The company said that personal data and private content associated with the accounts would be deleted and would not be accessible to the new account holder.
"To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties."
In July, Yahoo followed up with more details about its security efforts. The company said it would work with businesses to implement a Require-Recipient-Valid-Since (RRVS) header. If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, and the new header would signal to Yahoo to check the age of the account before delivering the mail. If the values don't match, the email would bounce.
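As an added illustration (not Yahoo's code and not part of the original article), here is how a receiving mail system can evaluate an RRVS header: the sender states the date it last confirmed the recipient address, and the receiver bounces the message if the mailbox changed hands after that date. The header syntax follows RFC 7293, the standard that grew out of Yahoo's proposal; the ownership table, addresses and sample message are constructed for the example.

```python
# Receiving-side Require-Recipient-Valid-Since (RRVS) check. Illustrative example;
# header syntax per RFC 7293 ("<address>; <RFC 5322 date>"). All data is constructed.
from datetime import datetime, timezone
from email.parser import Parser
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed: when the CURRENT holder took possession of each mailbox. A recycled
# ID carries the date it was re-assigned, not the date the mailbox first existed.
MAILBOX_OWNED_SINCE = {
    "tjenkins@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),  # recycled ID
    "longtime@example.com": datetime(2005, 3, 2, tzinfo=timezone.utc),   # never recycled
}
DELIVER = "deliver"
BOUNCE_OWNER_CHANGED = "bounce 5.7.17 Mailbox owner has changed"

def parse_rrvs(value: str):
    """Split an RRVS value into (address, aware datetime); None if malformed."""
    addr, sep, date_str = value.partition(";")
    if not sep:
        return None
    try:
        ts = parsedate_to_datetime(date_str.strip())
    except (TypeError, ValueError):
        return None
    if ts.tzinfo is None:  # RFC 5322 "-0000" yields a naive datetime
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts

def rrvs_decision(raw_message: str, rcpt: str) -> str:
    """Deliver unless the sender's confirmation predates the current owner's tenure."""
    header = Parser(policy=default).parsestr(raw_message).get("Require-Recipient-Valid-Since")
    parsed = parse_rrvs(str(header)) if header is not None else None
    owned_since = MAILBOX_OWNED_SINCE.get(rcpt.lower())
    # No header, malformed header, header naming another address, or unknown mailbox:
    # nothing to test, so ordinary delivery applies (a policy choice for this example).
    if parsed is None or parsed[0] != rcpt.lower() or owned_since is None:
        return DELIVER
    # The sender last confirmed the address at parsed[1]; if the mailbox changed hands
    # after that moment, the confirmation is stale and the mail must not be delivered.
    return BOUNCE_OWNER_CHANGED if owned_since > parsed[1] else DELIVER

# Constructed sample: a password-reset mail whose sender last confirmed the address
# in May 2012, before the ID was recycled in August 2013.
SAMPLE_RESET = (
    "From: no-reply@social.example\r\n"
    "To: tjenkins@example.com\r\n"
    "Require-Recipient-Valid-Since: tjenkins@example.com; Mon, 14 May 2012 10:00:00 +0000\r\n"
    "Subject: Password reset\r\n\r\nClick the link to reset your password.\r\n"
)
```

With the sample message, `rrvs_decision(SAMPLE_RESET, "tjenkins@example.com")` returns the bounce string because the 2012 confirmation predates the August 2013 re-assignment; moving the header date past that re-assignment makes it deliver.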
Yahoo's security measures appeared sound in theory, said Gant Redmon, general counsel and VP with privacy and security company Co3 Systems, but failed in practice.
"Yahoo's idea was problematic from the start," Redmon said. "I can understand why Yahoo would want to do it: It's a legacy email service that they're trying to turn around and generate more interest in. But the initiative is troublesome," he said in an interview. "Email has become a primary identifier because no two people are supposed to have the same email address. When you sign up for it, you think it's yours for life."
However, Terry Cutler, chief technology officer at IT security company Digital Locksmiths, said he's surprised that Yahoo's security measures allowed for such a slip in the examples of Jenkins, Harris and Newman. "Yahoo seems to have done it right," Cutler said in an interview. "They did the right thing by shutting down accounts for a period of time, which should have helped to clean them up. But something's clearly not working, and that's a big problem."
Though Yahoo's security measures weren't effective for everyone, Redmon said the company isn't liable for the misdirected personal emails. "Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn't fit the Yahoo scenario," he said. "Yahoo hasn't lost or disclosed information they shouldn't have. They're not responsible for the fact that it was disclosed to a third party -- the user is."
Yahoo performed what Redmon calls a risk shift: Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.
In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said that the company has received minimal complaints from recycled-account holders. "We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder," he said. "We are continuing to work with companies to implement the RRVS email header standard that we published to the [Internet Engineering Task Force]."
Today, Yahoo charges $1.99 for you to request up to five usernames on Yahoo's Watch List. Jenkins, who signed up when it was free, said that the hassle of dealing with the misdirected email -- which totals between six and 10 messages a day, in addition to the boatloads of junk email -- hasn't been worth it. He's considering shutting down his account.
Harris, whose two Yahoo accounts were merged into one, said it took four phone calls and about four hours with Yahoo customer service to separate the two accounts and close the recycled one. "They were really helpful considering it's a free service, but they had a lot of trouble figuring out how to do it."
Newman said he's actively filtering the former account holder's email with hopes that the volume will eventually decrease. "I'm using the new account mostly for unimportant email because I'd probably go crazy trying to figure out what email is supposed to be mine and theirs," he said. "It's kind of disappointing because it's a great username to have, but I don't want to work this hard for it. Plus, getting someone else's mail just feels gross."
Those peeks into other people's personal lives leave Newman and Jenkins uneasy about Yahoo's continuation with recycled accounts, and concerned for others whose accounts may have closed.
"The most distressing part for me is that because I'm a Web developer, I know how easy it could be to reset all their passwords. It's scary to think about the damage I could do," Newman said. "Just yesterday I got an email confirmation for an apartment application. I could have canceled someone's apartment."
Jenkins said the opportunities for hackers are his biggest concern. "In some ways, the former user should be lucky that I'm getting this email because I would never do anything bad with it. But this whole situation made me nervous about my other email addresses. What happens when I stop using them?"
