Even After Yahoo Defends Itself, Security Expert Still Calls Email Address Plan ‘Trash’

    June 21, 2013
    Chris Crum

Yahoo has raised a pretty good amount of concern regarding account security with a recently announced move to shut down inactive Yahoo IDs and email addresses and give them to other users that desire them.

As previously reported, security experts and others in the industry have been criticizing the company, calling the move names like “stupid,” “moronic,” and “a terrible idea”. You can see the kinds of things they were saying here.

Yahoo has not ignored its critics, telling Reuters that only 7% of the IDs in question are even tied to Yahoo email accounts, for example. The company also gave the following statement to Wired:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, was particularly critical of Yahoo’s move. We picked his brain to see what he had to say about Yahoo’s defense of its actions. Suffice it to say, it didn’t make him feel much better about the whole thing.

“Yahoo’s response doesn’t reassure me one bit,” Cluley tells us. “If the ‘vast majority’ of IDs covered by this action don’t have associated email addresses, why not exclude all of the ones which do have email addresses from the guillotine?”

“I saw them say elsewhere that they would contact third party websites that might have accounts registered with one of the email addresses, which gave me the biggest laugh of all,” he adds. “I mean, there aren’t that many websites out there, are there? :) The whole thing sounds utterly impossible to pull off competently, so they should throw the idea away in the trash can where it belongs.”

“I’d like to see Yahoo provide a list of all the sites they plan to contact with their list of email addresses potentially up for grabs,” Cluley says. “I imagine that’s quite a long list of websites that could have had accounts created on them. After all, Yahoo wouldn’t forget to include any sites, would it… I mean, it’s a search engine, so it probably has a grasp on how many websites there are out there, right?”

“And, umm, aren’t there some slight risks in contacting – let’s say, x hundred million – websites with a long list of Yahoo IDs and email addresses that will shortly be deactivated and available for anyone to claim?” he adds. “They just haven’t thought this through at all.”

Users who are concerned about losing their Yahoo IDs only need to log in before July 15th if they want to keep them.

  • Luna

    I had to quit using my Yahoo email about 3 years ago because, for some reason, I kept losing composed email text before finishing and hitting send (no auto-save/default draft function like Gmail), and friends kept telling me they were receiving spam from my email address (even after having changed my password several times). These days, when I receive spam email from a friend it is inevitably from a Yahoo account. Also, the experience of setting up a Yahoo Local account when a business I work for went through a name change was PAINFUL. Yahoo’s verification method is abysmal. They mail you a card with a code and the code NEVER worked. Even contacting a Yahoo human was an act of Congress. The problem is still not fixed. Yahoo can suck it.

  • http://www.konveksi.org/ konveksi

    Oh… no. I think it will be difficult to use Yahoo. I just changed to Gmail.

  • http://www.abinea.com hotel Südtirol

    Great story, Luna. In Italy we do like you….
    Greetings, M.

  • stolen account

    I never, never comment but just have to on this. On Wednesday morning, someone somehow got into my email account (seldom used), and sent a link to all of my contacts, as well as 3 people who were not in my contact list — one of them was me at my other email address. You tell me.

    • Loki57

      You at the least need to change your password and security questions.

      If you did anything foolish like share passwords among accounts, all other accounts need to be changed too, to distinct credentials. Even if you didn’t share passwords, but had the same 1st grade teacher, dog, first car, and favorite wombat, used on other sites using security questions, all those could be exposures now. Contrary to what idiot parents and teachers may have claimed in lies to kids, it’s essential to security to use fake answers, and securely store what they were, rather than use real info for such security tests. A security key is a secret distinct key, where being a factual answer to the literal test question is irrelevant. (Also good to munge DOB and other personal details in most cases for similar reasons, or don’t answer if that’s an option.)

      Look for and set the new SSL always option (bottom of the general options page on account info, where it isn’t disabled for some users; you’ll then see https and a padlock in your browser). Setting 2nd party verification may help. If YIM is on, disable it. If you actually use it, stop, and suggest friends do too. (You can always promote trafficking in international munitions, e.g., use Jitsi or similar encrypted clients for XMPP or SIP. Yes, US laws are absurd, but they operate from France. Jit.si and Ippi.fr offer free XMPP/Jabber and OpenSIP IDs that don’t suffer the issues of Ekiga et al.)

      What modes was your account in, and were any changed (old or new, basic or Super-Spyware features; and, YIM on or off)?

      In recent logins, how did they log in? Typical is a Partner API login, followed by a Mail login, from some foreign IP. (Open your Yahoo Account Info page to check.)

      What, if any, Partner API shares did you have? Were any (e.g., Facebook) added? Kill any you didn’t set or aren’t using, and consider killing all of them when not in immediate active use. Also, it’s best to NOT use those Yahoo features (YIM or Partner API) at all from any account used for serious emails, and either boycott those Yahoo functions, or set up a separate dummy account with no emails other than one contact for yourself elsewhere, that can warn of hacking if the entire list (of 1) and stored email addresses are SPAMmed.

      The consensus on tech sites seems to be that Yahoo knows how this exploit works, and is denying what they know, so as to encourage users to let them aggravate it with more spyware, and use of shared Yahoo data with Facebook and major media sites. The combination of YIM being on, whether by users setting it or failing to turn it off after Yahoo by default enables it or turns it on without warning with software pushes, AND Partner API defects, somehow is enabling not account hacks, but a wide open side door an international SPAM and data harvesting criminal organization knows how to walk right into Yahoo accounts that don’t avoid the configs they use.

      These Yahoo ignored or suppressed barn door security defects need to be discussed more widely around the net to warn users and encourage sharing tech details, to nail down how the exploit works, and reduce use of it to SPAM lists and users, and steal account contents. These exploits seem to have started around the time Yahoo started pushing the currently more heavily extorted software changes, to sniff email contents and use a more scripted client to push ads.
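      The comment above suggests reviewing recent login history for a Partner API login followed by a Mail login from an unfamiliar IP. The script below is an added example of that review, not code from the commenter, from Yahoo, or from this article: the event fields, the "Partner API" and "Mail" labels, the pre-resolved country codes and the sample history are all constructed assumptions, and the 15-minute pairing window is an arbitrary choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LoginEvent:
    """One row of an account's login history (field names are assumed)."""
    when: datetime
    kind: str      # assumed labels: "Web", "Mail", "Partner API"
    ip: str
    country: str   # assumed to be pre-resolved by a GeoIP lookup

# Constructed sample history; the IPs are documentation ranges, not real hosts.
SAMPLE_HISTORY = [
    LoginEvent(datetime(2013, 6, 17, 8, 2), "Web", "203.0.113.10", "US"),
    LoginEvent(datetime(2013, 6, 18, 19, 30), "Mail", "203.0.113.10", "US"),
    LoginEvent(datetime(2013, 6, 19, 3, 41), "Partner API", "198.51.100.7", "RO"),
    LoginEvent(datetime(2013, 6, 19, 3, 43), "Mail", "198.51.100.7", "RO"),
    LoginEvent(datetime(2013, 6, 19, 9, 0), "Web", "203.0.113.10", "US"),
]

def baseline_countries(history, cutoff):
    """Countries seen in events strictly before `cutoff` are treated as familiar."""
    return {e.country for e in history if e.when < cutoff}

def find_suspicious_pairs(history, trusted, window=timedelta(minutes=15)):
    """Return (partner_api_event, mail_event) pairs where a Partner API login from
    an unfamiliar country is followed within `window` by a Mail login from the
    same IP. This is the pattern the commenter describes as typical."""
    events = sorted(history, key=lambda e: e.when)
    alerts = []
    for i, first in enumerate(events):
        if first.kind != "Partner API" or first.country in trusted:
            continue
        for second in events[i + 1:]:
            if second.when - first.when > window:
                break  # events are sorted, so nothing later can be in the window
            if second.kind == "Mail" and second.ip == first.ip:
                alerts.append((first, second))
                break
    return alerts

def describe(alert):
    """Human-readable line for one alert pair."""
    first, second = alert
    gap = int((second.when - first.when).total_seconds() // 60)
    return (f"{first.when:%Y-%m-%d %H:%M} Partner API login from {first.ip} "
            f"({first.country}), Mail login {gap} min later from the same IP")

if __name__ == "__main__":
    trusted = baseline_countries(SAMPLE_HISTORY, datetime(2013, 6, 19))
    for alert in find_suspicious_pairs(SAMPLE_HISTORY, trusted):
        print(describe(alert))
```

      Pairing on the same IP keeps the check narrow; a real review would also list any Partner API shares added around the flagged time, which is the follow-up the commenter recommends.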

  • http://Mabuzi.com Kevin

    We have noticed a big increase in spam from hacked Yahoo accounts over the last 2 months.

    Yahoo needs to come in from the dark ages.