Is Yahoo Doing Enough To Protect Sensitive Emails?

    September 26, 2013
    Chris Crum
    Comments are off for this post.

If you used to be a Yahoo Mail user, but stopped using it in favor of another service a year ago or more, there’s a chance that sensitive emails meant for you are being delivered to other people thanks to a recent move by Yahoo to give other users your old email address.

Do you think Yahoo’s email address recycling program was a good idea? Let us know what you think in the comments.

Back in June, as you may recall, Yahoo announced that it would give away inactive email addresses and Yahoo IDs. They would only do so if the address had been inactive for at least a year. The idea was that Yahoo’s loyal users would be able to get more desirable email addresses. Remember, part of the appeal of Gmail when it first came out was that people could get simple email addresses. If your name was John Smith, there was a good chance you could have gotten something like john.smith@gmail.com, for example. That’s opposed to something like johnsmith935245435@gmail.com. Yahoo wanted to do the same for its users now that many have moved on to different services (including, but not limited to Gmail).

Yahoo notified those who had signed up to get different email addresses/Yahoo IDs of the ones they were able to get about a month ago. For those that didn’t get what they wanted, Yahoo launched a “watchlist” feature, which allows users to pay a few dollars and have Yahoo keep an eye on the desired addresses, so they can be notified if they do become available. In other words, Yahoo intends to keep giving people email addresses that were once used by others.

People began criticizing Yahoo’s move pretty much right after it was announced in early summer. Security experts warned of privacy and cybersafety issues that could arise from the initiative.

Wired writer Mat Honan, who made national headlines last year when his digital life was “destroyed” by hackers, called Yahoo’s move a “terrible idea.”

“It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods,” he wrote at the time. “For example someone who uses a Yahoo email address solely as a backup for Gmail, and thus haven’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”

“Nor would it be hard to discover some of these inactive addresses,” he added. “You could, for example, find a dormant Flickr account which previously required a Yahoo email address.”

Well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, was particularly critical of Yahoo’s move. On his person blog, he called it “moronic.”

After some of the initial concerns came out, Yahoo took to its own blog to try and ease them. Yahoo’s Bill Mills wrote:

To communicate that a username has a new owner to e-commerce sites like “JoesAntiques.com,” or social networking sites like Facebook, we’ll allow them to “ask” for a new type of validation when sending an email to a specific Yahoo! user. The field, which can be requested via an email’s header is called “Require-Recipient-Valid-Since.”

We feel that our approach, which we’ve worked on with our friends at Facebook, is a good solution for both our users and our partners.
Here’s how it works:

If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.

This example illustrates how Facebook will do this – others will have their rules for determining their age requirement for the recipient / receiving account.

This is a new standard, being published with the IETF, that we’ll be working with partners to implement, and one that other email service providers can adopt for similar efforts of their own.

The company also had this to say in a statement to Wired:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Cluley told WebProNews at the time, “Yahoo’s response doesn’t reassure me one bit. If the ‘vast majority’ of IDs covered by this action don’t have associated email addresses, why not exclude all of the ones which do have email addresses from the guillotine?”

“I saw them say elsewhere that they would contact third party websites that might have accounts registered with one of the email addresses, which gave me the biggest laugh of all,” he said. “I mean, there aren’t that many websites out there, are there? The whole thing sounds utterly impossible to pull off competently, so they should throw the idea away in the trash can where it belongs.”

Fast forward to this week. People have had the recycled addresses for a while now, and they’ve been getting other people’s emails. Go figure. InformationWeek ran a story speaking with some of these users. Here’s an excerpt with one of multiple stories from users:

Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.

“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”

After we reached out to Yahoo for comment, Senior Director, Platforms, Dylan Casey told us, “As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn’t been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely – including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail.”

“In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner,” Casey adds. “We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users.”

Now that users are actually getting emails that are intended for other people, Yahoo has decided to take another step.

Casey says, “Additionally, we’re in the process of rolling out a button in Yahoo Mail called ‘Not My Email’ where users can report that an email is not intended for them. We continue to look for ways to protect our users.”

Here’s what it looks like (via TechCrunch):

Not My Email

It’s something, but the feature still places responsibility in the hands of the new account holder – the one gaining access to the sensitive data. Let’s hope everybody getting such data (like info about where old account holders’ children go to school) is noble enough to let Yahoo know. Unfortunately those that would be most likely to abuse the data they’re receiving are quite unlikely to use the feature.

Yahoo maintains that only a small number of people have reported getting other people’s email, but again, would the ones that would abuse the sensitive email be likely to report it to the company? I’m guessing not.

What do you think? Is Yahoo doing enough to protect its old users? Does the responsibility all belong to those users themselves? Share your thoughts in the comments.

Lead Image: Yahoo

  • http://www.ubetterwatchout.com Bill Jones

    Yahoo has never done enough….

  • http://www.androidgamespro.com/ Lalitha

    I think yahoo needs to very much to compete with Google.

  • Ibitz

    Personally, I have become tired of the feminization of Yahoo. Effeminate purple color everywhere and an angry feminist in charge.

  • http://www.aditmicrosys.com/ Hemang Shah

    Bill Jones right when I used Yahoo to my personal account that are lots of unusual and spam mail comes in my email account. and that’s not enough. If you want to create a security than block always unwanted and spam mail. Create this type of algorithm.

  • James Reynolds

    Simple, don’t use an email address as a ‘backup’ access point to your other email accounts or social accounts or anything unless you actually use the ‘backup’ email account. It’s the same when you have an old bank account and move house – where the statements continue to get sent to your old address. Those that do that are idiots in my mind, and I don’t have a different opinion when it comes to an email ADDRESS.
    If you don’t use an email address anymore then don’t be lazy and sloppy about it. Update your accounts to new addresses. If you have lost access to your account don’t just do nothing about it.
    At the end of the day it is their website their space and their decision on what they do with it.

  • Romy Elepano

    Please leave my email address directory alone. Do not delete inactive addresses nor give them away to others. Just let it be. That is the ethical thing to do.

  • smarter than the average bear

    if you are using a free service like Yahoo or Gmail, you have to be smart enough to know you get what you pay for….real professionals (and every fortune 500 company) uses Microsoft Outlook for a reason.

    free email and cloud services are a joke…roll your own and install a server…they are not expensive nor complicated to set up properly…

    my .02

    • Francis

      Question – aren’t IBM a ‘fortune 500 company’?, as, unless I’m mistaken, they use (Lotus) Notes, not Microsoft Outlook.

  • CJC

    It is not at all surprising that Yahoo sells old e-mail addresses. I don’t do anything pertaining to Yahoo anymore — business or personal. Their practice of slowing down my personal computer by attacking it with a Yahoo toolbar that can’t be easily removed is overtly “customer-hostile.” They even post articles on how to remove their toolbar — but those instructions don’t work. Bad business.

  • Dan

    Okay, here’s the deal. Changes to Yahoo news are obviously a work in progress. Until such time the new edition of Yahoo news is in far better shape, take it down. It appears ‘you’ are relying on the users to find the bugs. That is not how a responsible software developer releases their product.
    There is no feature that allows the readers to respond directly to the folks at Yahoo so I will post my comment here, in hopes, Yahoo will accidentally read it.

    WE have been promised the return of the ‘bell’, so we can track our comments. That has not been returned.

    NOW, the “Your Comments” at the end of the articles has also disappeared.

    You are frustrating your reader and when you frustrate your readers, you also frustrated your advertisers. When you frustrate your advertisers, they may withdraw their support and then, the end result for Yahoo is not good.

  • http://yahoo justina

    is good

  • http://www.sharethestars.com Shari Kavalin

    What is worse is that Bellsouth as an internet provider has inserted Yahoo into their email process…creating a while new level of complications. Now, in changing internet providers …we have discovered it appears that Bellsouth is shadowing the Yahoo email policies and will RECYCLE my boyfriend’s email address of 17 years….after 30 days!!!!! Emails and phone numbers are so much a part of our identities! AOL long ago opted to allow one to keep ones email address..without holding you hostage to them. Even telephone providers allow phone numbers to be portable! Releasing the USE of our former email addresses to the public seems like such a security breach and leaves us open to identity theft that in any other circumstance we would be getting an apology letter from a provider for putting us at risk. Within Bellsouth/ATT/Uverse/Yahoo…. I have heard the term whispered “legacy accounts” …which should be portable, but no one at BS seems to know details. Without question, the email address in name alone that has been used over “X” years should follow “first use” rules and be portable. In this day & age, Email addresses = identity and should be protected at all costs!

    I know no one of consequence who has control in changing corporate policies for the companies involved will likely read this here…so feel free to repost my rant elsewhere at will. I pray it will help bring needed changes. Please credit to me as twitter identity @vacationshari

    • ms b

      This is terrible. I have had a brain injury an although I dont recall my old login password and info I do know that I used my email accounts to correspond with my bank, utility company, docters office and lawyer. This means someone will have acess to everything including my ss number just because I havent been able to log into my old yahoo account. Not fair!

  • Henry

    New yahoo mail sucks. Cannot modify text cut and copied into an email message without the cursor going to places you do not want it to.

  • acar

    The new email launch is frightful. You can’t even understand what you re doing, who you are sending to or anything. All of the expands and compresses are worthless and defy understanding what you are doing. This is the worst ever. Please return us to the prior program. It worked. This does not!