Is Yahoo Doing Enough To Protect Sensitive Emails?By: Chris Crum - September 26, 2013
If you used to be a Yahoo Mail user, but stopped using it in favor of another service a year ago or more, there’s a chance that sensitive emails meant for you are being delivered to other people thanks to a recent move by Yahoo to give other users your old email address.
Do you think Yahoo’s email address recycling program was a good idea? Let us know what you think in the comments.
Back in June, as you may recall, Yahoo announced that it would give away inactive email addresses and Yahoo IDs. They would only do so if the address had been inactive for at least a year. The idea was that Yahoo’s loyal users would be able to get more desirable email addresses. Remember, part of the appeal of Gmail when it first came out was that people could get simple email addresses. If your name was John Smith, there was a good chance you could have gotten something like email@example.com, for example. That’s opposed to something like firstname.lastname@example.org. Yahoo wanted to do the same for its users now that many have moved on to different services (including, but not limited to Gmail).
Yahoo notified those who had signed up to get different email addresses/Yahoo IDs of the ones they were able to get about a month ago. For those that didn’t get what they wanted, Yahoo launched a “watchlist” feature, which allows users to pay a few dollars and have Yahoo keep an eye on the desired addresses, so they can be notified if they do become available. In other words, Yahoo intends to keep giving people email addresses that were once used by others.
People began criticizing Yahoo’s move pretty much right after it was announced in early summer. Security experts warned of privacy and cybersafety issues that could arise from the initiative.
“It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods,” he wrote at the time. “For example someone who uses a Yahoo email address solely as a backup for Gmail, and thus haven’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”
“Nor would it be hard to discover some of these inactive addresses,” he added. “You could, for example, find a dormant Flickr account which previously required a Yahoo email address.”
Well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, was particularly critical of Yahoo’s move. On his person blog, he called it “moronic.”
After some of the initial concerns came out, Yahoo took to its own blog to try and ease them. Yahoo’s Bill Mills wrote:
To communicate that a username has a new owner to e-commerce sites like “JoesAntiques.com,” or social networking sites like Facebook, we’ll allow them to “ask” for a new type of validation when sending an email to a specific Yahoo! user. The field, which can be requested via an email’s header is called “Require-Recipient-Valid-Since.”
We feel that our approach, which we’ve worked on with our friends at Facebook, is a good solution for both our users and our partners.
Here’s how it works:
If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.
This example illustrates how Facebook will do this – others will have their rules for determining their age requirement for the recipient / receiving account.
This is a new standard, being published with the IETF, that we’ll be working with partners to implement, and one that other email service providers can adopt for similar efforts of their own.
The company also had this to say in a statement to Wired:
Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.
To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
Cluley told WebProNews at the time, “Yahoo’s response doesn’t reassure me one bit. If the ‘vast majority’ of IDs covered by this action don’t have associated email addresses, why not exclude all of the ones which do have email addresses from the guillotine?”
“I saw them say elsewhere that they would contact third party websites that might have accounts registered with one of the email addresses, which gave me the biggest laugh of all,” he said. “I mean, there aren’t that many websites out there, are there? The whole thing sounds utterly impossible to pull off competently, so they should throw the idea away in the trash can where it belongs.”
Fast forward to this week. People have had the recycled addresses for a while now, and they’ve been getting other people’s emails. Go figure. InformationWeek ran a story speaking with some of these users. Here’s an excerpt with one of multiple stories from users:
Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”
After we reached out to Yahoo for comment, Senior Director, Platforms, Dylan Casey told us, “As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn’t been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely – including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail.”
“In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner,” Casey adds. “We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users.”
Now that users are actually getting emails that are intended for other people, Yahoo has decided to take another step.
Casey says, “Additionally, we’re in the process of rolling out a button in Yahoo Mail called ‘Not My Email’ where users can report that an email is not intended for them. We continue to look for ways to protect our users.”
Here’s what it looks like (via TechCrunch):
It’s something, but the feature still places responsibility in the hands of the new account holder – the one gaining access to the sensitive data. Let’s hope everybody getting such data (like info about where old account holders’ children go to school) is noble enough to let Yahoo know. Unfortunately those that would be most likely to abuse the data they’re receiving are quite unlikely to use the feature.
Yahoo maintains that only a small number of people have reported getting other people’s email, but again, would the ones that would abuse the sensitive email be likely to report it to the company? I’m guessing not.
What do you think? Is Yahoo doing enough to protect its old users? Does the responsibility all belong to those users themselves? Share your thoughts in the comments.
Lead Image: Yahoo