Security Vet: Yahoo’s Email ‘Scheme’ Was ‘Downright Reckless’
Yahoo continues to come under fire over its recycling of old email addresses and user IDs. Back in June, the company announced its plans to give old, inactive IDs to current users who wanted better email addresses.
Immediately, the plan drew a fair amount of criticism from security experts and journalists, including the guy from Wired who was famously hacked last year. Back then, well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, called Yahoo’s plan “moronic,” and told WebProNews, “they should throw the idea away in the trash can where it belongs.”
Last week, InformationWeek put out a story sharing quotes from users of the recycled email addresses who were getting other people’s email with sensitive information. Yahoo acknowledged that it had been happening to some users, and in response, launched a “Not My Mail” button (pictured) so that those getting other people’s emails could notify Yahoo and fix the problem. Of course, that relies on the user to be honorable enough to use it, and not to exploit the sensitive info they’re getting.
Cluley has taken to his personal blog again to bash Yahoo’s strategy.
“The truth is that this button doesn’t deal with the fundamental security problem with what Yahoo did,” writes Cluley. “The fact that Yahoo has had to roll out this new button says to me that it knows it has failed to deliver this initiative ‘in a way that’s safe, secure and protects [its] users’ data.’”
“None of this would have happened if Yahoo hadn’t initiated the reckless, harebrained scheme in the first place,” he adds. “They should be ashamed of this fundamentally flawed scheme which is not just half-baked, but downright reckless.”
According to Yahoo, only a small number of users have complained about getting other people’s email, but again, are the ones likely to exploit these emails going to let the company know about it?
Image via TechCrunch