InformationWeek ran an article on Tuesday in which a handful of users claimed to be getting quite sensitive info intended for past account holders. This included things like Facebook account info and even where their kids went to school.
That's not good.
Though Yahoo had previously outlined the security steps it was taking ahead of the release of the recycled addresses, clearly some are still having their personal data compromised. Yahoo even confirmed as much in a statement to InformationWeek, acknowledging that “a very small number of users” had told them they were getting emails meant for the previous account holders.
Dylan Casey, Senior Director, Platforms at Yahoo, tells WebProNews, "As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn’t been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely – including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail."
"In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner," Casey adds. "We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users."
Now that users are getting emails not intended for them, Yahoo is going a step further and rolling out a new feature in Yahoo Mail aimed at eliminating, or at least reducing, the amount of mail going to the wrong person.
Casey says, "Additionally, we’re in the process of rolling out a button in Yahoo Mail called ‘Not My Email’ where users can report that an email is not intended for them. We continue to look for ways to protect our users."
TechCrunch managed to get a screenshot of what the button looks like:
While the feature can't hurt, it still relies on the user to be good enough to use it, and not to be creepy and take advantage of the info they're being sent. This appears to help the new users of the account much more than it does the previous account holder.
The company maintains that the number of users who have reported getting other people's emails has been small. This is apparently based on users who have complained or otherwise notified Yahoo. But how many of the wrong people who are getting sensitive emails would notify Yahoo about it?
Ever sent a sensitive email to the wrong recipient? #Oops
— YMail Team (@yahoomail) September 19, 2013