Security Expert Calls Yahoo’s Email Plan ‘Moronic’

A week ago, we reported that Yahoo was about to give away inactive email addresses. The company said it would be freeing up Yahoo IDs (and email addresses) that have been inactive for at least a year, and resetting them. The move has been called “stupid,” “terrible,” and “moronic,” to name a few adjectives, and these are coming from security experts. It’s not exactly the kind of thing you want to hear if you used to use a Yahoo email address, but haven’t touched it lately.

Do you think Yahoo is making a good move in releasing these IDs and email addresses? Let us know in the comments.

The idea is that people who actually want Yahoo IDs/email addresses will be able to get more desirable addresses as if it were the 90s. You could get something like albert@yahoo.com instead of albert9330399@yahoo.com, to use the example Yahoo gave in the announcement.

“A Yahoo! ID is not only your email address, it also gives you access to content tailored to your interests – like sports scores for your favorite teams, weather in your hometown, and news that matters to you,” Yahoo said.

Starting in mid-July, anyone can “have a shot” at obtaining the Yahoo email address and ID they’ve always wanted. In mid-August, those who tried to get one will be able to find out if they got what they wanted. Those who wish to keep their current ID/address simply need to log in before July 15th.

Since Yahoo’s announcement, a number of people, including noted security experts, have expressed concerns about the security ramifications of what Yahoo is doing. That’s where those words like “terrible,” “moronic,” and “stupid” come in.

Wired’s Mat Honan, who famously had his digital life “destroyed” by hackers last year, calls it a “terrible idea”.

“It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods,” he writes. “For example someone who uses a Yahoo email address solely as a backup for Gmail, and thus hasn’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”

“Nor would it be hard to discover some of these inactive addresses,” he adds. “You could, for example, find a dormant Flickr account which previously required a Yahoo email address.”

Remember, this is a guy who experienced the wrath of cyber criminals firsthand. He received a lot of attention for the story in 2012 from various news outlets. His situation even led to Apple and Amazon making adjustments to their user security strategies.

Forbes has a similar story out now, with quotes from Graham Cluley, a security expert who has worked for Sophos and McAfee:

“So, imagine years ago you created yourself a Yahoo address but you subsequently decided to use GMail or Hotmail instead, but maybe – prior to that – you registered some of your third-party web accounts using your Yahoo address,” writes Cluley in an email. “What happens when you forget your password, and you ask the site to send your registered email address a password reset/reminder? Potentially it could fall into the wrong hands.”

“Also, what if people have kept their old email address as an archive – they may not have needed it in the last year, but who’s to say that they might not want to access some of its content (emails and photos from since-deceased relatives and the like) in the future?” he writes. “Yahoo is forcing anyone who doesn’t want their Yahoo ID to expire to log into their account before July 15th (if they haven’t checked in for a year). Of course, many people will *never* realise that the clock is ticking and that they could be about to lose control of their Yahoo ID.”

He writes more about it on his blog where he calls it “moronic”. There, he says, “In short: as an idea it sucks, and it shows Yahoo’s lack of respect to customers who created accounts with them in years gone by.”

Help Net Security managing editor Zeljka Zorz says Yahoo’s plan “could lead to trouble” and points to something Microsoft has done.

“In fact, a similar scheme by Microsoft concerning Hotmail email accounts has been proved dangerous by researchers from Rutgers University in Newark, New Jersey, who demonstrated that ‘retired’ accounts can be requested by attackers and used to hijack users’ Facebook accounts,” writes Zorz.

Since all of these concerns were voiced, Yahoo has come out and defended its actions. Honan shares a statement the company gave him, in an update to his article:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Alexei Oreskovic at Reuters reports that Yahoo says only 7% of the IDs in question are even tied to Yahoo email accounts.

More Yahoo Mail controversy is probably about the last thing the company needed right now. They recently pushed a new redesign (which has actually been around as an option for about half a year) on all users, and many of them are upset about the move. We continue to get negative feedback from readers about it on just about a daily basis.

Are you confident that Yahoo is handling this situation in a safe way, or are you afraid the security experts are right? Let us know in the comments.

  • http://www.epalmspringsrealestate.com Abraham Baghbodorian

    I have had a Yahoo Business Account for several years now and they have been continuously regressing in security. I had my account hacked twice already within 6 months and they have NO ANSWERS.

    All Yahoo is concerned with is their stupid and annoying Ads. The fact that a Business Account is required to use a Yahoo ID to access a Business email account is nothing but a door to hackers to access the business accounts.

    I have a Google Apps Business account and what a difference it is from Yahoo’s email for Business. I am trying to find a way to consolidate all my emails with Google Apps time permitting.

  • http://www.sbwebcenter.com Steve B

    That’s a bad idea. Can you imagine the issues you’ll have with paypal payments being sent to unintended parties? Also, scammers will jump all over this.

  • http://www.michaelwalkeradv.com Bill

    Just another reason I’ve never used YAHOO for any email service!! In fact a friend of mine just had his YAHOO email account hacked for the second time in over two years……recommended he switch to gmail!

  • http://www.BestAngelStore.com Edie Feiste

    I am totally amazed at Yahoo’s stupidity. How they ever could have arrived at such a bad decision is beyond my comprehension! I am in shock.

  • steve lowen

    Bad, bad idea that can easily lead to worse drama.
    I am rethinking use of Yahoo.

  • MaMa MiA

    :( NOT A SMART MOVE……AT ALL!!!! I am very disappointed by YAHOO’S lack of care….concern…for their loyal Users and by their total lack of common sense!!!!!

    • http://yahoo Nancy vernand

      amen to that!

  • Ed Davis

    It really depends on the execution of the change. Obviously, email addresses which have been not used for long periods of time, that is, perhaps greater than one year should be eligible. Most of us have a primary email address and some back up email addresses. We should not have to come up with longer and more exotic email addresses as the pool of used names dwindles.

    I have used Yahoo small business email for several years and have been relatively satisfied with a few exceptions. It still cannot be accessed from most Android devices. Yahoo makes an app for their non-business email to be accessed on Android devices but not their business email.

  • Tony Valentino

    This is a stupid idea. I’m moving everything over to gmail. Will set up multiple gmail accounts to take care of logins, etc. Better delete all you can from Yahoo or it will wind up in Hacker Heaven.

  • Luis

    I would appreciate the double spacing for your articles. It is really difficult to read with no spacing. Your articles are good, but it is frustrating and I will simply delete it from my emails and unsubscribe.

    Thanks

  • http://www.annuityally.com Ronald Johnston

    This is stupid!

  • http://www.thirdcoastautos.com Third Coast Autos

    Yahoo Mail has been around for a while and the main problem they never consider is, to improve the look and feel and pull away the excessive advertisements the user has to suffer. Our reviewers discuss whether this pioneer of free email accounts is still ripening with age or starting to compete with Google gmail which so far…It is amazing.

    • Kevin Morley

      There was nothing wrong with “classic” email, they have “improved” it so much it is hardly usable.

      Hotmail have altered a lot too but seemed to have done a better job of it

  • http://www.delbertstwocents.com Del

    How about they just leave everything else alone and offer additional domains for free email. Is that too simple? They probably own other domains right? What’s wrong with yourname@yahoomail.com or something like that, and everyone can go after the good names all over again without the security risks.

  • http://truckertwotimes.com TruckerTwotimes

    Anything that goes wrong on the internet is now the responsibility of NSA regardless of email or whatever, anything and all faults are of NSA period.

    • http://truckertwotimes.com TruckerTwotimes

      O and also CISPA, those two are to be held accountable for everything from credit card fraud to a person being ran over on the road.

  • http://polalor.wix.com/republic#! Peter

    Regardless, “your” old email is going to be picked up and used to spam and spam some more. How does that risk reflect customer service? Is this just one potential risk? Yes, and too often, the unknown factor is ignored.

  • http://www.fmeextensions.com FME

    Absolutely perfect, it should be, people can’t leave their email address for a year abandoned, they are ignoring it. This gives Yahoo the right to reset them.

  • P Primo

    What’s moronic is the use of Emails as a user id in the first place. That is the real security risk. Let this be a lesson for companies using email as user id. Anyone doing so, it should be clear now that you need to migrate your user voluntarily to alternate userIDs and mandatory for those that don’t act within a specific time frame.

    Also Moronic is the expectation that a free email address will be saved for life. Even with Inactivity.

  • http://infosecur.pl Outsourcing IT – Cracow

    Savings on people and their identity is always bad idea. If Yahoo wants save on disks, disks arrays and memory – can lock these account for several years. After some period of quarantine (years) will be much better to make such decision.

    Yahoo is modern company with long-term tradition, where were working great engineers. Who makes such decisions, which destroys company reputation? Marketers or people, who have small experience in IT world?
    It’s terrible…

  • Kevin Morley

    BT have shown the way by removing yahoo as the default email client, might “only” be 7 million current BT subscribers but there are likely as many more email users.

  • KJ

    Please leave alone. I can see LOTS of problems with this idea. I also think new users would be afraid to open an account because this may be done again in the future. Who would want to have an account that could be taken away at any time and be subjected to security issues.

    NO THANKS YAHOO! LEAVE ALONE!

  • https://www.searchen.com John Colascione

    Seven (7) years seems like it would be the right amount of time, or five (5) at the absolute minimum.

  • Loki57

    Given the caption to this article, I’m surprised what kid gloves treatment it gives to Yahoo, compared to what they deserve.

    Why are there not class action suits and criminal fraud, computer crime, and privacy criminal prosecutions against Yahoo, for its ongoing, reckless, open door security exploits that go unpatched for over a year, and that are aggravated by the defaults of spyware and adware pushes that Yahoo calls “upgrades”?

    Yahoo has been dodgy and evasive when questioned as to why it’s so common and easy for botnets of SPAMers and data harvesters to not merely hack Yahoo accounts, but walk right in doors Yahoo opens for them, and send SPAM plus harvest private info from accounts just as if the user himself logged in?

    Yahoo has added an SSL connect option, not highly visible, and only present for some variants of optional account variants. They have added a potentially annoying 2nd party login verification system copying Google. But, they’re also setting YIM to “on” by default, even for users who’ve intentionally disabled that.

    I’ve yet to see details properly analyzed and documented on tech or security sites, but some combination of YIM and Yahoo’s Partner program API to share user status and account details, in some cases fairly extensively in both directions, is being used by botnet operators to login to user accounts from infected machines all over the world.

    Whether that’s entirely a direct Yahoo security defect and exploit, or is being done via Yahoo Partner affiliates, like CBS News, HuffPo, OpenID, Disqus, and many TV station and newspaper chains and sites, is unclear. If those third parties are exposing security holes to enable exploit of what’s properly criminally reckless Yahoo programming and business practices, those partners deserve criminal convictions for serial felonies, plus to pay BOTH Yahoo users AND third parties victimized by SPAMmers or release of info for damages, in addition to Yahoo. An equitable resolution for Yahoo’s extended gross recklessness with international criminal botnets would likely exceed their purchase price for Tumblr.

    Sure, this Yahoo ID recall and relatively short notice period relative to how some long term accounts are used, has potential to enable or trigger a range of consequences that are idiotic through criminal in different cases. That seems like a lot less severe problem than forced software changes that degrade rather than fix a major security defect, that allows breaking into accounts without even hacking or sniffing passwords from sloppy users, or reckless storage practices as resulted in Care2’s major breach (where any service that can send you a copy of your password rather than only a reset link, isn’t securing it well, as they use reversible hashes hackers can reverse too, or less security).

    Maybe some public serving Web publisher is overdue to host a contest, as to who can document the Yahoo open door exploit that seems to involve their Partner API plus broken YIM, with bonus points to anyone who does so in a manner that reveals or disproves partner negligence, or becomes evidence in class action or criminal prosecutions of Yahoo?

  • Albert

    This is a terrible idea. But par for the course, given that Yahoo has already forced a new version of mail down our throats that loses messages and is slower and more cumbersome to use.

    People over there are apparently being paid for screwing things up, and then “fixing” their mistakes. Way to go, guys.

  • http://www.abcdesignstudio.com turnkey websites

    Yahoo’s email is not good at all. They are still charging me for an email account I never use, plus you can’t move your emails out of yahoo and forward them to another provider. That’s Right! They have their email system setup so it blocks you from being able to forward any of your yahoo emails to gmail for example. You have no choice but to either walk away from yahoo email account or keep logging in to check for old emails you no longer care about but are unable to move someplace else. They offer the worst email service ever. It does not surprise me what they are now trying to pull. They should be receiving plenty of civil lawsuits over this. I am sure it is some other scheme to turn higher profits at the expense of others.

    • http://yahoo Nancy vernand

      THAT IS DEFINITELY NOT TRUE. THOUSANDS OF PEOPLE WERE USING YAHOO AS THEIR BUSINESS E-MAIL. I WAS DOING BUSINESS OUT OF MY HOUSE WHICH IS VERY TIMELY AND THEY HAVE TURNED THIS INTO A STUPID CIRCUS. PEOPLE ARE JUST PLAIN FED UP. IF YOU WANT WORTHLESS ADS, TRY FACEBOOK! THEY WILL BE GONE WITHIN THE YEAR I PREDICT. YAHOO’S SERVER IS NOW SO MESSED UP, ONE CAN ONLY BE ONLINE FOR FIVE MINUTES BEFORE “OOPS OUR SERVER HAS A PROBLEM. TRY AGAIN. OR OUR SERVER CANNOT FIND THE PAGE YOU ARE LOOKING FOR (WHICH IS YOUR E-MAIL ACCOUNT OR SOMETHING SO SIMPLE) OR BETTER YET OUR SERVER DOES NOT RECOGNIZE YOUR QUESTION (THAT YOU DID NOT ASK!) THIS IS ALL SINCE THIS IDIOTIC NEW FORMAT WAS FORCED DOWN OUR THROATS.

  • http://www.eyerys.com Nia Rianti

    This is a bad move for Yahoo. But maybe the idea is because most users (I think) use Yahoo mail just for registration for specific sites or as a way to spam people with worthless ads. And if this is true, it probably takes much of Yahoo’s server resources.

  • http://yahoo Nancy vernand

    HELL NO! NOTHING THEY HAVE DONE LATELY HAS BEEN FOR THE BETTER GOOD OF THE USERS. IF THEY ARE INVADING OTHERS PRIVACY AND PUTTING THEIR TWO CENTS IN HERE AND THERE, I CAN GUARANTEE SOME JAIL TIME AS I AM KEEPING TRACK OF EVERY STUPID COMMENT THROWN IN AS A “SUGGESTION” TO DOING MY BUSINESS ONLINE. EVERY E-MAIL I DELETE, THEY ARE KEEPING. I AM NOTIFYING EACH AND EVERY ONE OF THOSE PEOPLE AND WEBSITES. THIS NEEDS TO BE REPLACED WITH MAIL CLASSIC RUN BY INTELLIGENT PEOPLE OR ANOTHER E-MAIL FORMAT SET UP TOTALLY SEPARATE AND FAR AWAY FROM THIS MORONIC MESS! I CAN’T EVEN LOOK DOWN AT WHAT E-MAILS I HAVE YET TO DEAL WITH OR HAVE BEEN RESPONDED TO. EACH ONE SEPARATELY POPS UP BELOW MY E-MAILS BLOCKING MY INFO. REAL CUTE.

  • Steve

    This new yahoo really sucks – and tho the new Yahoo CEO may be considered a “genius” and pushed her email team hard, the result was a big steaming pile of poo.

    It is so slow and clunky and gone is the wonderful tweaks which could be done for classic.

    I will be rolling over to mail.com after I get my emails transferred. It’s sad because I switched from Excite to Yahoo mail when Yahoo rolled out. But this new interface sucks so bad that it overwhelms any nostalgia I have for Yahoo Mail.

    Steve

  • http://gunnarsolvang@yahoo.se Gunnar Solvang

    HI to you all…. It’s good that there are more people than just me who think the change Yahoo has made to our email addresses is problematic. Could we gather a lot of votes for Yahoo to go back to the way it was before, when we had full control over the emails we had sent or received.. CAN THOSE WHO RUN THIS SITE, OR SOMEONE ELSE, COLLECT A SURVEY OF EVERYONE WHO IS NEGATIVE ABOUT THE CRAZY CHANGE THAT YAHOO HAS RECENTLY MADE TO OUR EMAIL ADDRESSES?????
