Security Expert Call Yahoo’s Email Plan ‘Moronic’

    June 20, 2013
    Chris Crum

A week ago, we reported that Yahoo was about to give away inactive email addresses. The company said it would be freeing up Yahoo IDs (and email addresses) that have been inactive for at least a year, and resetting them. The move has been called “stupid,” “terrible,” and “moronic,” to name a few adjectives, and these are coming from security experts. It’s not exactly the kind of thing you want to hear if you used to use a Yahoo email address, but haven’t touched it lately.

Do you think Yahoo is making a good move in releasing these IDs and email addresses? Let us know in the comments.

The idea is that people who actually want Yahoo IDs/email addresses will be able to get more desirable addresses as if it were the 90s. You could get something like instead of, to use the example Yahoo gave in the announcement.

“A Yahoo! ID is not only your email address, it also gives you access to content tailored to your interests – like sports scores for your favorite teams, weather in your hometown, and news that matters to you,” Yahoo said.

Starting in mid-July, anyone can “have a shot” at obtaining the Yahoo email address and ID they’ve always wanted. In mid-August, those who tried to get one will be able to find out if they got what they wanted. Those who wish to keep their current ID/address simply need to log in before July 15th.

Since Yahoo’s announcement, a number of people, including noted security experts, have expressed concerns about the security ramifications of what Yahoo is doing. That’s where those words like “terrible,” “moronic,” and “stupid” come in.

Wired’s Mat Honan, who famously had his digital life “destroyed” by hackers last year, calls it a “terrible idea”.

“It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods,” he writes. “For example someone who uses a Yahoo email address solely as a backup for Gmail, and thus haven’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”

“Nor would it be hard to discover some of these inactive addresses,” he adds. “You could, for example, find a dormant Flickr account which previously required a Yahoo email address.”

Remember, this is a guy who experienced the wrath of cyber criminals firsthand. He received a lot of attention for the story in 2012 from various news outlets. His situation even led to Apple and Amazon making adjustments to their user security strategies.

Forbes has a similar story out now, with quotes from Graham Cluley, a security expert who has worked for Sophos and McAfee:

So, imagine years ago you created yourself a Yahoo address but you subsequently decided to use GMail or Hotmail instead, but maybe – prior to that – you registered some of your third-party web accounts using your Yahoo address,” writes Cluley in an email. “What happens when you forget your password, and you ask the site to send your registered email address a password reset/reminder? Potentially it could fall into the wrong hands.”

“Also, what if people have kept their old email address as an archive – they may not have needed it in the last year, but who’s to say that they might not want to access some of its content (emails and photos from since-deceased relatives and the like) in the future?” he writes. “Yahoo is forcing anyone who doesn’t want their Yahoo ID to expire to log into their account before July 15th (if they haven’t checked in for a year). Of course, many people will *never* realise that the clock is ticking and that they could be about to lose control of their Yahoo ID.”

He writes more about it on his blog where he calls it “moronic”. There, he says, “In short: as an idea it sucks, and it shows Yahoo’s lack of respect to customers who created accounts with them in years gone by.”

Help Net Security managing editor Zejika Zorz says Yahoo’s plan “could lead to trouble” and points to something Microsoft has done.

“In fact, a similar scheme by Microsoft concerning Hotmail email accounts has been proved dangerous by researchers from Rutgers University in Newark, New Jersey, who demonstrated that retired’ accounts can be requested by attackers and used to hijack users’ Facebook accounts,” writes Zorz.

Since all of these concerns were voiced, Yahoo has come out and defended its actions. Honan shares a statement the company gave him, in an update to his article:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Alexei Oresskovic at Reuters reports that Yahoo says only 7% of the IDs in question are even tied to Yahoo email accounts.

More Yahoo Mail controversy is probably about the last thing the company needed right now. They recently pushed a new redesign (which has actually been around as an option for about half a year) on all users, and many of them are upset about the move. We continue to get negative feedback from readers about it on just about a daily basis.

Are you confident that Yahoo is handling this situation in a safe way, or are you afraid the security experts are right? Let us know in the comments.