In June, Yahoo announced that it would give away inactive email addresses to users who wanted them. It would take addresses (and Yahoo IDs) that had been inactive for at least a year and reset them, so users with addresses like email@example.com could get more desirable addresses like firstname.lastname@example.org.
About a month ago, Yahoo notified users of their new addresses and launched a "watchlist" feature, where users that didn't get the ones they wanted could pay a few bucks to keep an eye on those addresses in case they became available.
From the beginning, security experts shared concerns about Yahoo's move, suggesting that giving people others' addresses could pose problems, and now, it appears that these concerns were pretty valid, despite Yahoo playing them down.
InformationWeek is running a story today after speaking with users who got these recycled addresses, and were surprised to get emails intended for the original owners. Here's a telling excerpt:
Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.
"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," Jenkins said. "The identity theft potential here is kind of crazy."
Yahoo told the publication that it has heard from "a very small number of users" about receiving emails meant for the previous account holders, and that it continues to work with companies to implement the RRVS email header standard it described in its initial explanation of its security efforts.
We've reached out to Yahoo for further comment, and will update accordingly.
Update: We received the following comment from Dylan Casey, Senior Director, Platforms at Yahoo:
"As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn't been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely – including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and. unsubscribing the accounts from commercial mail. In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner. We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users. Additionally, we’re in the process of rolling out a button in Yahoo Mail called 'Not My Email' where users can report that an email is not intended for them. We continue to look for ways to protect our users.”