Yahoo says unleashing people's old accounts will be fine, just fine

Filed Under: Featured, Privacy, Security threats

Inbox. Image courtesy of Shutterstock.Yahoo says it's got everything under control.

Many of us were dubious when the company announced on 12 June that it was going to give away inert accounts starting on July 15.

Fear not, it said one week later, for no personal data or content shall be attached to the tossed-aside handles.

Nor will any miscreants mishandle mail that mistakenly gets sent to what they think is the same old address but belongs to a brand-new, heaven-knows-who recipient, one is apparently supposed to assume.

That's because Yahoo plans to bounce back emails with an alert to senders, telling them that the deactivated account is no longer amongst the living.

At least, that's what it plans to do for 30 days. Hence its initial statement that the new holders of the accounts will be able to use them in August.

Wired posted the full statement in an update to its original reporting on Yahoo's plan:

“Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

"To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”

Critics are far from convinced that this isn't, in the words of Wired's Mat Honan, "Yahoo's very bad idea".

TechHive's Evan Dashevsky, for example, did an experiment wherein he signed into Yahoo Groups and joined one dedicated to Janet Jackson’s 2004 Super Bowl appearance.

Yahoo logoHe found, "oddly enough," posts as recent as a month old, although newer posts appeared to be produced by spam bots.

Using Yahoo's "oldest" filter in its posts, he got whisked back to a number of original, non-spam-bot posts from 11 years ago.

That sounds like a quick way to mine for the type of succinctly named Yahoo accounts that Yahoo wants to replenish. As it is, Yahoo's been around long enough that most all of those have been snapped up, leaving new users to craft clunky handles with long strings of extra characters, such as numbers affixed to names.

Honan imagines how would-be identity thieves would work it:

Going back in time nine years, I was able to find a bounty what appears to be genuine users' full real name along with their Yahoo email handle - or at least a handle for some other email address. Within this glut of information are surely some genuine Yahoo address handles along with a user’s full name.

Playing the numbers game, a would-be identity thief would be able to have their pick of retired Yahoo accounts along with the associated person’s real name and use that information to access online information.

Beyond potentially seeding identity theft, Yahoo's plan leaves open only a brief window of time - 30 days - for senders to do something about the defunct account.

Also, as a commenter on my original post pointed out, yet another thing to worry about is the scenario of an attacker who can request a password reset email from popular websites in order to hijack the victim's account.

It's easy to sympathize with Yahoo's desire to revitalize the site with new users.

Still, it's hard to imagine that come mid-August, we won't see a wave of Yahoo-focused exploits.

I said it before, and I'll say it again: if you've got a Yahoo account you haven't visited for awhile, visit the gutter and give it a poke.

See what dribbles out besides spam.

Find out who's still emailing that account, and then reach out to let them know that it's kaput.


Image of inbox message courtesy of Shutterstock.

, , , , , ,

You might like

12 Responses to Yahoo says unleashing people's old accounts will be fine, just fine

  1. Galen · 403 days ago

    Yahoo is "on top of the situation" about as much as Facebook. Within a week of Yahoo's announcement my wife received an email from a Yahoo account that I hadn't used in years. (hint: the email wasn't from me.)

    As Yahoo prepares for the upcoming changes I have to wonder what backdoors they open in the process.... with the brilliant choices they've made over the past several years I'm sure they will find themselves rubbing elbows with AOL and MySpace...

  2. Mick A · 402 days ago

    Not reusing redundant user ID's is a basic requirement of information security. It seems to me that the whole commercial world is a timebomb; whatever products and services you use from commercial (and even government) organisations will undoubtedly end up being used by criminals keen to exploit your identity. What happens if someone sends an email threatening a terrorist act? Will you be arrested and kept in jail until you can prove that you no longer have that email address? It almost beggars belief - but not quite after being an avid reader of Naked Security for so long. I'm starting to get desensitised.

  3. TweeterBrooks · 402 days ago

    I call BS on Yahoo!'s claim that they need to free up namespace for new users. Who do they think they are kidding?

  4. 2072 · 402 days ago

    Some deceased people will probably come back to life once their yahoo handle will be free, it'll be easy for thieves to request password reset and impersonate them on the Internet, this will lead to weird scenarios..

  5. Guest · 402 days ago

    Yahoo has more problems than they're telling anyone. I had a Yahoo account for around ten years, but about a year ago they decided my password was not my password and I had to go through all kinds of kazarai to get a new one that was okay to them. Within a couple of months, Yahoo decided the new password I was using was not my password. Yes, again. They finally after several tries, decided that my original password was fine, just fine. A few days later, that password I was using was the wrong one, per them. Yes, again. I've gone through this several times in the past year or so and I finally just decided to drop the account altogether, as at this point none of the new passwords they said I needed is the one I need to log on there. Yahoo is still coming to me, but just the generic issue because I have no password. I don't exist for them, as far as I know, because none of the passwords they gave me works. That's fine, I don't need it that much. I would have pursued that one more time but there is no way to contact them directly and I'm tired of spinning my wheels.

  6. JC Torpey · 402 days ago

    There's only one problem with the suggestion of logging into an old account to see who is emailing you, and direct them to the new account. I did just that and it turns out that Yahoo deleted all my old mail. The account was heavily used at one time (I'm talking more than four years ago), and I signed in just now to find that all messages are gone, spam and otherwise.

    How are we supposed to fight that?

    Plus, in the world where disposable email addresses come so easily, how is everyone supposed to remember every email address they've had going back until the beginning of time? Bad move, Yahoo. I have a feeling you'll be seeing lots of lawsuits over this...

  7. Dave · 401 days ago

    To allow new users to get sensible account names, all they need to do is offer alternative domains - as they did with @ymail.com. There are plenty of new TLDs, so no shortage of possibilities. They don't need to reuse old accounts.

  8. windows explorer · 391 days ago

    I have a theory that this actually is the result of somebody at Yahoo wanting to have one of those old names, but the only way they could figure out how to do it was by making it happen for a whole batch of other old names, thus hiding their tree in the virtual forest. Somebody at Yahoo should wake up and stop this nonsense before it is too late.

  9. Mariel · 348 days ago

    Now yahoo is being kind enough not only to delete those accounts but to take them out of other user contacts, going into your active account deleting them. I just got an email to inform me. I older what!s next!

  10. Creeped Out · 340 days ago

    Yahoo sells closed account contacts to sources like Linkedin. My closed account contacts are showing up as People You May Know on LinkedIn. If your life (and emails) were compartmentalized say work, family and the one you used for online dating sites when you were single, then be careful!

    Now that I'm married, many of the old Yahoo contacts routinely pop up on LinkedIn. These contacts only existed in the now closed account. The account links to me, because it did have legitimate purposes (in my case Match and eHarmony) -- but after marriage I no longer wanted/needed/desired the account. That was 4 years ago. And even today, in suggested LinkedIn accounts are suggested email addresses with no names.

    Yahoo -- you suck for this. And Linkedin you suck twice for buying them.

  11. Tom · 338 days ago

    Two days after getting a new, reused Yahoo email address, I'm starting to get emails certainly intended for the old owner of the account. This is going to be interesting.

  12. michael peter. · 78 days ago

    Yahoo has just recycled my account saying that I have not used it in a year. HUH?? I was using it almost every day. What's up with them?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.