Yahoo's going to boot us off our deadbeat accounts, but who is going to grab them?

Beginning next month, Yahoo will attempt to resuscitate inactive email accounts by giving them away, according to the Associated Press.

If you haven't checked in on your Yahoo account for at least a year, there's still time to save your handle from being given away to a stranger, and that might be a very good idea indeed.

On July 15, any newcomers can claim a handle from the dead pool that was previously unavailable. The new accounts will be usable by mid-August.

Yahoo hasn't revealed how many emails are in its dead pool, but it's probably a substantial number, given competitor Google's robust growth.

As of June 2012, Google's Gmail was reported to be the most widely used web-based email, with over 425 million active users worldwide.

Yahoo Mail reportedly had 281 million global users as of last year.

The move to purge the dead-account pool is obviously designed to re-energize the Yahoo mail user base. Once newcomers have new handles, the Associated Press suggests, they might well try out all the other services Yahoo is offering.

All well and good.

I would assume that Yahoo isn't giving away personal details associated with defunct handles.

I can't help but wonder, however, about the potential for identity fraud.

Let's say that Joe Schmoe hasn't used his account for over a year. (Pardon me if there's really a Joe Schmoe with that Yahoo account out there.)

Therefore, is up for grabs as of July 15.

What's to stop a miscreant from claiming the JoeSchmoe handle (and any other handles from the dead pool, for that matter) and then just sitting back and waiting for email to arrive?

If a personal email comes in from a relative who hasn't updated her address book for a while, or, say, if Joe Schmoe hadn't informed her of his new email address, what's to stop a crook from pretending to be Joe Schmoe, given that he's now got the handle?

What's to stop such email identities from being exploited for anything that miscreants can suck out of unknowing email correspondents, be it financial scams or personal information?

I asked Yahoo about this scenario. I'll update this story when they reply. While we're waiting, please do let us all know if there are further unintended consequences that you can imagine.

In the meantime, if you have a defunct account and don't like the idea of somebody else controlling it, get thee to Yahoo before July 15 and resurrect it from the dead.

29 Responses to Yahoo's going to boot us off our deadbeat accounts, but who is going to grab them?

  1. Jeremy · 844 days ago

    Yea, I got a reminder email to login. I don't care if they trash the email though. Their email service is inferior to gmail.

  2. C. Prescher · 843 days ago

    This is totally ignorant. What becomes of a user account if they are deleted? To just free auction off all old deadbeat email accounts should constitute some type of personal violation. Delete deadbeat accounts, don't hand them out on the street corner like bread for the poor . . . Way to go Yahoo. You just keep proving to us all you are nothing but a bunch of yahoos!

  3. Richard · 843 days ago

    What if Joe's set his Yahoo email as the password recovery address on another account, and then forgotten about it?

    This won't end well.

  4. Phil · 843 days ago

    And what's to stop a miscreant taking an old email address or two, then hitting "forgot my password" links on commercial sites? May not be a huge harvest, but could be worthwhile.

    Can't see the benefit to anyone except the bad guys, myself.

  5. Matt · 843 days ago

    They can have, when I need another throw away account I'll create another at Yahoo

  6. I foresee a whole spate of phishing attacks that say "click here to make sure that Yahoo does not delete your email." And those will be verifiable with the news.

  7. TweeterBrooks · 843 days ago

    This is what happens when children are allowed to be CEOs of companies...

  8. What if we just use our Yahoo! IM account but not the email?

  9. Jamie · 843 days ago

    I think this is a really stupid move on Yahoo's behalf.
    There should be a 2 year period from last log in before the email account is then up for grabs.

    And then when it's re-created using the same name, every single email address that has ever emailed the account should get an automated reply to say that the original account holder has changed and not to divulge any personal information

  10. lost/reset password emails going to handles with new owners. fail.

  11. Hate Yahoo so bye LOL

  12. Jakob Lell · 843 days ago

    Instead of passively waiting for incoming emails an attacker can also request a password reset email from popular websites in order to hijack the victim's account.

  13. gigi · 843 days ago

    I just left yahoo mail for gmail. In less than a year, Melissa Meyers has ruined a perfectly good email service. Between the "updates" that have actually made it less user friendly, the incredibly long time it takes to load emails and the periodic inexplicable inability to access one's email account, it's just too annoying to maintain a yahoo address.

  14. Dan · 843 days ago

    Yes - try to reset password across many accounts using a bot. Then the new user could gain access to Joe's credit card or bank or something else he forgot to change the old email to. Can be dangerous.

  15. Ferd · 843 days ago

    My Yahoo account merged with my SBC DSL account years ago. Now, there is no way to change my password. SBC/ATT blames Yahoo, and vice versa.

  16. Don · 843 days ago

    For starters 'Enter Email Address to Reset Password' on every major site you can think of...

  17. shadywilbury · 843 days ago

    What happens to those of us who are having email sent to Yahoo addresses re-routed to other accounts? Does this affect us?

  18. MikeB-Cda · 843 days ago

    My primary addy, even for Yahoo's purposes, is my ISP's POP3 addy, which back in my dialup days was considerably faster to access than webmail. So anything going to the Yahoo addy is almost certain to be junk. But I do check it every morning, usually just to dump the spam or to mark as such the rare item that slips past the filters into my inbox, and hopefully Yahoo recognizes that as current activity.

    My chief concern about losing my Yahoo addy to someone else relates to the way in which Yahoo not that long ago integrated mail with a number of other services such as the calendar under the broad heading of "Contacts", so that a lot of info is now accessible if you're logged into mail. Apparently that even includes Messenger, which no longer seems to be offered as a separate add-on. They totally messed up their profile system somewhere along the line, which used to be a major decision-tool for owners and moderators of restricted-membership Groups (e.g., medical and medical-related peer-support groups).

    Yahoo used to be, supposedly, the most visited website in the world, but they've become more and more unattractive and uninviting over the years. If they don't implement proper and obvious security measures with this latest upcoming change, I wouldn't be surprised if it turns out to be their "death rattle".

  19. Kelson · 843 days ago

    I wonder how this applies to other Yahoo services. Are they going to purge, for instance, Flickr accounts that have tons of photos but haven't been updated recently? That could cause problems for people who want to keep their archive available, even if they're posting new stuff somewhere else.

  20. njorl · 843 days ago

    I can see that an inactive account can't be allowed to lock up a user name for ever, or else we'll face a bleak future in which no-one alive can obtain a free e. mail account with a name anyone other than a secure-password champion is able to remember, but one year's inactivity is far too brief a period for recycling of an address. My feeling is 10 years at least.

    An inactive address may still be registered for password-reset purposes, on an unrelated site - possibly even a banking or other financial site. I'm sure there are more than a few of us who are guilty of not keeping them all up-to-date.

    Let's be positive and assume Yahoo! is creating a massive honey pot to reel in the bot nets.

    Otherwise, Microsoft's approach to resurrecting comatose user names is markedly superior - introduce a new domain name. (Choosing the name of a popular e. mail application, even when it's your own product, is less well thought out.)

  21. Sam · 843 days ago

    Who in their right mind would want someone else's cast off email address? It'll probably come ready made with 10-20 of the very best spam messages every day! Just what a new user needs to get blooded really quickly!

  22. What if I use my yahoo login for yahoo chat (yes some of us still use that) and other purposes and I *don't have* a yahoo mail account? The way your article is written, my account will be given away, even though I log into it every day. Please clarify this.

  23. jet86 · 843 days ago

    Pretending to be Joe Schmoe to a relative doesn't scare me as much as the possibility that Joe may have forgotten that his yahoo account was set up to be the account for recovering passwords for some other service. So when Joe forgets a password, he asks for it to be reset, and the reset password email goes to his old yahoo account, now in use by someone else.

  24. Anonymous · 843 days ago

    The main thing I would be concerned about are the "Forgot Password?" links on other sites that point to old Yahoo accounts the person hasn't used in a while. Someone could get the Yahoo account, then use the Forgot Password link to reset the password on an active account.

  25. Ken · 842 days ago

    To clarify, Yahoo is not "giving away [existing] accounts". They are deleting accounts and allowing the userids to be taken by new or other existing accounts. There will be nothing left for anyone to get any data from. Identity spoofing is possible, just like with any deleted account of any online service, but most services continue to reserve userids of deleted accounts for at least a year specifically to minimize this problem...including Yahoo before this announcement. So the remarkable thing (besides the mass deletion itself) is Yahoo abandoning their previous, safer userid reservation policy.

  26. windows explorer · 826 days ago

    What about alias "accounts" ? Do they have to have been "used" in the past year also? In that case, does simply receiving an email addressed to the alias constitute use or do I have to have sent something out under that name? Sometimes these aliases are more important than the main account, so I would very much like to know the answers. Thank you.

  27. Annette · 813 days ago

    Why do people use yahoo, gmail, MS live mail anyway?? There is no single free email service on-line, which would not try to racketeer your personal information one way or the other. Free email services also use the cloud, which puts everyone in danger from hackers.

    Why so many people fall for the 'free' internet services is beyond me. If you want every word in your email filtered by government and advertisers, go ahead and follow the rest of the sheep and continue to spend your 5 bucks on your daily cappuccino and cheap out not spending 10 or 20 bucks a year on a private secure encrypted email service.

    I will only use private email services including hush mail and for privacy, professionalism and student discounts. ;))

    If I receive an email from some company who are using a yahoo, gmail, M$ email or some other freebie email service that does not reflect the company name, I know that they are not worth doing business with.

  28. · 749 days ago

    All nice, short usernames are swimming in spam...

  29. Anonymous · 375 days ago

    Sophos, thank you for the heads up re: Yahoo email. Very good to know.

    Please let me tell you why this matters.

    Five years ago, I exchanged emails with a stranger who lives in another state. The emails pertained to a dead celebrity. Two years and many small red flags later, I finally realized that the stranger had installed spyware on my computer by way of an infected email attachment. By so doing, the stranger had captured every one of my keystrokes for the past two years. This means the stranger knows every one of my email addresses and to whom I had sent emails.

    Said stranger has disparaged me to the people (also strangers to me) with whom I had exchanged emails. I have not communicated with these people in many years. If the stranger assumes an email address that these people associate with me, and if the stranger sends to any one of them a vicious email in my name, how will the recipient(s) know the stranger sent the offending email(s)?

    I have not communicated with the stranger in several years. But even to this day, I periodically receive fake Facebook friend requests and taunting emails from the stranger.

    The foregoing experience has taught me something about narcissists and psychopaths. The experience has also taught me not to open attachments from people whom I do not know and to scan attachments from those whom I do; to keep my software current; and to be informed about issues related to computer security. That's what brought me here.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.