Yahoo says it’s got everything under control.
Many of us were dubious when the company announced on 12 June that it was going to give away inert accounts starting on July 15.
Fear not, it said one week later, for no personal data or content shall be attached to the tossed-aside handles.
Nor, one is apparently supposed to assume, will any miscreants mishandle mail that mistakenly gets sent to what the sender thinks is the same old address but now belongs to a brand-new, heaven-knows-who recipient.
That’s because Yahoo plans to bounce back emails with an alert to senders, telling them that the deactivated account is no longer amongst the living.
At least, that’s what it plans to do for 30 days. Hence its initial statement that the new holders of the accounts will be able to use them in August.
Wired posted the full statement in an update to its original reporting on Yahoo’s plan:
“Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.
“To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”
Critics are far from convinced that this isn’t, in the words of Wired’s Mat Honan, “Yahoo’s very bad idea”.
TechHive’s Evan Dashevsky, for example, did an experiment wherein he signed into Yahoo Groups and joined one dedicated to Janet Jackson’s 2004 Super Bowl appearance.
He found, “oddly enough,” posts as recent as a month old, although newer posts appeared to be produced by spam bots.
Using Yahoo’s “oldest” sort filter on the group’s posts, he got whisked back to a number of original, non-spam-bot posts from 11 years ago.
That sounds like a quick way to mine for the type of succinctly named Yahoo accounts that Yahoo wants to replenish. As it is, Yahoo’s been around long enough that almost all of those have been snapped up, leaving new users to craft clunky handles with long strings of extra characters, such as numbers affixed to names.
Honan imagines how would-be identity thieves would work it:
Going back in time nine years, I was able to find a bounty of what appears to be genuine users’ full real names along with their Yahoo email handle - or at least a handle for some other email address. Within this glut of information are surely some genuine Yahoo address handles along with a user’s full name.
Playing the numbers game, a would-be identity thief would be able to have their pick of retired Yahoo accounts along with the associated person’s real name and use that information to access online information.
Beyond potentially seeding identity theft, Yahoo’s plan leaves open only a brief window of time – 30 days – for senders to do something about the defunct account.
Also, as a commenter on my original post pointed out, yet another thing to worry about is the scenario of an attacker who claims a recycled address and then requests password reset emails from popular websites where the previous owner registered with it: those reset emails now land in the attacker’s inbox, letting him hijack the victim’s accounts.
It’s easy to sympathize with Yahoo’s desire to revitalize the site with new users.
Still, it’s hard to imagine that come mid-August, we won’t see a wave of Yahoo-focused exploits.
I said it before, and I’ll say it again: if you’ve got a Yahoo account you haven’t visited for a while, visit the gutter and give it a poke.
See what dribbles out besides spam.
Find out who’s still emailing that account, and then reach out to let them know that it’s kaput.