Yahoo announced in June 2013 that it was going to recycle inactive email addresses by giving them to other users who wanted them.
Addresses and Yahoo IDs that had been inactive for at least a year would be reset, in the hope of allowing someone with an awkward address, such as johnsmith4737, the opportunity to grab something far more desirable, like plain johnsmith.
About a month ago the company began to inform successful users of their new email addresses, and set up a $1.99 watchlist for those who wanted to monitor up to five IDs and receive notification if they became available.
Yahoo, however, was keen to downplay security concerns, saying:
To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
Unfortunately, however, some new owners of recycled accounts have nevertheless received messages of a sensitive nature.
InformationWeek, for example, has reported the cases of three users who received messages intended for the previous owners of their accounts.
At the outset, they received spam, but soon afterwards started to receive messages that contained PII – that’s “Personally Identifiable Information”, grist to the mill of identity thieves.
Tom Jenkins, an IT security professional, said he had received emails that contained account details and much more:
I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding.
Other users of recycled accounts were sent emails about recent purchases, court information, and even funeral information.
Dylan Casey, senior director of Consumer Platforms at Yahoo, played down the extent of the problem, saying that:
We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.
Casey also added that Yahoo is continuing to encourage companies to implement its Require-Recipient-Valid-Since (RRVS) email header system in order to minimise such occurrences in the future.
Yahoo’s hope is that more companies will add the RRVS header to password reset and other sensitive emails so that Yahoo can check the age of the email account before delivering the message to the account holder.
If the account ages don't match, the email would be bounced back to the sender, who would then be expected to make contact via other channels.
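The receiving-side check described above, as an added illustration that is not Yahoo's code: the sender tags a sensitive message with a Require-Recipient-Valid-Since header (the format later standardised in RFC 7293 is "address; RFC 5322 date"), and the provider bounces the message if the mailbox was handed to its current owner after the date the sender last confirmed it. The mailbox directory, the example.com addresses and the fail-closed handling of a malformed header are assumptions for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

# Constructed directory: when each mailbox was (re)assigned to its current
# owner. A real provider would read this from its account store.
MAILBOX_OWNED_SINCE = {
    "johnsmith@example.com": datetime(2013, 9, 15, tzinfo=timezone.utc),  # recycled ID
    "johnsmith4737@example.com": datetime(2008, 3, 2, tzinfo=timezone.utc),  # long-held ID
}


def parse_rrvs(header_value: str) -> Optional[Tuple[str, datetime]]:
    """Parse 'addr-spec; date-time'; return (address, timestamp) or None if malformed."""
    addr, sep, when = header_value.partition(";")
    if not sep:
        return None
    try:
        ts = parsedate_to_datetime(when.strip())
    except (TypeError, ValueError):  # older Pythons raise TypeError, newer ValueError
        return None
    if ts.tzinfo is None:  # a '-0000' date parses as naive; treat it as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts


def rrvs_decision(recipient: str, header_value: Optional[str]) -> str:
    """Return 'deliver' or 'bounce' for a message addressed to `recipient`."""
    recipient = recipient.lower()
    owned_since = MAILBOX_OWNED_SINCE.get(recipient)
    if owned_since is None:
        return "bounce"  # no such mailbox
    if header_value is None:
        return "deliver"  # sender did not use RRVS; nothing to compare against
    parsed = parse_rrvs(header_value)
    if parsed is None:
        return "bounce"  # assumed policy: fail closed on a header we cannot read
    addr, valid_since = parsed
    if addr != recipient:
        return "deliver"  # header refers to a different address; not applicable
    # Ownership changed after the sender last confirmed the address: old owner's mail.
    return "bounce" if owned_since > valid_since else "deliver"


if __name__ == "__main__":
    hdr = "johnsmith@example.com; Mon, 3 Jun 2013 10:00:00 +0000"
    print(rrvs_decision("johnsmith@example.com", hdr))  # bounce
```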
For now, I recommend logging into your Yahoo account every six months or so in order to ensure that you retain control over it.
This could be especially important if you signed up to hold an address based on your own or your company's name, or if you use the account as a backup for password resets.