Yahoo announced in June 2013 that it was going to recycle inactive email addresses by giving them to other users who wanted them.
Addresses and Yahoo IDs that had been inactive for at least a year would be reset, in the hope of allowing someone with an awkward address, such as johnsmith4737, the opportunity to grab something far more desirable, like plain johnsmith.
About a month ago the company began to inform successful users of their new email addresses, and set up a $1.99 watchlist for those who wanted to monitor up to five IDs and receive notification if they became available.
Security experts and other critics raised concerns about Yahoo’s plan at the time.
Yahoo, however, was keen to downplay security concerns, saying:
To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
Unfortunately, however, some new owners of recycled accounts have nevertheless received messages of a sensitive nature.
InformationWeek, for example, has reported the cases of three users who received messages intended for the previous owners of their accounts.
At the outset, they received spam, but soon afterwards started to receive messages that contained PII – that’s “Personally Identifiable Information”, grist to the mill of identity thieves.
Tom Jenkins, an IT security professional, said he had received emails that contained account details and much more:
I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding.
Other users of recycled accounts were sent emails about recent purchases, court information, and even funeral information.
Dylan Casey, senior director of Consumer Platforms at Yahoo, played down the extent of the problem, saying that:
We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.
Casey also added that Yahoo is continuing to encourage companies to implement its Require-Recipient-Valid-Since (RRVS) email header system in order to minimise such occurrences in the future.
Yahoo’s hope is that more companies will add the RRVS header to password reset and other sensitive emails so that Yahoo can check the age of the email account before delivering the message to the account holder.
If the account ages don’t match, the email would be bounced back to the sender, who would then be expected to make contact via other channels.
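The receiving-side check described above can be sketched as follows. This is an added example, not Yahoo's code: the header syntax (address, semicolon, date) follows RFC 7293, which later standardised RRVS, while the mailbox table, addresses, dates and function names are constructed for illustration, and treating an unparseable header as absent is a choice made here.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RCPT = "johnsmith@mail.example"  # constructed recycled address

# Constructed mailbox table: address -> when the CURRENT owner took control.
OWNER_SINCE = {RCPT: datetime(2013, 8, 26, tzinfo=timezone.utc)}


def build(rrvs=None):
    """Constructed password-reset message, optionally carrying an RRVS header."""
    headers = ["From: accounts@shop.example", "To: " + RCPT,
               "Subject: Password reset"]
    if rrvs:
        headers.append("Require-Recipient-Valid-Since: " + rrvs)
    return "\n".join(headers) + "\n\nReset link follows.\n"


def rrvs_decision(raw_message, recipient):
    """Return 'deliver' or 'bounce' for one recipient of one message."""
    msg = message_from_string(raw_message)
    owner_since = OWNER_SINCE[recipient.lower()]
    for value in msg.get_all("Require-Recipient-Valid-Since", []):
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != recipient.lower():
            continue  # header is about a different recipient
        try:
            confirmed = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: treated here as if absent
        if confirmed.tzinfo is None:
            confirmed = confirmed.replace(tzinfo=timezone.utc)
        # The sender last knew the owner at `confirmed`. If the mailbox
        # changed hands after that, the message is for the previous owner.
        if owner_since > confirmed:
            return "bounce"
    # No applicable header: nothing to compare, so the mail is delivered
    # to whoever holds the address now.
    return "deliver"


if __name__ == "__main__":
    old = RCPT + "; Mon, 5 Mar 2012 10:00:00 +0000"
    new = RCPT + "; Tue, 10 Sep 2013 10:00:00 +0000"
    for label, raw in [("old sender, RRVS", build(old)),
                       ("old sender, no RRVS", build()),
                       ("new owner's own signup", build(new))]:
        print(label, "->", rrvs_decision(raw, RCPT))
```

The second case is the one the new account holders experienced: a sender that does not add the header gives the mailbox provider nothing to check.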
For now, I recommend logging into your Yahoo account every six months or so in order to ensure that you retain control over it.
This could be especially important if you signed up in order to sit on your own name or your company's name, or if you use the account as a backup for password resets.
Can't they just let the inactive ID remain inactive? Just purge the records of those IDs to save disk space.
The idea, presumably, is to attract new users by making groovy usernames (before there were 57 varieties of "cooldude") available again.
Same reason that the motor vehicle registries in many countries re-sell old number plates when cars are scrapped.
I’m guessing this has more to do with trying to force users to stick with Yahoo Mail than opening up new addresses.
I had a weird situation come up with a Hotmail address years ago. I grabbed an email address to use for a spam account. Unbeknownst to me, it was a recycled email address. Later, I decided to set up a PayPal account with that address. PayPal said I already had a PayPal account with that email address. Okay, perhaps I had forgotten setting it up? So I did the password reset to regain access to the PayPal account. Turns out, the person who had owned that Hotmail address before me had set up their PayPal account using that email address – and they were STILL using that PayPal account. Suddenly, I had access to all of their banking info and credit card numbers. Yikes.
Why they can just deactivate the inactive accounts? Why they have to do the recycle?
I dumped Yahoo years ago. I was getting too much spam even with their filters. It was so bad I worked with a concierge from Yahoo for a year trying to get my spam cut down. She finally gave up, telling me that people pay Yahoo to let their company's email come through. I did reopen with another name that I only use for newsletters and the spam has gotten much less. Hotmail too has a bad issue with spam. Gmail's spam filters are too good; I don't get mail from people I want it from!
Why would anyone expect this experience to be any different? The systems sending the emails to the recycled addresses have no clue the email address was recycled. Besides, aren't these dead addresses anyway? The (former) address owners shouldn't care if they had taken ownership of these old email addresses anyway.
A wait of a month is far, far too short. I still get messages sent to an address that was linked to an old ISP and closed two years ago! They still forward the messages despite being asked to completely delete the account.
Plus, I had a message on a currently used account from a recruitment company asking why I was not responding to messages from them on an account that was closed eleven years ago! They were using a very old CV from 25 years ago! Thing is, I never registered with them nor sent them a CV as they only started business 3 years ago! So they must have 'bought' an old database.
That shows how things can hang on and means the Yahoo approach is seriously flawed.
Lucky you, to have an old ISP forward emails to your new one.
The main reason why I keep the same ISP is to avoid the hassle of changing my email address. I once lost one through no fault of my own, and it was not a pleasant experience. Many emails vanished completely when I thought they had been archived. Others that I thought I had saved to my own computer were only readable minus the HTML and attachments.
I think email addresses should by law be transferable to a new provider, just as mobile phone numbers are.
So…is there any way to get rid of your account without risking this?
Be careful, I managed to get the inactive address of my choice myname @ yahoo.com added to my Yahoo account as an alias. I used it for over a year for sending and receiving mail, had it registered with social accounts, eBay etc.
Then all of a sudden, without warning, Yahoo changed it from @yahoo.com to @rocketmail.com, which has since caused me a lot of problems. I can no longer send mail from the @yahoo.com address but am still receiving mail from it, and going by the mail I’m receiving, it would appear that someone else is sending mail from their own account with the address, as some of the email is quite personal.
I tried to contact Yahoo regarding this but have not been able to contact them.
I’m still receiving personal private emails to this day. Actually the funny thing is, it belongs to a celebrity. I’m worried if they are using the email then can they see my emails in it too? These messages are very current but the email belongs to me now ever since Yahoo gave it to me. I know this celebrity’s Facebook, Twitter and their lovely dating sites along with other things including their false names that they have to use to keep themselves private from the media. Yahoo really screwed up.