Yahoo ID recycling could lead to trouble
Yahoo has announced that coming July 15th, any Yahoo email account / Yahoo ID that hasn’t been logged into for over a year will be “freed up” and can be snapped up by another user.
While the plan has obvious advantages for Yahoo, it could be a big, big problem for users who have associated their Yahoo email address with other online services but haven’t, for one reason or another accessed that particular email account for a year or more.
In fact, a similar scheme by Microsoft concerning Hotmail email accounts has been proved dangerous by researchers from Rutgers University in Newark, New Jersey, who demonstrated that “retired” accounts can be requested by attackers and used to hijack users’ Facebook accounts.
By misusing password reset options and using clever social engineering, a new malicious owner of a Yahoo ID could ultimately effect a thorough hijacking of the previous users’ online persona and access sensitive online accounts – social network accounts, but also those at PayPal and possibly even online banking accounts.
Commenters have almost universally condemned Yahoo’s plan, and pointed out these potential problems. But Yahoo is “committed and confident” that they can pull this off without putting their users’ data in jeopardy.
“It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder,” the company stated for Wired.
“To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”