Yahoo ID recycling could lead to trouble
Posted on 20 June 2013.
Yahoo has announced that coming July 15th, any Yahoo email account / Yahoo ID that hasn't been logged into for over a year will be "freed up" and can be snapped up by another user.

While the plan has obvious advantages for Yahoo, it could be a big, big problem for users who have associated their Yahoo email address with other online services but haven't, for one reason or another, accessed that particular email account for a year or more.

In fact, a similar scheme by Microsoft concerning Hotmail email accounts has been proved dangerous by researchers from Rutgers University in Newark, New Jersey, who demonstrated that "retired" accounts can be requested by attackers and used to hijack users' Facebook accounts.

By misusing password reset options and using clever social engineering, a new malicious owner of a Yahoo ID could ultimately effect a thorough hijacking of the previous user's online persona and access sensitive online accounts - social network accounts, but also those at PayPal and possibly even online banking accounts.

Commenters have almost universally condemned Yahoo's plan, and pointed out these potential problems. But Yahoo is "committed and confident" that they can pull this off without putting their users' data in jeopardy.

"It's important to note that the vast majority of these inactive Yahoo! IDs don't have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder," the company stated for Wired.

"To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties."

