Yahoo’s Very Bad Idea to Release Email Addresses

Yahoo is releasing inactive Yahoo IDs so that users can score a better email address. This means you can finally have the address you actually wanted instead of the one you settled for, for example. Sounds great, right? It's actually a spectacularly bad idea.

In a Tumblr post, the company announced that on July 15, it will be "freeing up" Yahoo email addresses that have been inactive for a year or more. But it's not just deactivating these accounts; it's going to offer them to other people.

In mid July, anyone can have a shot at scoring the Yahoo! ID they want. In mid August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got.

This may have seemed like a good way to get people to log in again, or to try to convert new users to a groovy Yahoo address. But it's a terrible idea. It means that people will be able to claim recycled Yahoo IDs and use them to take over other people's accounts elsewhere, via password resets sent to the recycled address and other recovery flows.

For example, someone who uses a Yahoo email address solely as the recovery address for Gmail, and thus hasn't logged into it for a long time, would be vulnerable to having that address claimed by a malicious individual whose real goal is the active Gmail account: request a reset, receive the link at the recycled address, and log in. You can see a chain of events where that leads on to taking over online banking accounts, social media accounts and the like, since those in turn send their resets to the Gmail address.
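The takeover chain above, as an added example that is not from the Wired article and not Yahoo's code. It simulates a mail provider that recycles an ID, a relying service that sends password-reset links to a recovery address, and the check a relying service would want before sending: refuse if the mailbox behind the address was (re)created after the user bound it. The provider, service, addresses and timestamps are constructed for illustration; the comparison itself is the one Yahoo later standardised as the Require-Recipient-Valid-Since header (RFC 7293), which this page predates.

```python
"""Added worked example: why a recycled address breaks password reset, and
the check that closes the hole. Not the article's or Yahoo's code; all
names, addresses and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    """Parse a constructed YYYY-MM-DD date as an aware UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


class MailProvider:
    """Hypothetical provider whose IDs get deactivated and then recycled."""

    def __init__(self):
        self.mailboxes = {}  # address -> (owner, created_at)

    def create(self, address, owner, when):
        self.mailboxes[address] = (owner, when)

    def deactivate(self, address):
        self.mailboxes.pop(address, None)

    def owner(self, address):
        entry = self.mailboxes.get(address)
        return entry[0] if entry else None

    def valid_since(self, address):
        """When did the *current* mailbox at this address come into being?
        (The RFC 7293 question; None means the address is dead.)"""
        entry = self.mailboxes.get(address)
        return entry[1] if entry else None


@dataclass
class Account:
    name: str
    recovery_address: str
    recovery_bound_at: datetime


class RelyingService:
    """Hypothetical site (webmail, bank, social network) that mails reset links."""

    def __init__(self, provider: MailProvider):
        self.provider = provider
        self.accounts = {}

    def bind_recovery(self, name, address, when):
        self.accounts[name] = Account(name, address, when)

    def naive_reset(self, name):
        """Sends the reset link to whoever holds the recovery address today."""
        acct = self.accounts[name]
        return self.provider.owner(acct.recovery_address)

    def guarded_reset(self, name):
        """Sends only if the mailbox predates the moment the user bound it;
        a mailbox created after that is a recycled ID, not the user's."""
        acct = self.accounts[name]
        since = self.provider.valid_since(acct.recovery_address)
        if since is None or since > acct.recovery_bound_at:
            return None  # refuse: address no longer belongs to the binder
        return self.provider.owner(acct.recovery_address)


def scenario():
    """Alice binds a backup address, goes quiet, the ID is recycled to Mallory.
    Returns (who the naive reset goes to, who the guarded reset goes to)."""
    provider = MailProvider()
    provider.create("alice_backup@example.com", "alice", ts("2010-03-01"))
    service = RelyingService(provider)
    service.bind_recovery("alice", "alice_backup@example.com", ts("2010-03-02"))
    # Alice never logs into the backup again; the provider deactivates the ID
    # and, after its waiting period, hands it to a new registrant.
    provider.deactivate("alice_backup@example.com")
    provider.create("alice_backup@example.com", "mallory", ts("2013-08-15"))
    return service.naive_reset("alice"), service.guarded_reset("alice")


if __name__ == "__main__":
    naive, guarded = scenario()
    print("naive reset link delivered to:", naive)      # mallory
    print("guarded reset link delivered to:", guarded)  # None (refused)
```

The guard only works if the relying service actually recorded when the recovery address was bound and the provider is willing to answer the "valid since" question; a 30-day bounce period on its own tells a sender nothing once the address is live again under a new owner.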

Nor would it be hard to discover some of these inactive addresses. You could, for example, find a dormant Flickr account, since Flickr previously required a Yahoo ID to sign in.

The bottom line is that unless it rethinks this policy, this is going to lead to a social engineering gold rush come mid-July. Wired has reached out to Yahoo for comment.

Yahoo has since released a statement saying it is confident it can make this transition securely. We've included it below.

Our goal with reclaiming inactive Yahoo! IDs is to free up desirable namespace for our users. We're committed and confident in our ability to do this in a way that's safe, secure and protects our users' data. It's important to note that the vast majority of these inactive Yahoo! IDs don't have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and recycling these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.


Original article by Mat Honan at http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/