
Some Yahoo users describe recycled email addresses as a security nightmare



Yahoo for iOS

If reports from Information Week are correct, Yahoo's scheme to free up vacant usernames may not be working as well as it hoped. Last month, Yahoo began offering derelict account IDs to users who had requested them, reinvigorating its aging email system. While critics raised security concerns, Yahoo said it had taken precautions to stop old mail — from something as innocuous as a mailing list or as harmful as a password reset system — from reaching new users. In interviews with at least three people, however, Information Week found that some recycled accounts are more like zombies than miracle resurrections.

Tom Jenkins, who was given a new Yahoo name in August, says he quickly started receiving emails from common services like Facebook and Pandora, which still had the address on file. "I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number," he says. "I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding." Even if someone is no longer signing into their email address, it may still be attached to services that they use frequently. Another user describes getting an email confirmation for an apartment application. "I could have canceled someone's apartment," he says.


Yahoo deactivates old accounts for 30 days before giving them to new users, automatically unsubscribing them from any lists that send email in that period. It has also developed and evangelized a new header standard, which senders like Facebook could use so that mail such as password reset requests is delivered only if the recipient had confirmed the account after it was reactivated. Unfortunately, this method only works if senders adopt it, and private messages from old friends would probably still go through. One Information Week interviewee describes personal emails sent from men looking to "meet up" with a woman.
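As an added illustration of the receiving-side check that header enables (example code, not Yahoo's or Facebook's own): the header Yahoo and Facebook took to the IETF was published as Require-Recipient-Valid-Since (RFC 7293), which carries the date on which the sender last confirmed the address, and the receiving server refuses the message if the mailbox changed owners after that date. The mailbox table and the sample messages below are constructed for the example.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"

# Constructed mailbox table: when the current owner of each address took it.
# A recycled address gets a fresh "valid since" date when its new owner claims it.
MAILBOX_VALID_SINCE = {
    "recycled.user@example.com": parsedate_to_datetime("Thu, 15 Aug 2013 00:00:00 +0000"),
    "stable.user@example.com": parsedate_to_datetime("Sun, 01 Mar 2009 00:00:00 +0000"),
}


def parse_rrvs(value):
    """Split the header value 'addr-spec; date-time' into (address, aware datetime)."""
    addr, _, date_str = value.partition(";")
    confirmed_at = parsedate_to_datetime(date_str.strip())
    if confirmed_at.tzinfo is None:  # "-0000" yields a naive datetime; treat as UTC
        confirmed_at = confirmed_at.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), confirmed_at


def rrvs_decision(raw_message, mailboxes=MAILBOX_VALID_SINCE):
    """Return (accept, reason) for one inbound message.

    RFC 7293 rule: if the current owner took the mailbox after the date the
    sender last confirmed it, the mail was meant for the previous owner and
    is refused rather than delivered to the new one.
    """
    msg = message_from_string(raw_message)
    value = msg.get(RRVS)
    if value is None:
        return True, "no RRVS header; sender gave no confirmation date"
    addr, confirmed_at = parse_rrvs(value)
    valid_since = mailboxes.get(addr)
    if valid_since is None:
        return True, f"{addr} is not a local mailbox; header not applicable"
    if valid_since > confirmed_at:
        return False, "550 5.7.17 Mailbox owner has changed"
    return True, "recipient unchanged since sender's confirmation"


# Constructed sample: a password reset confirmed before the address was recycled.
PASSWORD_RESET = """From: noreply@social.example
To: recycled.user@example.com
Require-Recipient-Valid-Since: recycled.user@example.com; Tue, 04 Jun 2013 10:00:00 +0000
Subject: Reset your password

Click the link to reset your password.
"""

# Constructed sample: same header, but the mailbox has had one owner since 2009.
LONG_HELD = PASSWORD_RESET.replace("recycled.user", "stable.user")

# Constructed sample: a sender that never adopted the header gets no protection.
NO_HEADER = "From: friend@example.net\nTo: recycled.user@example.com\nSubject: hi\n\nHello\n"
```

A sender that adopts the header only has to record when it last confirmed the address; the refusal happens at the recipient's server, so the new owner never sees the reset link.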

Yahoo's Dylan Casey, though, tells Information Week that most people aren't having problems. "We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder," he says, noting that Yahoo is still working to get more people on board with the header standard. Yahoo did not immediately respond to questions from The Verge.

Update: Yahoo has responded with the following statement from Casey:

As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn't been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely — including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30 - 60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail.

In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner. We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users. Additionally, we're in the process of rolling out a feature in Yahoo Mail called 'Not My Email' where users can report that an email is not intended for them. We continue to look for ways to protect our users.