Yahoo's Recycled Email Address Plan Hits a Snag

Yahoo drew criticism in June when it announced its plan to recycle old user IDs that have been inactive for more than 12 months. For consumers, it may be a chance to get a new address that says yournamehere@yahoo.com instead of “yournamehere00087524353@yahoo.com,” but security professionals conjured up the specter of potential identity theft. Critics said the problem is that if a Yahoo ID is also the same as, say, an ID for a Google account, a hacker can request a new password be sent to the email account to gain access to the Google account too.

Yahoo dismissed the issue at the time, and said that it’s coordinating with other major web companies, including Google and Amazon, to share information and head off identity theft. The possibility is "something we are aware of and we've gone through a bunch of different steps to mitigate that concern," Dylan Casey, a senior director for consumer platforms, told Reuters at the time. "We put a lot of thought, a lot of resources dedicated to this project."

Now, however, InformationWeek reported that three users came forward who received messages meant for the prior account holders. While the information is hardly the stuff of massive financial fraud, it’s more than a little uncomfortable on the privacy front.

“I can gain access to their Pandora account, but I won't,” Tom Jenkins, an IT security professional, told the magazine. “I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding.”

Others reported receiving funeral details, purchase confirmations and a host of other online bits and pieces that create a picture of a person’s life.

Casey issued a stock statement to media outlets about the problem: “We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.”

Clearly, consumers with old addresses need to update all accounts and anyone who sends them email as to their new account status – but that puts the onus on the person abandoning the account. Yahoo is continuing to encourage companies to implement its Require-Recipient-Valid-Since (RRVS) email header system too, which notifies companies if they’re sending mail to an old address: if the account ages don't match, the email would be bounced back to the sender.
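
A sketch of the receiving-side RRVS check described above, added here as an illustration and not Yahoo's code: the sender states the date since which it has known the recipient, and the receiver rejects the message if the mailbox changed owners after that date. The `address; date` field syntax is the one later standardized in RFC 7293; the address, ownership date, sample messages and the names `rrvs_decision` and `sample` are constructed for this example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"
RCPT = "yournamehere@example.com"  # constructed address
# Constructed receiver-side record: when the current owner took over the mailbox.
OWNER_SINCE = {RCPT: datetime(2013, 8, 26, tzinfo=timezone.utc)}

def rrvs_decision(raw_message, recipient, owner_since=OWNER_SINCE):
    """Return 'deliver' or 'reject' for one recipient of one message."""
    msg = message_from_string(raw_message)
    current_owner_from = owner_since.get(recipient.lower())
    for value in msg.get_all(HEADER, []):
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != recipient.lower():
            continue  # field is missing its date or names another recipient
        try:
            valid_since = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # assumption: a malformed date is treated as no field at all
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        # The sender knew the previous owner, not the current one: bounce.
        if current_owner_from and current_owner_from > valid_since:
            return "reject"
    return "deliver"

def sample(rrvs_value=None):
    """Build a constructed password-reset message, optionally with an RRVS field."""
    headers = ["From: accounts@shop.example", f"To: {RCPT}", "Subject: Password reset"]
    if rrvs_value:
        headers.append(f"{HEADER}: {rrvs_value}")
    return "\n".join(headers) + "\n\nReset link follows.\n"

if __name__ == "__main__":
    for value in (f"{RCPT}; Tue, 12 Jan 2010 09:00:00 -0800",  # predates new owner
                  f"{RCPT}; Mon, 02 Sep 2013 10:00:00 +0000",  # after the handover
                  None):                                       # sender does not use RRVS
        print(value, "->", rrvs_decision(sample(value), RCPT))
```

The last case shows the limit of the scheme: a sender that never adds the field gets no protection, which is why it depends on adoption by the companies sending the mail.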

Yahoo also, according to reports, plans to implement a button, called "Not My Email," which will roll out this week and will be found under the "Actions" tab in users' inboxes. Users of recycled accounts can click on it when they receive mail that isn’t intended for them, to help block messages like that in the future.
