Yahoo! defends plan to recycle user IDs despite security criticisms

The concept has drawn widespread criticism that it may open the door to identity thieves, but Yahoo! begs to differ.

Yahoo! is clearly looking to reinvigorate the outlook for online services like Flickr, Mail, Weather, the Homepage and Search in the face of the onward march of Googleization. Jay Rossiter, senior vice president of platforms at Yahoo! was almost ebullient in announcing the ID plan.

“Today, I’m excited to share with you our next big push: we want to give our loyal users and new folks the opportunity to sign up for the Yahoo! ID they’ve always wanted,” he said. “If you’re like me, you want a Yahoo! ID that’s short, sweet, and memorable…a Yahoo! ID is not only your email address, it also gives you access to content tailored to your interests – like sports scores for your favorite teams, weather in your hometown, and news that matters to you.”

Beginning in mid-July, the company will open up inactive IDs to a claiming process. In mid-August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got.

Critics say that the problem is that if a Yahoo! ID is also the same as, say, an ID for a Google account, a hacker can request a new password to be sent to the email account to gain access to the Google account too.

“The assertion [that] Yahoo! is going to allow reactivation of these accounts by new, unrelated users does create an opportunity for malicious re-use,” said Scott Hazdra, principal security consultant at Neohapsis, in a comment to Infosecurity. “Those quick on the draw will be able to grab accounts like they would freed-up vanity license plates. There will definitely be instances where those secondary accounts will receive notices that a password is about to expire or has been changed, that a balance is low, that someone has pushed this message to your account, that someone has tried to log in to your account, and on and on – and that could present a major problem. This is what malicious users are looking for. For others, it may just present a crime of opportunity to find out if they can access someone else’s information.”
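The scenario the critics describe is a password-reset email landing in a mailbox that has changed hands since the third-party account was registered. The check below is an added illustration, not code from the article, Yahoo!, or Neohapsis: a relying service (say, the Google or Amazon account in the example) consults an assumed, hypothetical record of when the current owner of each mailbox took it over, and declines to send a reset link if that date is later than the account's own registration date. All names, addresses and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Account:
    """A relying-service account whose recovery address is a webmail mailbox."""
    username: str
    recovery_email: str
    registered_at: datetime


# Hypothetical record, supplied by the mailbox provider, of when the *current*
# owner took over each address. For a recycled ID this is the reclaim date,
# not the date the mailbox was first created. Constructed sample data.
MAILBOX_OWNER_SINCE = {
    "alice@mail.example": datetime(2009, 3, 1, tzinfo=UTC),
    # Short, desirable ID that was released and claimed by a new person.
    "shortname@mail.example": datetime(2013, 8, 15, tzinfo=UTC),
}

# Constructed sample accounts at the relying service.
SAMPLE_ACCOUNTS = [
    # Recovery address has been owned by the same person since before sign-up.
    Account("alice", "alice@mail.example", datetime(2011, 6, 1, tzinfo=UTC)),
    # Recovery address was recycled to a stranger after this account existed.
    Account("bob", "shortname@mail.example", datetime(2011, 6, 1, tzinfo=UTC)),
    # Recovery address the provider knows nothing about.
    Account("carol", "nobody@other.example", datetime(2011, 6, 1, tzinfo=UTC)),
]


def reset_allowed(account, owner_since):
    """Decide whether a password-reset link may be sent to the recovery address.

    Returns (allowed, reason). The rule: the mailbox must have belonged to its
    current owner since before the relying account was registered; otherwise
    the link could reach whoever reclaimed the address.
    """
    since = owner_since.get(account.recovery_email)
    if since is None:
        # Fail closed: with no ownership history, fall back to another
        # recovery factor rather than emailing a reset link.
        return False, "no ownership history for recovery address"
    if since > account.registered_at:
        return False, "recovery address changed owner after account registration"
    return True, "recovery address owned continuously since before registration"


def evaluate_all(accounts=SAMPLE_ACCOUNTS, owner_since=MAILBOX_OWNER_SINCE):
    """Run the check over every account; returns {username: (allowed, reason)}."""
    return {a.username: reset_allowed(a, owner_since) for a in accounts}


if __name__ == "__main__":
    for user, (ok, why) in evaluate_all().items():
        print(f"{user:6} reset-by-email {'ALLOWED' if ok else 'BLOCKED'}: {why}")
```

The interesting case is `bob`: his account predates the reclaim of `shortname@mail.example`, so a reset link would go to the new claimant and the check blocks it; `alice` passes because her mailbox ownership predates her registration. Carrying the "owner since" date on the reset email itself is the approach later standardised as the Require-Recipient-Valid-Since SMTP extension (RFC 7293), where the receiving mail provider, rather than the sender, makes this comparison and rejects the message.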

Yahoo! told Reuters, though, that it’s coordinating with other major web companies, including Google and Amazon, to share information and head off identity theft.

The possibility of identity theft is "something we are aware of and we've gone through a bunch of different steps to mitigate that concern," Dylan Casey, a senior director for consumer platforms, told the news service. "We put a lot of thought, a lot of resources dedicated to this project."

At the very least, Hazdra said, the company should take more time to verify that accounts are dead before re-releasing them. “Yahoo! plans to send out notices and bounce back emails that the accounts no longer exist, but doing that for just 30 days is not long enough,” he said. “If Yahoo is intent on re-issuing these accounts, they should keep them inactive for at least six months to allow that process to play out and to provide the original account owner a chance to take action.”
