Print 20 comment(s) - last by Fritzr.. on Jun 22 at 11:53 PM

Critics say recycling of old accounts could lead to identity theft

Web giant Yahoo has operated its own e-mail service (free and paid) for many years, and many of us at one point in time have owned (or still own) a Yahoo email address. As you can imagine, a huge number of people all around the world subscribed to Yahoo's services, used the accounts for a while, and then abandoned the account.

The problem for Yahoo and users who actually want to use the Yahoo e-mail service is that having millions of dormant accounts taking up usable names kept some people from using the e-mail service.
As a result, Yahoo announced that it plans to recycle inactive user IDs. Yahoo's plan would take any accounts that have been inactive for more than 12 months and make them available for use by other users.

[Image Source:]

Privacy advocates are now rallying against Yahoo's plans saying that by recycling inactive user IDs, Yahoo could allow spammers and other nefarious users to assume the identity of the previous account holder. Yahoo says that it has safeguards in place and is coordinating with other web companies such as Google and Amazon to minimize any risk of identity theft.

"[The possibility of identity theft is] something we are aware of and we've gone through a bunch of different steps to mitigate that concern," said Dylan Casey, a senior director for consumer platforms. "We put a lot of thought, a lot of resources dedicated to this project."

Yahoo will also be unsubscribing inactive accounts from all mailing lists to prevent the new account holders from getting content they didn't ask for.

"Can I tell you with 100 percent certainty that it's absolutely impossible for anything to happen? No. But we're going to extraordinary lengths to ensure that nothing bad happens to our users," Casey added.

Source: Reuters

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

more a user problem then yahoo
By carigis on 6/20/2013 10:36:11 AM , Rating: 3
now, Im not sure how i feel about this. I get the complaints. but my way of looking at this is if you stop using a service, you really should be taking the responsibility of cancelling or transfering all your accounts, newsletter subscribtions, notifying people of your new address etc.

You can't expect to own the name forever if your not using the service.

i mean how many people use yahoo for dozens of one time burner accounts etc for signing up for things you don;t want to ever recieve emails from.

Im thinking one thing that might help is after the 12 months, maybe have a 6 month FROZEN period were all emails are bounced return to sender.

kinda like telephone numbers, usually they will drop an error message for six months or so before they reassign them.

as much as Im not a fan of yahoo.. this seems to be a user problem.. not yahoo's.

RE: more a user problem then yahoo
By BRB29 on 6/20/2013 10:56:53 AM , Rating: 2
yahoo can just make a new domain name

RE: more a user problem then yahoo
By Fritzr on 6/22/2013 3:15:02 AM , Rating: 2
They have already done that. and are also Yahoo Mail addresses.

This proposal is for cancelling all those accounts created by users who wanted to try it or needed a one off throwaway account or lost their password while their contact info was incorrect and thousands of other reasons for accounts being created and abandoned with no indication to Yahoo other than inactivity.

However on checking on their policies for free mail, I find that an account expires automatically if inactive for 6 months plus 2 months times for each year it was active up to the last recorded activity.!_Mail
Other sources say 4 months flat

Yahoo itself says only that an inactive account WILL expire unless it is a YahooPlus account (I'm assuming that having it's payments current is a requirement to prevent conversion to FREE mail and then expiration)
From the Termination portion of the TOS: (e) extended periods of inactivity,

Going from 4 months to 12 months actually makes these throwaway accounts last longer. If 12 months is shortening the period then you really have to wonder where the other sites giving authoritative answers got their info from.

By maverick85wd on 6/20/2013 11:25:46 AM , Rating: 3
I agree, bouncing msgs for 6 months is a good idea. I would also say 12 months isn't really that long, I've had accounts I didn't log in to for over a year and then used again. I'm guessing if they went back even four or five years they would still recover a lot of old addresses, but two or three years seems reasonable.

RE: more a user problem then yahoo
By Qapa on 6/20/2013 11:28:05 AM , Rating: 3
This is also a problem both ways:
- new user should be informed it is an already used account, so he can choose another one (I found myself getting SMSs and call with sensitive information for someone else... with a recycled phone number)
- old user may get sensitive information public to other people. So I agree with your suggestion of frozen account (bounce back as if it didn't exist), but I would suggest at least another 12 months

Another hypothesis would be that all servers would provide burner accounts...

Good idea..
By zhivaji on 6/20/2013 10:11:35 AM , Rating: 1

So many people have jumped ship from Yahoo mail to google / hotmail etc.. Why lock up their usernames ? Make them available to those who want them.. I'm sure there are so many Smith's and Kumar's out there who would want to have userids with their first name/last name combination

RE: Good idea..
By Ammohunt on 6/20/2013 10:18:07 AM , Rating: 1
Seriously? because if john smith 1 owns then yahoo recycles it jsmith 2 gets all of jsmith 1's emails and potentially chats. This is about as dumb as not allowing employees to work remotely. This new Yahoo CEO is not very bright.

RE: Good idea..
By kattanna on 6/20/2013 10:28:18 AM , Rating: 2
yep. if you havent logged into the account in over a full year, you have clearly shown you do not use it.

and if you have important accounts point to such an inactive account, then you get what you deserve.

RE: Good idea..
By Solandri on 6/20/2013 2:02:09 PM , Rating: 2
Yahoo requires you to sign up for their email to join their other services, like their email message lists. I'm on a couple Yahoo message lists (not my choice - the people who started them chose Yahoo to host their list), so I have a Yahoo email address.

But I never login to my yahoo account. I just set up my yahoo mail account to forward all mail to my real email address, and get my message list mails that way. I would be pretty upset if yahoo gave away my email address simply because I hadn't logged into it in ~8 years.

RE: Good idea..
By carigis on 6/20/2013 2:04:38 PM , Rating: 2
just log in once a year problem solved.

RE: Good idea..
By Azethoth on 6/20/2013 7:44:26 PM , Rating: 2
Better make it twice, so you get a 6 month margin for when the meteor strike comas you for a bit.

By amanojaku on 6/20/2013 12:24:03 PM , Rating: 3
"Recycling" accounts is the same as "recycling" postal mailing addresses. If someone moves out of the house or apartment, the address doesn't change. Sure, the new owner of an address runs the risk of getting mail for the previous owner, but that's no different from receiving spam. The previous owner had the option of removing himself from mailing lists, services, etc... before abandoning the account. Besides, the accounts are deleted before being re-issued, so nothing remains from the previous owner.

By Stuka on 6/20/2013 9:33:09 PM , Rating: 2
This is entirely different because the implications of real estate is effectively widely known and accounted for. There is ZERO precedent for email addresses changing hands because it has never happened. So, email addresses are, for all practical applications, personally identifiable. When you sign up for a chat client or just about any internet service or website, all you need is an email address, and all your activity and information is tied to that address and access to it's inbox. Postal addresses are not in themselves an identifier, they must be accompanied by other info such as name, DOB, SSN, etc.

To make this work, there needs to be a vast procedural and cultural change across the internet, not just one website's last gasp at remaining solvent.

By Fritzr on 6/22/2013 11:53:31 PM , Rating: 2
Postal addresses are all you need. Their bank sends out paper statements, the postman delivers them to the designated address. It is up to the residents to then distribute the mail correctly.

Forget to update your address and confidential information WILL be mailed to the new residents. Who may toss the mail in the trash, read the mail (it is delivered so the Post Office no longer cares) or hands it back to the postman with a note saying "Addressee Unknown". The last is what the Post Office thinks you should do, but the first two are the usual treatment.

New Resident receives bank statement. New Resident uses the bank statement and CORRECT mailing address to receive the forms for update. Account updated, address is changed, then plundered. If the investigation contacts New Resident, they simply say they don't remember seeing any of that mail. The fraud was done from a separate address, so someone else must have done it (of course New Resident does not say this because they don't even remember seeing the mail from the bank :P )

terrible idea
By Mizerable on 6/20/2013 9:06:43 AM , Rating: 2
Wow. This really is full retard. The first rule of the internet is pretty much: you never recycle usernames...

RE: terrible idea
By StevoLincolnite on 6/20/2013 9:12:29 AM , Rating: 2

Seems the first rule is actually... "Don't talk about rules 2-33."

Learn something new everyday! :P

RE: terrible idea
By Mizerable on 6/20/2013 12:39:03 PM , Rating: 2
rule 34 on yahoo's leadership.

By HrilL on 6/20/2013 6:30:37 PM , Rating: 2
If you go to sign up for a new account on a different site and it says that email is already used... What do you do? reset the other users password or go and get a new email account? Doesn't sound like there is really any solution that would solve this.

By Stuka on 6/20/2013 9:21:22 PM , Rating: 2
Most sites simply require you to enter your email address, then it send a reset link to that email. Once you reset the password for the account attached to that email, you now have access to all their order history, shipping and billing addresses, and quite often, saved credit cards. More often than not, once logged in there are no further security measures to prevent you from placing an order with that existing account. Hardly any commerce sites require security questions when resetting password. That is a practice relegated to service companies, ie. electric, cable, insurance, etc.

So, to make this work, Yahoo simply needs to coerce 1,000,000+ random internet sites to improve their security.

By HrilL on 6/21/2013 2:03:05 PM , Rating: 2
Yeah I know that. But What if you're not a bad person and you just want to have an account for yourself. You won't be able to create your own account because your email address will already be used for a different account. You won't be able to. That was my point.

"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki