Over the summer, Yahoo announced a plan to recycle old user IDs in an effort to get rid of dormant account names. The plan allowed Yahoo to free up accounts that no one had used in over a year. If you wanted to get one of the newly freed accounts, you put your name on a waiting list. So, if you were stuck with the user ID “yourname79954114”, here was a chance to lose all those numbers. After Yahoo deleted all of the old emails, contacts, and data, it informed people on the list whether they got the account they wanted.
At the time of the announcement, most people realized that the plan had more than a few problems. While some merely thought the scheme was “moronic”, others called it “a spectacularly bad idea.” As Mat Honan at Wired explained, the biggest concern was security:
[S]omeone who uses a Yahoo email address solely as a backup for Gmail, and thus hasn’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.
Yahoo defended the plan and released a statement outlining how they would protect their old users, claiming they were “committed and confident in [their] ability to do [it] in a way that’s safe, secure and protects [their] users’ data.”
But now the old IDs have been recycled, and, unsurprisingly, it appears that there are security problems. Tom Jenkins, an IT security professional who signed up for a recycled ID, explained to Information Week that he started seeing highly personal emails on literally the first day of having his new account:
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”
Others noted that it appeared the old users, seemingly unaware that their account was recycled, were still actively giving out their now-recycled Yahoo email address.
Although many people may be at risk, Gant Redmon, general counsel with security company Co3 Systems, explained to Information Week that Yahoo is unlikely to be liable for any of the problems:
“Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn’t fit the Yahoo scenario,” he said. “Yahoo hasn’t lost or disclosed information they shouldn’t have. They’re not responsible for the fact that it was disclosed to a third party—the user is.”
In any event, Yahoo is currently trying to roll out a feature called “Not My Email,” which allows the new users to report an email that is not intended for them. While this feature may deal with the annoyance of receiving a high volume of emails meant for someone else, it certainly won’t protect the old users from identity thieves who may have gotten their hands on these accounts.