Yahoo tells security critics to chillax regarding its email recycling program

Yahoo's plan to recycle old unused email addresses has come under criticism for potential use by identity thieves.

It's not hard to find possibly abandoned Yahoo accounts attached to real people.

So much for trying to be nice. Yahoo's latest bid to lift itself from the tech also-ran swamp with an email recycling initiative has been criticized for potential security threats to dormant users. To try to calm down the pitchfork-wielding crowd, the company has released a statement describing various security measures that will be taken to protect past users' data and security--but they may not cover all the bases.

How safe are old users?

A June 12 Tumblr post unveiled Yahoo's plan to make available inactive but succinctly named Yahoo accounts. The company holds nearly two decades' worth of accounts and their associated emails. Over the years, many of these users have moved on from the ecosystem, forcing newer, active users to settle for an unintelligible email address like as opposed to

The primary concern is that with a little research into dormant Yahoo accounts, crafty identity thieves could use associated email addresses to access bank accounts, social media, and other online portals.

The threat of that isn't off base. For example, I signed into Yahoo Groups and joined a group dedicated to Janet Jackson's 2004 Super Bowl appearance. Oddly enough, the group (built around the event that took place in George W. Bush's first term!) features posts as recently as a month ago, though all the newer posts appear to be spam bots. However, Yahoo offers an "oldest" function in their posts that automatically took me back to a number of original and peopled posts from 2004.

Going back in time nine years, I was able to find a bounty of what appear to be genuine users' full real names along with their Yahoo email handles--or at least handles for some other email address. Within this glut of information are surely some genuine Yahoo address handles along with the users' full names.

Playing the numbers game, a would-be identity thief would be able to have their pick of retired Yahoo accounts along with the associated person's real name and use that information to access online information.

According to Wired's Mat Honan, Yahoo has responded to the concerns with the following statement:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We're committed and confident in our ability to do this in a way that's safe, secure and protects our users' data. It's important to note that the vast majority of these inactive Yahoo! IDs don't have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

The most important part of the statement is the notification of merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties, which will hopefully help lax users remain secure. Hopefully the various online entities will act quickly to avoid any unwanted access.

Protect your ghost accounts

Yahoo's recycling plan will free up IDs that have been inactive for the past 12 months. Current users will be able to apply for newly freed Yahoo IDs beginning in mid-July, and they will find out which accounts they were able to obtain by mid-August.

If you wish to keep your Yahoo address, simply log in to any Yahoo property before July 15 and your account will be spared from the recycling program. If you can remember your old Yahoo account, it may be worth logging in to that Flickr account you haven't touched in five years, just to be on the safe side.
