Security & Privacy

Earlier this summer, Yahoo! announced that they would be recycling the accounts of users that had not logged on in the last year. On the surface, this would seem to be a fairly reasonable idea. Usernames are a somewhat limited commodity, and in time they start having to become outlandishly complex, which is less desirable. But there are definite problems with reusing accounts, such that these accounts might still be effectively attached to their old owner. Moreover, unless the outcry users raise about this practice is sufficiently odious, it’s likely Yahoo! will do this regularly.

Yahoo! tried to get around potential problems—specifically with account reset notifications being delivered to the wrong recipient—by adding a field to email headers called “Require-Recipient-Valid-Since.” The idea is that users whose Yahoo! accounts had been deactivated would fail to match, and notifications for that user could then be bounced. Except that only a tiny handful of companies are currently providing or checking this information. So in the majority of cases, notifications sent to the deactivated user continue on their merry way.

Regular emails were not considered so thoroughly, and Yahoo! was only able to remove deactivated users from their own address books. So users of any other address book (or those folks using no address book, just autofill) would be retaining the user’s old address.

Reports are already starting to come in about the problems that have begun to occur as a result of hot-swapping usernames. In one particular instance, a deactivated user was BCC’ed on a note from a job interviewer as a professional reference, and the new user received it instead. Aside from seeing the email addresses of the other recipients, the new user also saw salary negotiation details.

I have no doubt spammers and scammers are wasting no time exploiting this opportunity. What a fantastic way to gather a load of valid email addresses and potential info for phishing or identity theft!