Thanks For The Identity Theft, Yahoo (b0ing.me)
154 points by b0ing on July 20, 2013 | hide | past | favorite | 59 comments



I agree that this is a terrible move, in theory. But in actual practice, I'm not convinced it will be so bad.

Because if you're not using that Yahoo account for e-mail anymore, then you're probably not using it as a sign-in or password recovery e-mail for your banking, Facebook, or anything else important -- because the whole point is, everything that's actually important to you, you're using your current e-mail address. After all, that's where important account notifications go, credit card receipts, bank statements, password resets, etc. -- things which are necessary for you to see.

Of course you'll likely have a bunch of accounts you forgot even existed on random sites you signed up for in the past, with your old Yahoo e-mail address. Most of them will be harmless -- who cares if someone gets access to some random sports forum you once posted on.

The biggest risk I can see is that 1) the new owner chooses to be malicious, 2) successfully locates a site that sends out password-recovery emails with the original passwords in plaintext, which the specific user has an account on, 3) knows the original user's current valid address, 4) tries the old password on the user's new address they use with banking/etc., and it works. But the risk of this would appear to be so small, that it's just lumped in with all the other kinds of "identity theft" weaknesses that already exist (guessing security questions, etc.).

(And then, there's scamming on whatever social networks or forums the old e-mail address had an account on. Although it seems like Facebook etc. is protecting against that? And it's not like spoofing e-mails/accounts is anything new.)

As long as Yahoo is giving significant heavy warning to the e-mail accounts themselves, and months' worth of time -- well if you never check your free e-mail account, it's not unreasonable to expect that it might be deactivated someday. Annoying, but not unreasonable. And if you use the same password for your Facebook, banking, etc. as you did for other random sites you signed up for years ago, then that's a security risk regardless of what Yahoo does.


What about when someone uses their old email address as the password recovery email for the new email address? I agree with Silhouette in that I hope they follow through with this... It will surely be fun to watch, and also people will become a little bit more security conscious.


I changed my email address at my bank. They still send emails to my old address (and to my new address). They have no idea why and how. I'm pretty sure this kind of "thing" will happen to many others, with the difference that I keep my old (yahoo) address active...


I clicked on the link expecting it to be alarmism, but this legitimately boggles the mind.


I definitely did a little title baiting, but I think it's justified in this case. This is a monumental cock-up.


It is a pretty compelling argument for little benefit on Yahoo's part. The correct answer for Yahoo is to freeze email in the previous domain, create a new domain for mail and move forward. But there is a certain lack of understanding that is settling in at Yahoo which feels distinctly like 'new young people' (and I mean that in the nicest way possible), but people who consider the time before they were aware of the world "ancient history", and for new grads from college in 2012 - 2013 that was anything before 2000.

Imagine the fun that could be had if Hollywood decided to 're-use' old stage names. We could get a bunch of new John Wayne movies!


Looking at it, fuck, I don't think you really link baited enough. What are they thinking!?!?!?!?!? I can see almost no benefit to this. Start a new domain if you want to free up usernames.


Sure, a few people will lose their identity, but millions will get good email addresses!


and don't forget: access to yahoo's amazing webmail client, IMAP and SSL/TLS support, free mail forwarding, and much more!


Okay, who are you and why all of a sudden are you popping up in news aggregators like Techmeme?

Sorry if I missed out on some new (or old...I have no idea) thing here, but I've never heard of you nor your site. Is this supposed to be some alternate blog/identity for some other semi-famous tech writer or something?

Again, I apologize for not being hip or "with it" in regards to who you are. But you tend to obscure who you are on both your site and twitter feed. Why?


I am always wary of collateral damage arguments, but in a greater-good sense, I almost hope Yahoo do go ahead with this. It's such an obviously bad idea, and enough people probably would suffer significantly as a result, that it might just raise public awareness of why things like good security practices and privacy and data protection matter, and that it can "happen to them", even many years in the future, if they don't take care of how they behave and who they trust today.

Hopefully, Yahoo would also find themselves vulnerable to at least one of the obvious legal attack vectors and wind up paying out a small fortune in compensation to make good on losses due to identity theft and/or frauds committed using false identities they supported. This could be an educational lesson for a lot of businesses that don't take privacy and data protection seriously today because collecting everything you possibly can about everyone is seen as almost pure upside with little real cost or risk.


Well, the Internet is dynamic isn't it? Other services are already freeing inactive accounts, email or e.g. Twitter handles, and think of changing mail service owners and domain changes, too. And why should a service hold an email forever, just because someone registered it and maybe was never even using it?

Isn't the real problem that users and services put too much trust in plain email addresses? Especially when accounts are outdated? Crypto might help here someday in the future.

We could even say: Isn't it your fault that you didn't keep track of which services you used that email for? Or that you lost your password? Why blame Yahoo for that?


Because for better or worse, email has become the de facto identity identifier on the web. If you allow people to grab emails that used to be owned by someone else, you effectively allow them to own their identity on every website where they registered with that email in the past.

And while some other email providers do the same, it's particularly bad with Yahoo because they are such a huge and longstanding provider; they have tons of email, some that are a decade old, and a lot owned by people who are not very technical or who don't check their email very often.


Still, we can't blame Yahoo for that, right? We can't blame them for people's Internet incompetence. We can't blame them for the limited scope most service developers have.

As a user, I have to update the email address I use, and other services should delete inactive accounts, too. Or at least notify inactive users. I know, especially the latter option is more or less nonexistent. But also think of all the data that users have no access to, because of lost passwords etc. I'd rather see that deleted.

Also, if Yahoo is doing things right, they would only delete accounts with no activity for a serious amount of time, e.g. no access, not even POP3, for over 2 years.


You can't blame Yahoo as-in "they are technically and legally allowed to do that".

But on the other hand, Yahoo is a falling behemoth that is trying to earn itself a new image; and doing such a stupid move can and will earn them the mark that they still "don't get it", and rightly so.


I never talked about the legal part. Of course it is legal since their terms might likely allow this.

I just don't see it as that wrong, like you do. I wonder if there is an argument to really call them stupid. And I don't even think this is relevant referring to their image.

As you said, this only affects people who aren't either informed about computer topics, don't know they had a Yahoo mail at all or who simply reregister their old mail address.


Yahoo of all companies should know what type of users still retain their emails and what type has moved on.

I had set up my mom's email on Yahoo (cause Gmail didn't exist and Hotmail, freshly bought by MS, was rubbish). She had a habit of entering it into everything and it was soon unusable. We went over online browsing and safety, but not before her private info ended up on a dozen or so spammy sites. That was more than 10 years ago.

There's no way to reset the password for that thing, since backup emails weren't present plus IT WAS MORE THAN 10 YEARS AGO! Also, she doesn't have a Facebook page, doesn't want a Facebook page and will likely never get one in the future. She's done handing out her info to people she doesn't know.

I'm sure some of her info is still on it, but if Yahoo goes through with this, there will be hell to pay.


Am I missing something? You only lose accounts which you are not using, correct? It is easy enough to avoid losing the account by logging into it once. If you have lost access to the account, you can go ahead and reclaim the same account back through this scheme, if I am not mistaken. Could someone please explain why people are getting so worked up about this issue?


> Could someone please explain why people are getting so worked up about this issue?

Because having your identity stolen can pretty much destroy your life, or at the very least cause you a great deal of suffering for many months. This change would mean a tiny oversight from many years ago could allow those things to happen.

It's also a paradise for fraudsters and charlatans, who will have a bountiful source of new identities to build on if they can just find someone who has since died or can otherwise be assumed not to need an old account any more.


To top it off, their password reset for existing users is completely broken now. I don't mean "poorly designed," I mean it is simply not working.

When I tried to reset a password recently, I got "your password is too weak" for every password I tried, including very long randomly-constructed not-previously-used passwords resembling line noise. This after carefully making sure both entries of the password matched. Multiple times. The form simply does not allow the user to proceed, and it gives false reasons. It is broken.


I just changed my Yahoo password without any issue. It was incredibly straightforward for me.


That's great that it worked for you, thanks so much for sharing. I'll try again.


Wow imagine this scenario:

I sign up for a service using my Yahoo email account. I don't use my Yahoo account for a year. Someone gains access to my email address. That person enters my email address into a forgot password field. Boom. They now have access to my service.

As another poster stated, the mind boggles.


It's a valid scenario, but I was starting to think quite unlikely. If I get a new jrandom@yahoo.com address, I would have to know who that account used to belong to and on which online services it might have been used. If I'm in Boston and the old "jrandom" was in Atlanta, I'd have to first figure that out and then figure out what bank he used, and be lucky enough that he had not updated his email there. And websites like banks and other financial services require more than just an email address to get a password reset. You need to answer some "secret questions" etc.

But I grew up before Facebook and other social networking fads. I still don't use those services. So I sometimes forget how easy it is to get a very good life history on someone by just searching their email address, very possibly including the answers to typical "secret questions" like your pet's name, where you went to elementary school, etc. and maybe I can even get some clues about what bank they use.

So it really might not be too far-fetched a concern. Still, I think it somewhat unlikely that an email account tied to a lot of social networking activity is itself going to be dormant. But it's possible. Maybe the person has the account forwarded to another address and never logs in directly. Would that count as "dormant"?

Before issuing an account, Yahoo themselves should be sure it's not forwarded, and search for any associated internet content, especially on social media. If an account has not been used in years, AND internet searches for that account turn up nothing, it might be safe to reissue it.


A lot of websites send "monthly newsletter from <site>.com" type emails. Ironically it's the avoidance of such emails that often causes people to use throwaway yahoo accounts.

Once these start appearing in the inbox, the new owner can just do a password reset on these sites.


> It's a valid scenario, but I was starting to think quite unlikely. If I get a new jrandom@yahoo.com address, I would have to know who that account used to belong to and on which online services it might have been used. If I'm in Boston and the old "jrandom" was in Atlanta, I'd have to first figure that out and then figure out what bank he used, and be lucky enough that he had not updated his email there. And websites like banks and other financial services require more than just an email address to get a password reset. You need to answer some "secret questions" etc.

It's not that hard, actually, considering that most websites you sign up for send periodic marketing emails. You're the new owner, you get a marketing email addressed at the old owner, hit the "forgot my password" link, and you have ownership of the account.


I just reactivated my old Yahoo email account to prevent this scenario.

I was hoping they had retained all my old emails so I could go through and find any exposures. Unfortunately, once an account is deactivated, the emails are gone - even if you log back in with the same password. Deleting the emails from the dormant account is probably the right thing to do, but it makes it impossible to see what sites I may have used the Yahoo email account to register with.


This is gobsmackingly awful. Their 'relax, we won't let people use this to hijack accounts on other services' solution is to check incoming email for a new header, a new header that Yahoo invented.[1] Good luck getting every web based sign up site with email password reset to update their email service.

1. http://www.wired.com/threatlevel/2013/07/yahoo-email/
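The header mechanism the comment refers to was later standardised as Require-Recipient-Valid-Since (RFC 7293): the sending site states when it last confirmed the address belonged to its user, and the receiving mail server rejects the message if the mailbox changed hands after that date. The following is an added example, not code from the thread or from Yahoo, of the receiving side of that check; the mailbox table, addresses and messages are constructed.

```python
# Added example (not from the thread or from Yahoo): receiver-side check for the
# Require-Recipient-Valid-Since header (RFC 7293). Mailbox data is constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

HEADER = "Require-Recipient-Valid-Since"


@dataclass
class Mailbox:
    address: str
    valid_since: datetime  # when the current owner took control of the address


# Constructed sample state: jrandom@ was recycled to a new owner on 1 Aug 2013.
MAILBOXES = {
    "jrandom@example.invalid": Mailbox(
        "jrandom@example.invalid", datetime(2013, 8, 1, tzinfo=timezone.utc)),
    "alice@example.invalid": Mailbox(
        "alice@example.invalid", datetime(2009, 3, 2, tzinfo=timezone.utc)),
}

# Constructed password-reset mails. The first was sent by a site that last
# confirmed jrandom@ in June 2013, i.e. before the address was recycled.
RESET_TO_OLD_OWNER = (
    "From: noreply@bank.invalid\r\nTo: jrandom@example.invalid\r\n"
    "Subject: Password reset\r\n"
    "Require-Recipient-Valid-Since: jrandom@example.invalid;"
    " Sat, 1 Jun 2013 00:00:00 +0000\r\n\r\nClick the link to reset.\r\n"
)
RESET_TO_ALICE = (
    "From: noreply@shop.invalid\r\nTo: alice@example.invalid\r\n"
    "Subject: Password reset\r\n"
    "Require-Recipient-Valid-Since: alice@example.invalid;"
    " Mon, 4 Jan 2010 09:30:00 +0000\r\n\r\nClick the link to reset.\r\n"
)
NO_CLAIM = "From: news@forum.invalid\r\nTo: jrandom@example.invalid\r\n\r\nHi\r\n"


def parse_rrvs(value: str):
    """Split the header value 'addr-spec; date-time' into (address, datetime)."""
    addr, _, stamp = value.partition(";")
    _, addr_spec = parseaddr(addr.strip())
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:  # '-0000' yields a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr_spec.lower(), when


def decide(raw_message: str, rcpt_to: str, mailboxes=MAILBOXES) -> str:
    """Return 'accept' or a rejection reason for one RCPT TO address."""
    rcpt = rcpt_to.lower()
    box = mailboxes.get(rcpt)
    if box is None:
        return "reject: no such mailbox"
    value = message_from_string(raw_message).get(HEADER)
    if value is None:
        return "accept"  # sender made no claim; ordinary delivery
    try:
        claimed_addr, claimed_since = parse_rrvs(value)
    except (TypeError, ValueError):
        return "reject: malformed " + HEADER
    if claimed_addr != rcpt:
        return "accept"  # the claim concerns a different recipient
    if box.valid_since > claimed_since:
        # The address was (re)assigned after the sender last confirmed it:
        # the mail may be a reset link for the previous owner's account.
        return "reject: mailbox changed hands since " + claimed_since.isoformat()
    return "accept"
```

A sending site only gains protection if it actually adds the header, which is the comment's point: every reset-mail sender has to change, not just Yahoo.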


1. Yahoo has official email ids which no longer work (but were functional in the past). Are these also up for grabs? Or, are some email ids "more equal than others"?

2. Websites with paid access. There are people who sign up and do not access these sites for a long time. If the person who signed up with his Yahoo email id no longer uses it (the email id) now, there is the danger of someone claiming that email id and then using the "Forgot password" option on one of these paid websites. Most of them send your password to your email id, or send a link to reset it.

Boom. You now have access to their personal information (and possibly credit card/bank details) as well.

Edit: Even free websites quite often store personal information, for that matter.


The freaking problem with that is that I couldn't retrieve my lost password to my old Yahoo account I used for Flickr in time.

Don't care that much about the Yahoo account, but I don't know what'll happen to my Flickr pics and contacts, which I use once a year. And yes, I still use it.

The daisy-chaining of email addresses that may or may not be active anymore (some due to ISP going out of business) and stupid security questions that I can't remember (who was my freaking favourite author in 2002 ?!) turned this into a real clusterfuck.


As far as I know logging into Flickr will keep your account activated.


Problem is: I can't log in to Flickr because I don't have the credentials to the Yahoo account that I need to sign in to Flickr.


This isn't the first time they've taken this type of action with email account names.

I had an @att.net email address from when I had U-Verse that was essentially Yahoo mail with an ATT address. I thankfully didn't do anything on that account, but I kept it since it was the same user name I have registered on most major webmail services.

I got an email about a year ago that those addresses would be merging with Yahoo, and that my address would now be @yahoo.com. Fine with me, I thought, perfect if I ever wanted to try out Yahoo mail for a spell.

A few months later I get an email about my password being changed. Not good. From there I had about a 15 minute back and forth with someone else trying to get their information (alternate email address, password, security questions, phone number for 2-factor) on the account to lock me out. I prevailed, and in double checking how that person could have gotten access, found something disturbing. This was not my email account. It was mostly dormant, but there were legitimate emails from years ago sent by another person who shares my name.

I contacted Yahoo through their form about such matters, but they never answered. So now I've held on to the address, which I value for preserving my internet identity, but someone else is out of luck in trying to access an account they used sparingly years ago.

This is obviously much worse, as it's intentionally going to result in these types of account ownership issues, but it certainly seems reflective of Yahoo's attitude towards the importance of holding an email address.


I think this could be way worse than the AOL search results debacle... I guess we'll see.


Is it just me or is that an awesomely designed blog page. I'm a fairly decent programmer, but when I see a beautiful page like that I give up all pretenses that I'll ever be more than a barely adequate designer.


:') you just made my day


Glad too! My designs look like utility functions ;-)


Thanks for posting this. I've got several accounts on autopay attached to my yahoo address, but nothing else of note. Re-captured my account after 2 years away.

This would not have been good if it had been given away.


Legitimate question: how can you have accounts on autopay attached to an e-mail address you haven't checked in 2 years?

You have literally not looked at any of the receipts in 2 years? If you've cancelled any of the credit cards, you had no idea that there was an autopay problem? The merchants had no way of contacting you, because you never checked that email?

That doesn't make any sense to me. Or was it just forwarding the emails to the account you do use, or whatnot? In which case, I assume that Yahoo would be sending emails warning of the upcoming account closure, which you could receive and act on?


> You have literally not looked at any of the receipts in 2 years? If you've cancelled any of the credit cards, you had no idea that there was an autopay problem? The merchants had no way of contacting you, because you never checked that email?

For me, this is done through the web interface in almost all cases. Did my hosting account try to charge my credit-card and it was declined? It'll show up in the account dashboard. Do I want to look at my Amazon receipts? They're under Your Account -> Your Orders.

I'm updating some old emails now since I was reminded of it, but generally I don't care about receiving email from websites, so I typically send them to an account I don't check in order to keep them out of my way, and to ensure that if they sell my email, the spam will go there too (in my case it's an old AOL account). A number of sites won't even send you anything via email except "please log in" anyway. For example, when my bank sends me a "bank statement" by email, all it contains is a notification that there is a new bank statement waiting online, if I want to log in and read it. So the email is not needed or useful for services where I already log in regularly.


By watching charges via online banking, and it being a service I use every day with a very small repeating charge (e.g. Pandora). Set it, forget it, reap the benefits. Most services do not require monitoring.

As for warning emails, I had a backup email listed with them, and I have received nothing on either the backup email or the Yahoo email warning of this potential problem.


Yahoo could append a text header in the mail body reminding that it's a recycled email, so caution has to be taken and it should not be trusted upfront. It adds it to the first 10000 mails sent or the first 6 months, whichever comes _last_.

That will be sufficiently annoying so that only people who really want their email back and commit to it will stay.

It's not without flaws but it's a tad better than their current plan.


Imho, the main problem with this is people gaining the accounts, then using them to reset account passwords for services that are not dormant. For example, I use an @msn.com password for my Facebook - I haven't used that email address in years, and haven't checked it in months. If Microsoft announced something similar tomorrow, I would be totally screwed unless I can access the msn.com address, as Facebook doesn't allow you to change email addresses.

This isn't a huge problem for me, as I try to keep up with tech news, but imagine that I'm not subscribed to hacker news, and don't realise what's about to happen to my account, in that case there's no possible way for me to rescue my email in time, and every account I've used it for is compromised.


Facebook doesn't allow you to change email addresses? Really? REALLY? That seems completely unbelievable.


While it could be somewhat better (or would it? People tend to not pay attention to warnings like that) for emails sent from the "claimed" account, it wouldn't help at all to alleviate the issue of email sent to the account.


So the internet doesn't "never forget" after all.

Are the advocates of "right to be forgotten" supporting this?


This is the right to be misremembered.


Just put in my request for jerryyang@yahoo.com on their "wish list" site.

This could be interesting.


Cheeky. But I doubt they'll include that. More than likely, they've whitelisted all Yahoo CEOs/employees/associates/minions and people with "allah" in the name somewhere.[1]

[1] http://en.wikipedia.org/wiki/Yahoo!_Mail#Username_bans


I picked up the mail from my Yahoo address through forwarding, so I have now lost that account. Am not going to bother setting up another.


Why is the text on that page so enormous on an iPad?

http://imgur.com/1gzE8qE


I like it that way (and I don't have an iPad to test it on)


Hope someone grabs Palin's old (compromised) email. This decision by Yahoo is a troll's wet dream.


I'm fairly certain grabbing an unused address doesn't give you the old e-mail...


But you can do password recovery on every service they've ever used with that email and get any private info from that service. Yahoo should define "dormant" as an email that hasn't RECEIVED email in over X years. Also they should lock the dormant email addresses for 5 years before releasing them to new users.


I thought it was going to say after 10 years, but it's just 1 year. Someone at yahoo is on LSD.


> "...and haven’t changed EVERY service they used..."

shudder


And what about all the "forgot your password" forms that might be exploited on other services. Another service you have not been using for a long time sends you a "long time no see" promotion and your old account is in someone else's hands.

I think there have been a lot of lessons lately about why the Internet should not be centralized...

