Yahoo is taking action to clean up inactive accounts, but some fear they may be opening up a new door to clever attackers.
On July 15, any Yahoo email account or Yahoo ID that has not been logged into for more than a year will be freed up to be acquired by another user. The idea is to give Yahoo’s “loyal users and new folks” the chance to sign up for the Yahoo ID they want.
“If you’re like me, you want a Yahoo! ID that’s short, sweet, and memorable like [email protected] instead of [email protected],” blogged Jay Rossiter, senior vice president of platforms at Yahoo. “A Yahoo! ID is not only your email address, it also gives you access to content tailored to your interests – like sports scores for your favorite teams, weather in your hometown, and news that matters to you.”
“In mid July, anyone can have a shot at scoring the Yahoo! ID they want,” he continued. “In mid August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got.”
For those users who want to hold on to their account IDs, all they need to do is log in to their account before July 15.
There is, however, some concern that Yahoo’s plan may have security implications.
“If Yahoo reuses inactive IDs, the most damage will be done through the password reset feature which is implemented on many sites on the Internet,” said Tommy Chin, technical support engineer at CORE Security. “To steal an account, register a Yahoo account that’s inactive which is already being used as a registered e-mail address on a third party site. Then, search for a variety of popular third party websites and utilize the password reset feature to send the password to a reused Yahoo account.”
“Accounts around the web will get owned in very little time once a script gets developed to automate this attack,” he said.
An example of a similar attack was outlined by a team of researchers from Rutgers University, who argued in a paper that it was possible for an attacker to abuse Microsoft’s Hotmail account expiration policy to access a victim’s Facebook account.
According to the researchers, Microsoft retires Hotmail accounts that haven’t been used in 270 days and allows other users to ask to be assigned to those accounts. In the study, after reactivating the email accounts, the researchers said they were able to use Facebook’s default password recovery mechanism to take over control of the corresponding Facebook accounts.
When contacted by SecurityWeek, a Yahoo spokesperson said the company is “committed and confident” in its ability to handle this process safely.
“It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them,” the spokesperson said. “Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.”
“To ensure that these accounts are recycled safely and securely, we’re doing several things,” the spokesperson continued. “We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.”
Upon deactivation, Yahoo will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties, the spokesperson added.
“As the number of users increases, there will be a need to recycle and reuse information at some point,” said David Britton, vice president of industry solutions at 41st Parameter. “In terms of security risk related to data protection, the risk should be low if the provider companies – like Yahoo in this case – simply delete all data originally associated with any dormant accounts, so that when they redistribute the username it will have absolutely no data behind it – assuming that is what they do. So there should be no risk to new users having access to the previous owner’s data.”