Yahoo ID Recycling Plan Raises Security Concerns

Yahoo is taking action to clean up inactive accounts, but some fear they may be opening up a new door to clever attackers.

On July 15, any Yahoo email account or Yahoo ID that has not been logged into for more than a year will be freed up to be acquired by another user. The idea is to give Yahoo’s “loyal users and new folks” the chance to sign up for the Yahoo ID they want.

“If you’re like me, you want a Yahoo! ID that’s short, sweet, and memorable like [email protected] instead of [email protected],” blogged Jay Rossiter, senior vice president of platforms at Yahoo. “A Yahoo! ID is not only your email address, it also gives you access to content tailored to your interests – like sports scores for your favorite teams, weather in your hometown, and news that matters to you.”

“In mid July, anyone can have a shot at scoring the Yahoo! ID they want,” he continued. “In mid August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got.”

For those users who want to hold on to their account IDs, all they need to do is log in to their account before July 15.

There is, however, some concern that Yahoo’s plan may have security implications.

“If Yahoo reuses inactive IDs, the most damage will be done through the password reset feature which is implemented on many sites on the Internet,” said Tommy Chin, technical support engineer at CORE Security. “To steal an account, register a Yahoo account that’s inactive which is already being used as a registered e-mail address on a third party site. Then, search for a variety of popular third party websites and utilize the password reset feature to send the password to a reused Yahoo account.”

“Accounts around the web will get owned in very little time once a script gets developed to automate this attack,” he said.

An example of a similar attack was outlined by a team of researchers from Rutgers University, who argued in a paper that it was possible for an attacker to abuse Microsoft’s Hotmail account expiration policy to access a victim’s Facebook account.

According to the researchers, Microsoft retires Hotmail accounts that haven’t been used in 270 days and allows other users to ask to be assigned to those accounts. In the study, after reactivating the email accounts, the researchers said they were able to use Facebook’s default password recovery mechanism to take over control of the corresponding Facebook accounts.

When contacted by SecurityWeek, a Yahoo spokesperson said the company is “committed and confident” in its ability to handle this process safely.

“It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them,” the spokesperson said. “Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.”

“To ensure that these accounts are recycled safely and securely, we’re doing several things,” the spokesperson continued. “We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.”

Upon deactivation, Yahoo will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties, the spokesperson added.

“As the number of users increases, there will be a need to recycle and reuse information at some point,” said David Britton, vice president of industry solutions at 41st Parameter. “In terms of security risk related to data protection, the risk should be low if the provider companies – like Yahoo in this case – simply delete all data originally associated with any dormant accounts, so that when they redistribute the username it will have absolutely no data behind it – assuming that is what they do. So there should be no risk to new users having access to the previous owner’s data.”
