Yahoo Defends Decision to Deactivate/Reassign Unused Mail IDs

LOS ANGELES—At first blush it seemed like a non-event—Yahoo wants to free up email accounts that have been inactive for 12 months or more and let other people use them—but some observers expressed immediate alarm, and the ramifications quickly started to sink in. Before long, Yahoo had posted a defense of its decision, but not a reversal.

The initial announcement was made around June 12, with a planned start date of July 15 to begin deactivating and reassigning dormant addresses. By June 19, however, both Wired and responsys.com were raising a series of red flags about how bad an idea Yahoo was about to put into practice.

Kevin Senne for responsys.com listed a number of privacy concerns associated with the planned reassignment, adding, “Giving access to Personally Identifiable Information (PII) is the most dangerous aspect of this transition. If you now have access to an email address someone used as the sign-in for a website, they have all the tools needed to gain access to the old user’s account information. Someone could visit a site where the old address holder had an account, click the ‘forgot password link’ and now be mailed a new password. You know the log-in is the email address, and now you have the password. The danger here is real for sites that allow email address as a log-in and only verify ownership by possession of that email account. There is no way for Yahoo! to police this action because they have no knowledge of activity using that address outside their environment.”

Over at Wired, Matt Honan commented, “This may have seemed like a good way to get people to log in again, or to try to convert new users to a groovy Yahoo address. But it’s a terrible idea. It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods… The bottom line is that unless it rethinks this policy, this is going to lead to a social engineering gold rush come mid-July.”

On June 21, Yahoo issued a statement acknowledging that the “announcement did not go down well with many users and security experts for obvious reasons. There would be strong chances of the released IDs being misused by scammers.”

It then defended the decision, adding, “Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

“To ensure that these accounts are recycled safely and securely,” Yahoo continued, “we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”
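Yahoo’s plan puts the burden on the receiving sites: a merchant that gets a deactivation notice or a bounce for an address, and later a password-reset request for the same address, has to connect the two. The following is an added illustration of how a relying site could do that; it is not Yahoo’s code or any site’s real implementation, and the notice format, the `Account` record and the `ResetPolicy` class are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed model of a relying site's user record: the site knows only the
# login email and when it last confirmed that this user controlled the address.
@dataclass
class Account:
    email: str
    email_verified_at: datetime

@dataclass
class ResetPolicy:
    # Hypothetical store of provider deactivation notices (Yahoo said it would
    # notify merchants on deactivation): lower-cased address -> time of notice.
    deactivation_notices: dict = field(default_factory=dict)
    # Hard bounces seen during the provider's 30-day deactivation window.
    hard_bounces: dict = field(default_factory=dict)

    def record_deactivation(self, email: str, when: datetime) -> None:
        self.deactivation_notices[email.lower()] = when

    def record_bounce(self, email: str, when: datetime) -> None:
        self.hard_bounces[email.lower()] = when

    def may_email_reset_link(self, account: Account) -> tuple:
        """Decide whether a reset link may be mailed to the account's address.

        The link is sent only if nothing indicates the address changed hands
        after the user last proved control of it; otherwise the site should
        fall back to another recovery channel rather than trust the mailbox.
        """
        key = account.email.lower()
        deactivated = self.deactivation_notices.get(key)
        if deactivated is not None and deactivated > account.email_verified_at:
            return False, "deactivation notice postdates last verification"
        bounced = self.hard_bounces.get(key)
        if bounced is not None and bounced > account.email_verified_at:
            return False, "hard bounce postdates last verification"
        return True, "ok"

# Constructed timeline matching the dates in the article.
POLICY = ResetPolicy()
POLICY.record_deactivation("old.user@example.com", datetime(2013, 7, 15))
POLICY.record_bounce("dormant@example.com", datetime(2013, 7, 20))

OLD_HOLDER = Account("old.user@example.com", datetime(2013, 1, 10))   # verified before recycle
NEW_HOLDER = Account("old.user@example.com", datetime(2013, 9, 1))    # re-verified after recycle
DORMANT = Account("dormant@example.com", datetime(2012, 11, 3))       # only a bounce on record
```

The same address is refused for the account verified before the notice and allowed for one verified after it, so a legitimate new holder who registers afresh is not blocked while the old holder’s account is steered to a different recovery path.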

There will surely be blow-back if scammers are able to slip through Yahoo’s safety net in substantial numbers, especially if the damage wrought in terms of stolen identities and fortunes extends far beyond Yahoo’s ability to fix on its own, but it looks as though that is a risk Yahoo is prepared to take.