Yahoo recycled ID users warn of security risk

Yahoo users who got recycled account IDs said they’ve found a security risk — they are receiving emails containing the personal information of former account owners InformationWeek.com reported Tuesday.

The users told the news site that initially, they were receiving junk mail for the Yahoo ID’s previous owner, but then other mail with sensitive information started showing up. This included account information, confirmation for appointments and flights, and event announcements. The old owners must still be giving out the email address without knowing they no longer have access to the account.

One user, an IT security professional named Tom Jenkins, described the potential for identity theft as, “kind of crazy”:

“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”

We’ve contacted Yahoo for a comment and will update if we hear back. The company told InformationWeek that it takes the “security and privacy of our users very seriously,” and has received complaints from “a very small number of users who have received emails through other third parties which were intended for the previous account holder.” It continues to ask other companies, the ones sending the emails, to verify accounts by adding a date-specific marker.

Yahoo began releasing recycled IDs in late August, after giving users a month to login to their accounts and stake their claim. Yahoo shut down any accounts that hadn’t been logged in for more than a year, and then put the usernames up for grabs.

After the initial announcement the company adamantly defended its security process for the switch, with Dylan Casey, Yahoo’s senior director of Consumer Platforms, telling CNETthat it was “very, very foolproof.”

Casey had said that the recycled accounts were inactive and “a very small number” were receiving emails at all. He described a processes that stopped password retrieval emails from being sent to accounts, but did note that there’s no guarantee it could stop everything from going through. While Yahoo can prevent former users from accessing their old accounts, it has to reply on third party companies to put in measures to prevent new users from seeing emails meant for the original ID owners.

Read more: Yahoo recycled ID users warn of security risk

Print Friendly, PDF & Email

Author: Travis Esquivel

Travis Esquivel is an engineer, passionate soccer player and full-time dad. He enjoys writing about innovation and technology from time to time.

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *