I warned earlier this year of Yahoo’s moronic plan to allow users’ email addresses to be stolen.
In a nutshell, if you hadn’t logged into your Yahoo account for 12 months, they decided that they would make it available for any other person to grab the username – and receive any subsequent emails that the email address was sent.
Yahoo said that it was “committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data”.
Unfortunately, now the system is in place, it doesn’t appear to be working so well.
According to Information Week, the new owners of some of these recycled Yahoo Mail addresses *are* receiving emails clearly intended for the original holders.
IT services professional Tom Jenkins was one of the owners of a recycled Yahoo account who reported problems that raised privacy and security concerns.
Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder’s Boost Mobile service, which included the account and pin numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”
Yahoo appears to be acknowledging that there is a problem, telling reporters that it is rolling out a new “Not my email” button to the new owners of recycled accounts.
Apparently this will help Yahoo learn what emails aren’t intended for the new owner of the old, recycled email address.
Because we can definitely trust all the owners of the recycled accounts to be as honest as Tom Jenkins, and not exploit the private, personal information that they are being sent, right?
[fx: hits head against wall]
The truth is that this button doesn’t deal with the fundamental security problem with what Yahoo did.
The fact that Yahoo has had to roll out this new button says to me that it knows it has failed to deliver this intitiative “in a way that’s safe, secure and protects [its] users’ data.”
None of this would have happened if Yahoo hadn’t initiated the reckless, harebrained scheme in the first place. They should be ashamed of this fundamentally flawed scheme which is not just half-baked, but downright reckless.