Yahoo attempts (and fails) to defend its crazy email plan

The story so far…

Yahoo came up with a (quite frankly) moronic plan, telling users that if they hadn’t logged into their Yahoo account in the last 12 months, and didn’t log in by July 15th 2013, the company was going to give other people the chance to grab the account.

I and other commentators thought the idea was terribly stupid from the security point of view for a variety of reasons.

Not unexpectedly, Yahoo’s PR team has gone into overdrive as it saw the negative reaction caused by its announcement.


Let’s take a close look at what they’ve said in their PR statement, sentence by sentence:

Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users.

Well, let’s be honest, Yahoo is also hoping that users might return to their site after ignoring it for years, and rediscover all the wonderful features of Yahoo.

We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data.

Protecting the data, eh? Okay, we’ll come back to that.

It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them.

In which case, why doesn’t Yahoo exclude any accounts which have a mailbox, and not put them up for grabs by others?

Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.

Right. So, when you said “protects our users’ data” what you actually meant was delete it.

I mean, it’s good that you won’t allow the new account holder to read any past emails that the account has received, but it seems that they *will* be able to receive any *future* email the account receives. And that’s quite a problem.

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists.

Well, that’s only useful to people who might send the account an email during those 30 days. It doesn’t provide any use to the person who owns the email account that is on Yahoo’s recycle-list, does it?

In fact, what you have done by bouncing a message back is told the sender that the email address is potentially available for grabbing – a nice tip-off for an identity thief, and no good at all to the account’s true owner.

We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.

In other words, bad news if you allowed your Yahoo account to slip into deactivation and wanted to resuscitate it during those 30 days. Yahoo has decided to unsubscribe you from your newsletters and mailing lists. They haven’t told you this, of course. If you do manage to get your account back again, you’ll have to resubscribe to those lists and fill in the gaps yourself.

Wouldn’t it have been better if Yahoo had just left the accounts alone in the first place?

Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Hang on a minute. Let me get this straight. Yahoo is going to contact many, many websites *all* around the world which *might* have had the deactivated Yahoo accounts registered with them?

Ha ha ha. No, stop it. Puhleeze… Oh you Yahoo guys, you’re so funny…

I’d like to see Yahoo provide a list of all the sites they plan to contact with this list of email addresses that are potentially up for grabs.

I imagine that’s quite a long list of websites that could have had accounts created on them. After all, Yahoo wouldn’t forget to include any sites would it… I mean, it’s a search engine so it probably has a grasp on how many websites there are out there, right?

And, umm, aren’t there some slight risks in contacting – let’s say, x million – websites with a long list of Yahoo IDs and email addresses that are being deactivated and available for anyone to claim? Heaven knows how the websites themselves are supposed to respond.

To be clear – I don’t have a problem if Yahoo wants to close unused accounts if they haven’t been used for – say – 12 months, so long as they have clearly communicated that to the user at sign-up as one of the conditions. After all, that could be a big incentive to buy a professional account with an extra “no closure” guarantee.

But I *do* think it’s idiotic to then allow a complete stranger to grab the email address – and potentially see future emails that were meant only to be seen by the original owner.

Admit it Yahoo. This whole idea of yours is half-baked, and sounds utterly impossible to pull off competently.

You should throw your plan away in the trash can where it belongs.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Yahoo attempts (and fails) to defend its crazy email plan”

  1. jerry p

    this is definitely stupid. maybe we should another group e-mail service.
    Jerry P.
