Watch out! Yahoo has a moronic plan to let someone steal your email address

Yahoo says that if you haven’t logged into your Yahoo account for 12 months, and *don’t* log in by July 15th, they’re going to give other people the chance to grab it.

Yahoo announcement

What a terribly stupid idea.

Here are some scenarios which you may like to consider.

Sign up to our free newsletter.
Security news, advice, and tips.

Scenario One

Imagine that years ago you created yourself a Yahoo address, registered some third-party web accounts using your new Yahoo address, but subsequently decided to use Gmail or Hotmail as your primary email account instead.

Maybe you haven’t had any reason to log into Yahoo for quite a while..

So, what is going to happen when you forget the password for one of those third-party web accounts, and you ask it to send your registered email address a password reset/reminder?

Tough luck. Yahoo has given your email account to someone else, and potentially they might be able to get up to mischief with your other web account…

Scenario Two

What if you have used your old email address as an archive – you may not have needed it in the last year, but who’s to say that you might not want to access some of its content (emails and photos from since-deceased relatives and the like) in the future?

Scenario Three

Alternative email addresses are good for security.

For instance, when websites ask “Give us an alternative email address in case we need to contact you another way”.

Many websites ask you to supply them with alternative email addresses they can use to contact you should there be an emergency, or if you have been locked out of your account.

Bad luck if your alternative email address was a dusty old Yahoo account, and if Yahoo has long since handed it over to a complete stranger.

YahooOnce an email address has been registered that should be it. Finito.

You didn’t get the email address you wanted? Tough luck – you should have moved faster in the gold rush. Yahoo doesn’t know where its email addresses are being used elsewhere on the web – all it knows is if anyone has been actively logging into the account and sending emails from it.

There is a real risk that many people will *never* realise that the clock is ticking and that they could be about to lose control of their Yahoo ID.

Wouldn’t it be a heck of a lot friendlier (but less commercially interesting to Yahoo) if the company asked people to *opt-in* to giving up their Yahoo ID for others? Of course, Yahoo knows it will have a lot fewer email addresses available to offer afresh if it does that.

Yes, this initiative will encourage some people to log back into their dormant Yahoo accounts and *maybe* they’ll like what they see there… but it’s an underhand way of getting people to re-engage with the site.

In short: as an idea it sucks, and it shows Yahoo’s lack of respect to customers who created accounts with them in years gone by.

Further reading: Yahoo attempts (and fails) to defend its crazy email plan


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “Watch out! Yahoo has a moronic plan to let someone steal your email address”

  1. Seriously Yahoo, this totally undermines customers trust in a product. If I have a dozen email account and only use two that's my choice due to those two providers showing they were reliable and easy to use, if you change and exceed their qualities I'll use you more I'm not costing you money, you are not losing money and the bottom line is the only people who'll scramble for Yahoo email addresses that come up will ironically be spammers & scammers, and how will they register, with disposable email to grab legit addresses I'm guessing.

  2. Graeme

    I don't see why this is yahoo's problem. I also don't understand why the author is picking on yahoo, hotmail does the same as do many other free providers. Provided they email every one of those accounts I don't see how it is any different to cancelling a prepay phone number that is not being used any longer (no one picking on phone companies reusing phone numbers).

  3. "Thanks I just sent out a billion PASSWORD GRABBING emails out"
    – BEWARE of phishing, don't login by clicking on an email
    – log in by typing the yahoo address into the address bar

  4. Samantha Dega

    define use.
    seriously yahoo! define use.

  5. tashi

    i dont see the security risk here! if they havent logged in a year, then clearly they have moved to a different better provider (i.e. google)

    1. Graham CluleyGraham Cluley · in reply to tashi

      What if they were using Yahoo as an email archive, or if it was an "emergency backup address" used in conjunction with other online accounts?

      1. Kapeita · in reply to Graham Cluley

        This thing it's going to happen july 2014 or it has already started???

        1. Graham CluleyGraham Cluley · in reply to Kapeita

          They already did it. :(

      2. alex · in reply to Graham Cluley

        You can always update your backup email addresses; sure
        it's a time-consuming process, but possible nonetheless.
        Moreover, if you haven't logged into your account in ages,
        what chances are there that you would be able to recover the
        password in the first place.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.