Yahoo proves it has a reckless and moronic attitude to email security

Graham Cluley

I warned earlier this year of Yahoo’s moronic plan to allow users’ email addresses to be stolen.

In a nutshell, if you hadn’t logged into your Yahoo account for 12 months, they decided that they would make it available for any other person to grab the username – and receive any emails subsequently sent to that address.

The company, headed by Marissa Mayer who has proved herself to have a lax attitude to security recently, attempted to defend its bizarre decision but – in my opinion – failed to convince.

Yahoo said that it was “committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data”.


Unfortunately, now the system is in place, it doesn’t appear to be working so well.

According to Information Week, the new owners of some of these recycled Yahoo Mail addresses *are* receiving emails clearly intended for the original holders.

IT services professional Tom Jenkins was one of the owners of a recycled Yahoo account who reported problems that raised privacy and security concerns.

Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder’s Boost Mobile service, which included the account and pin numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.

“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”

Yahoo appears to be acknowledging that there is a problem, telling reporters that it is rolling out a new “Not my email” button to the new owners of recycled accounts.

Yahoo - Not My Email

Apparently this will help Yahoo learn what emails aren’t intended for the new owner of the old, recycled email address.

Because we can definitely trust all the owners of the recycled accounts to be as honest as Tom Jenkins, and not exploit the private, personal information that they are being sent, right?

[fx: hits head against wall]

The truth is that this button doesn’t deal with the fundamental security problem with what Yahoo did.

The fact that Yahoo has had to roll out this new button says to me that it knows it has failed to deliver this initiative “in a way that’s safe, secure and protects [its] users’ data.”

None of this would have happened if Yahoo hadn’t initiated the reckless, harebrained scheme in the first place. They should be ashamed of this fundamentally flawed scheme which is not just half-baked, but downright reckless.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

20 comments on “Yahoo proves it has a reckless and moronic attitude to email security”

  1. Scott

    The problem is, they are dealing with this as if it was a nuisance issue with the new users, not a security issue with the old users.

    1. Rich · in reply to Scott

      Just keep in mind that these are STALE and UNUSED accounts.

      What Yahoo is saying is that they don't want people taking an email account, then never using it again except as a 100% disposable account.

      Registering Paypal to a Yahoo account, then never checking the Yahoo account again or a banking site to a Yahoo account that one never uses.. that doesn't sound like a realistic argument.

      I sense that those who are crying foul (including the author) are more interested in making noise.

      1. Graham Cluley · in reply to Rich

        See for perfectly legitimate examples of why folks might have Yahoo mail accounts that they don't regularly access.

      2. Pore · in reply to Rich

        I sense you are an idiot

        1. Cody · in reply to Pore

          Pore, close. Not quite there though. Rich is (dangerously) ignorantly naive and risks himself and his identity, finances, and well, everything about his life. Let's all hope he doesn't maintain ANY network or ANY family member's (or friend's) computers, devices of any type or otherwise any thing with private information that is not his and only his (ideally he should have someone else deal with his private information though, given how dangerous his suggestion is). But maybe one of these days someone won't make enough noise for him and he'll get a clue. By then it's too late though.

          Here's some noise for him, however.

          Rich, did it ever occur to you that maybe some people USED to use the account REGULARLY and actually forgot about it, lost their password and could never get it back (or forgot they had information of value, or are unaware of risks when abandoning the account… Or maybe even they didn't think Yahoo would be so stupid enough to do such a thing as they have done), or… ? It's more common than you would think. And as Graham already mentioned, there are other reasons. And let's not forget that those reasons are MANY (similar is a company foolishly believing that they are safe from a compromised network all because they have one layer of defence before a layer that has a critically flawed component, as if security has EVER been one layer only that matters).

          You know, unless you're a robot who has an owner with a weird agenda (that is feeding you REALLY FOOLISH information), as a human, you're bound to the same flaw the rest of us have: we make mistakes. Even if you were a robot the fact of the matter is you would have been made by a human which has the same flaw I just mentioned. Why is it that you are bound to this flaw? REPEAT AFTER ME: NO ONE IS PERFECT! And what are malicious humans going to abuse? Exactly, they will make much use of any and all mistakes that their targets have made – be it mistakes out of ignorance, making a decision at the wrong time or even from being fooled (social engineering, anyone?).

      3. jobewan · in reply to Rich

        If this assumption is accurate, then Yahoo! policy makers have mistaken themselves for being the customer/audience/market/etc. There is hardly a story (if any) of a commercial business failing, that does not include this indicator. In addition, I sense that you are a plant. Perhaps even Ms.

      4. DavID · in reply to Rich

        "What Yahoo is saying is that they don't want people taking an email account, then never using it again except as a 100% disposable account."

        Then Yahoo! (as it was called) should have made it unavoidably clear up front that they would do that. And Yahoo account holders would have been avoided even more than AOL ones, because only reckless fools would have used a Yahoo address for anything important. (Even email address collecting websites would probably not have accepted Yahoo! addresses.)

  2. Erik Bigelow

    Once you get the emails from the previous person and start getting their messages, you'll start finding out where the previous person had accounts. Go to those sites. Try to log in. Hit "Forgot Password"… Profit? Well, if it's banking information that's definitely a viable option.

  3. SB

    Surely this is smashing all known privacy

  4. Joe Flambe

    Funny, since cellphone carriers recycle their phone numbers quicker and if you are lucky, you won't receive phone calls from debt collectors or patrol officers in your city that don't relate to you.

    1. Pore · in reply to Joe Flambe
      1. Cadbury Moose · in reply to Pore

        In the case of Yahoo! it's lemons all the way

      2. Richard Gadsden · in reply to Pore

        Two factor authentication by text message.

  5. jobewan

    It appears that Ms. Mayer was thrust into management directly from software development. Since that transition took place in 2001, it is very doubtful that she operated in an arena that was aware of, much less embraced, DevOps. Which might have been the only palpable security orientation she might have been exposed to as a developer, which is unlikely to have occurred. Or so I say. It does not appear from the current pattern of behavior, that any material and subsequent security awareness has germinated in the interim. I am of course trying to be as kindly and gentle as the idiocy in question might allow.

  6. csmith

    I have a similar problem about 5-7 times per day. I have a gmail address like csmith. Apparently there are 1000s of companies that will add people's email address to their accounts (and mailing lists) – including Virgin Mobile, Chase Credit card, Allstate, DISH, Macy's, Walmart, Control prepaid Mastercard, TurboTax etc. So you have a ton of people who have email addresses like csmith1234, but forget and enter it without the numbers or the people at the store miss the numbers when typing it.

    These companies send no opt-in confirmation email and just start sending account information right away. They provide no method of even informing them of their mistake, let alone worrying about their privacy policies.

    Between the NSA and the security stupidity of the developers of many of these sites, it is surprising there are not more data thefts.

  7. Dan

    I think Yahoo is lying. They said that all inactive emails will be made available to register after July 15th. Well there is an email that I want to register that has already been "deactivated" and yahoo says "it's in the process of recycling the email account". I mean what the heck? They don't even seem to do what they said they do, which is recycle emails. How many months would I need to wait before they recycle that particular email?

  8. Mike

    I am here to say that Yahoo couldn't have done more to damage how I feel about them. I used my yahoo email to set up various web accounts. I only found out my email had been recycled by an account that claimed my yahoo email was now invalid. I tried logging into my yahoo email only to find I had been 'recycled'. I felt sick as so many of my web accounts can be accessed using my yahoo email. A total stranger can learn all about me with a simple password reset. So I called yahoo. They informed me my yahoo email is deactivated and will be recycled. They also told me that my email address has not yet been given out. I told yahoo I want my email back. They said, we can't do that. Apparently my email address is in some black hole called 'being recycled' and they have no control over when it will become available. So now I am on a 'wishlist' for my own email address and can only pray I get it back before a total stranger does. Meanwhile I am frantically trying to update my web accounts with a valid email address. This has been a joy – like with Craigslist that requires confirmation emails from both the old and new emails in order to update your account. Needless to say I hate Yahoo for this. If I wasn't so concerned about a total stranger getting the email I have used for years to set up all my web accounts, I would dump them forever. As it stands, they are charging me $1.99 for the honour and hope of getting back my email before some random person does. Whoever decided on the policy of recycling Yahoo emails is a real piece of work.

    1. Mike · in reply to Mike

      Btw, I should also have mentioned that yahoo has been 'scanning and analyzing' the email of its users since June 2013. This invasive practice has been forced on all Yahoo mail users who have, as a result, been openly stripped of email privacy. You can opt out of the targeted ads but you cannot opt out of the scanning and analyzing of everything you write and receive. What do we really know about how yahoo analyzes our emails, what they do with the analysis, etc.?

      I mention this because Yahoo has 'recycled my email' in complete disregard for my user security. But should I be surprised when their new, forced scanning policies reveal such a complete disregard for my privacy?

      Both these new Yahoo policies were implemented around mid-2013. Both show a curious disregard for user security and user privacy. Upon reflection, maybe the silver lining in this email recycling fiasco is that I am finally motivated to find another email provider that doesn't violate my privacy or security. When you think about it, these forced policies are wholly unacceptable. Why do so many Yahoo users accept this? How would we all feel if someone actually stood over our shoulder reading our email and taking notes. We would freak out!

  9. marmot777

    This is OT but related, why would DuckDuckGo, who seems to own the word private web browsing, enter an alliance that casts doubt on their priorities? When I think of DuckDuckGo, I think of people committed to doing it right, even if it means taking a pass on revenue sources that don't align with their values. Their primary asset is trust. An alliance with Yahoo will cause enough doubt to cause them harm. Why would they do this? And I get there's money involved but their trust is worth more. I bet they lose talent and energy, starting… Maybe it's started already.

    And I picture a Yahoo user as Uncle Charlie who finally switched his AOL over to Yahoo. There's absolutely nothing wrong with that. Not everyone has to care a lot about technology. How's Yahoo helping Uncle Charlie by teaming up with a duck?

    I'm sure there must be something I don't understand, crucial information, an angle I'm missing here. I realize both parties must see value in the deal and they're smart. What's going on with this?

  10. DavID

    Brad Fitzpatrick, developer of LiveJournal, was the creator of the original OpenID authentication protocol. Supposedly LiveJournal then ruined the potential of OpenID by similarly recycling LiveJournal user names. So, as with Yahoo accounts, you couldn't tell if it was the same person that previously had that LiveJournal account. (Although OpenID might have confirmed that the person, e.g. logging in to your website, is the owner of that account.)

    If these practices aren't illegal, I feel they should be. (Are there laws somewhere against aiding and abetting identity theft or email theft?) Anyway I won't be sad if companies are fatally sued for such practices.
