Yahoo ID-Recycling Plan ‘Stupid,’ Say Security Experts

Yahoo’s recently announced plan to recycle unused IDs has stirred up a hornet’s nest in the security community, with one tech journalist predicting a “gold rush” of identity theft.

However, most of the concern revolves around email addresses, which are often tied in to other accounts around the Internet and hence could be used to take over those accounts. 

Yahoo insists that, in fact, only 7 percent of the potential stock of dormant IDs is tied to Yahoo Mail accounts. The rest, a company spokesman told Reuters, is for non-email Yahoo services, such as fantasy sports leagues.

“We’re going to extraordinary lengths to ensure that nothing bad happens to our users,” Yahoo director Dylan Casey told Reuters.

The ID-recycling plan, unveiled last week, would clean the stables of unused accounts to free up desirable ID names for current users.

“If you’re like me, you want a Yahoo! ID that’s short, sweet and memorable, like instead of,” wrote Jay Rossiter, senior vice president of platforms, in a posting on recent Yahoo acquisition Tumblr.

“So how are we making these Yahoo! IDs available? We’re freeing up IDs that have been inactive for at least 12 months by resetting them and giving them a fresh start.”

Owners of dormant Yahoo IDs have until July 15 to log in and keep their IDs active. Otherwise, the dormant IDs will be released to new users Aug. 15.

Security experts pointed out that the interconnectedness of Internet accounts makes this, in the words of former Sophos security researcher Graham Cluley, “a terribly stupid idea.”

“Imagine that years ago, you created yourself a Yahoo address, registered some third-party Web accounts using your new Yahoo address, but subsequently decided to use Gmail or Hotmail as your primary email account instead,” Cluley said.

“So what is going to happen when you forget the password for one of those third-party Web accounts, and you ask it to send your registered email address a password reset/reminder?” he asked. “Tough luck. Yahoo has given your email account to someone else, and potentially they might be able to get up to mischief with your other Web account.”

Such a scenario did in fact happen to Wired writer Mat Honan, whose entire online life melted down in August 2012 when hackers tricked Apple into revealing his Apple ID, then leveraged that to take over his Google and Twitter accounts as well.

Honan, too, had few kind words for the Yahoo scheme, calling it “a spectacularly bad idea.”

“Someone who uses a Yahoo email address solely as a backup for Gmail, and thus hasn’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address,” Honan wrote. “You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”

“Unless [Yahoo] rethinks this policy,” Honan concluded, “this is going to lead to a social engineering gold rush come mid-July.”

In response to Honan, the company outlined steps it would take to deter identity theft.

“We will have a 30-day period between deactivation and before we recycle these IDs for new users,” Yahoo’s statement said. “During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.

“Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”

That sounds nice, but hardly foolproof. Casey conceded as much to Reuters.

“Can I tell you with 100 percent certainty that it’s absolutely impossible for anything to happen?” he said. “No.”

There is, perhaps, an obvious solution.

If the security concerns are mainly with the Yahoo IDs tied to Yahoo Mail addresses, and such IDs are truly only 7 percent of the potential stock of dormant IDs, then why doesn’t Yahoo remove IDs tied to Yahoo Mail addresses from the pool of recyclable IDs altogether?

That way, Yahoo would have 93 percent of what it needs — and there wouldn’t be much of a downside.

TechNewsDaily reached out to Yahoo for comment. In response, a Yahoo representative sent us the same statement the company had previously given to Honan.

This story was provided by TechNewsDaily, a sister site to . Follow Paul Wagenseil @snd_wagenseil. Follow us @TechNewsDaily, on Facebook or on Google+.
