

Log in to Yahoo by July 15th to keep your email address - uladzislau
http://yahoo.tumblr.com/post/52805929240/yourname-yahoo-com-can-be-yours/?

======
midnitewarrior
This is a terrible idea!

I have a month to compile a list of the most popular first and last names and
popular e-mail names and get a bot ready to register them all.

Once registered, I can then attempt password recovery for these @yahoo.com
email addresses at the most popular web sites across the Internet that rely on
established identities (ebay.com?).

If JamesSmith@yahoo.com ever used his yahoo id to register an account on
EBAY.com, or with another online service, now is my chance to try to steal his
online accounts by requesting password resets on these services and assuming
his identity.

Now, to build a bot that will do this thousands of times!

Sites with 2 factor authentication may be immune to this, but these identities
will now be unrecoverable to somebody who has used his @yahoo address as his
recovery e-mail address, even if he doesn't check it often.

~~~
harryh
The people that work at Yahoo are not stupid. They will surely have a process
in place to prevent a single person from sucking up all the short/popular
email names.

Even if that person wasn't doing it for nefarious purposes that would
completely defeat Yahoo's whole goal here of getting these names in the hands
of users who actually want to use them.

~~~
dmoney
Never attribute to stupidity that which can be explained by indifference.

------
joshfraser
This is a terrible idea. People will be able to claim Yahoo IDs and use them to
take over other people’s identities with a few password resets. I have a Yahoo
email address simply as a backup for GMail. Just because I don't sign in very
often doesn't mean that it is safe to hand over to someone else!

~~~
purephase
But a year? Come on.

~~~
raldi
What if, five years ago when you signed up for purephase1234@gmail.com, you
listed purephase1234@yahoo.com as your recovery address?

Now, thanks to this move by Yahoo, your Google account is in danger of being
compromised.

~~~
purephase
Which, honestly, is kind of a dumb move on Google's part. I was never a fan of
that recovery address process. The 2-factor auth they've implemented since is
much better.

------
brianwillis
This is a fantastic idea, and I wish other services (I'm looking at you
Twitter) would follow suit. Your Yahoo ID becomes a part of your identity when
using their service, so it seems reasonable that people will feel happier and
be more inclined to use Yahoo's stuff when they have an ID that they feel good
about and aren't embarrassed to share with their friends.

~~~
michaelmior
Twitter used to do this upon request. I assume they stopped because a manual
process was too time-consuming.

~~~
UVB-76
I emailed Twitter four years ago with such a request, and got this response:

 _> Twitter is not currently releasing inactive user names. Unless your user
name issue involves Terms of Service violations, you'll have to wait until all
inactive user names are released. We're working on a better long term solution
for this, and we should have more news soon._

Four years later, the username I want(ed) has had no more activity, and that
"long term solution" is nowhere to be seen.

~~~
michaelmior
Weird. I could have sworn it was sometime within the past four years that I
emailed Twitter asking for a username and they granted it to me pretty much
instantly.

------
numbers
Let me be the only one who thinks this is actually not a bad idea. I have a
very typical name, very commonly used, and on almost every popular email
service (gmail, hotmail, yahoo), I've tried registering a few varieties of my
first.last@gmail.com or even first.last.birthyear@gmail.com and it's almost
always taken.

If you think your identity could be stolen because of an unused email address,
it might be your fault that's going to happen. Why would you register with an
inactive email address and not check it? Email addresses seem like the main way
for most people to log in; if you have multiple, you must at least check them
for something once every six months.

This announcement only says that they will remove those that haven't logged
into their account in the last 12 months. Seems like a very long time in
internet time.

~~~
cecilpl
In 2002 I made a paypal account with my yahoo email address. I attached my
bank account to it, the same one I still use.

I haven't used that paypal account or that email address in years. A while
back I realised the folly of this and removed as much information as I could
from the account.

But, what if I'd just forgotten about it? Now anyone who registers my (common)
yahoo email, attempts a password reset on the popular websites, can drain my
bank account.

------
austenallred
If this isn't the sign of a product with declining use, I don't know what is.
Of course it isn't news that few people use Yahoo mail anymore, but the fact
that it's worth it to Yahoo to turn those emails off is interesting.

~~~
tagold
This is way worse than just disabling unused old accounts and, say, deleting
emails stored there. Yahoo is going to "resell"(1) these accounts. This will
create all kinds of privacy problems, and potential for abuse: gaining access
to other services through resetting passwords there, impersonating users,
people receiving private communications not intended for them, etc. And all
this for what purpose? To let a few lucky ones get a coveted email address like
jonny@yahoo.com instead of jonny_m35@yahoo.com?

(1) "Resell" is not quite the accurate word here as they are going to give it
for free, but I can't come up with a better word.

~~~
rgbrenner
reuse

~~~
tagold
Thought about it, but it doesn't sound quite right either: Yahoo didn't use these
identities, it provided them to the users. Anyway I don't want to be pedantic
here, just as long as it was clear what I tried to say, and nobody
misunderstood that I accuse Yahoo of literally selling its user accounts to a
third party, I am happy. :)

------
tsm
I'm now terrified about what 7-year-old accounts I have that used an @yahoo
for password resets. Bank: clear. Facebook: clear. Gmail: clear. Guess it
won't be too bad.

I thought about snagging something short and nice (like my initials) just for
kicks, but...am really not sure what I'd do with the account after I had it.

------
purephase
Seems reasonable to me. It's a free service and if you haven't used it in over
a year then it's up to you to preserve it.

I think the title of this post could be amended to make it a little more
reflective of the actual post.

------
fps
I logged in and, after re-activating my long dead email address, was greeted
by two full height tower animated banner ads. I clicked around for a few
seconds and got a nearly full screen animated ad. Yep, now I remember why I
stopped dealing with Yahoo.

------
daimyoyo
I feel conflicted about this. On one hand, I haven't logged in to my yahoo
account for several years so I clearly don't "need" it but on the other I
don't want to have someone steal my username. I think the fact that yahoo is
so desperate to get people back on their platform that they're willing to
resort to this tactic should be very unsettling to anyone with a vested
interest in the company as a long term investment.

~~~
pdb123
Yahoo should be desperate. After fading into irrelevance for the past decade
they need to make unusual/risky decisions to have any hope of turning that
around.

------
neilkelty
Any recommendations on how I can identify any accounts that I've registered on
Yahoo over the years? I don't _think_ that I've sent anything important to
them that would still be emailing sensitive information, but can't be sure -
as I never planned for the scenario in which they'd essentially turn access to
my email over to a third party.

------
neilkelty
Won't this mean that anyone with the new account will immediately be drowned
with all the spam of whoever had that account before?

~~~
humbledrone
What's much much worse than the spam from the original account holder is the
fact that you might receive private personal communications from them. E.g.
some long-lost friend could conceivably have you in their address book and
choose to get back in touch.

Also, what about other accounts on the web that are linked to the email
address? Many web sites allow you to reset your password by proving that you
own the email address a user was originally registered with.

This seems like a spectacularly bad idea on Yahoo's part. I can't make any
sense of it.

------
gus_massa
A few years ago Yahoo! erased my mail account because I hadn't logged in for 3
months. It was my secondary mail account, so in some periods I didn't use it.
It happened twice! After the second time I never bothered to create the email
account again, I went to Gmail. They continue to do this kind of thing, so
it's difficult to trust Yahoo!.

------
nano111
I have lost my Rocketmail email address this way after it was purchased by
Yahoo in 1997.

------
laureny
I wish web sites would allow me to specify a separate email address
specifically for password recovery. This would make my account much more
secure.

Regular: foo@gmail.com

Password recovery: foo.special.admin.email@gmail.com

------
darrenkopp
What about other services that use Yahoo! ID? What happens to flickr accounts?
I don't care about yahoo mail, but I do care about flickr.

~~~
ebabcock1
Unused Yahoo ids are going to be recycled. Yahoo Mail is just one of the
services tied to your Yahoo id. Just sign in to Yahoo with your Yahoo id to
save it and your email from being recycled.

------
Esifer
Microsoft already does this with hotmail.

------
parennoob
I wonder if this could lead to an open invitation for people to hack into
accounts based on services that use your email address as a primary key for
your identity.

e.g. Joe Public hasn't logged into joe.public@yahoo.com for a year because he
has taken a year off to live in a Buddhist monastery. So Eve goes in and signs
up for that address, without any malicious intent.

Fast forward to a week later, when Eve signs up for CatNip, a website for
sharing cat pictures. It says "You are already signed up for this service.
Click here to send a password reset link to your email!" Eve can't resist the
allure, and clicks through.

One click later, Eve has access to all of Joe Public's cat pictures on CatNip.
(Even though she didn't really sign up for the address with the express
intention of getting them.)

------
MostAwesomeDude
This is quite common in large online games where accounts often sit unused,
having only a few hours of total hours logged over years.

~~~
midnitewarrior
This is a great strategy for gaming systems, a terrible strategy for accounts
used as identity management and password recovery vectors.

Let's say JamesSmith@yahoo.com used this email address long ago as his ebay
recovery address, but really doesn't use his @yahoo account any more. I can
register JamesSmith@yahoo.com, and use ebay's account recovery option to
assign the ebay account a new password for an ebay account I have now stolen.

This scenario isn't possible with an online game account name, as game
accounts aren't used to recover bank passwords or other important account
passwords.

