
Thanks For The Identity Theft, Yahoo - b0ing
http://b0ing.me/thanks-for-the-identity-theft-yahoo/
======
crazygringo
I agree that this is a _terrible_ move, in theory. But in actual practice, I'm
not convinced it will be so bad.

Because if you're not using that Yahoo account for e-mail anymore, then you're
probably not using it as a sign-in or password recovery e-mail for your
banking, Facebook, or anything else important -- because the whole point is,
everything that's actually important to you, you're using your current e-mail
address. After all, that's where important account notifications go, credit
card receipts, bank statements, password resets, etc. -- things which are
necessary for you to see.

Of course you'll likely have a bunch of accounts you forgot even existed on
random sites you signed up for in the past, with your old Yahoo e-mail
address. Most of them will be harmless -- who cares if someone gets access to
some random sports forum you once posted on.

The biggest risk I can see is that 1) the new owner chooses to be malicious,
2) successfully locates a site that sends out password-recovery emails with
the original passwords in plaintext, which the specific user has an account
on, 3) knows the original user's current valid address, 4) tries the old
password on the user's new address they use with banking/etc., and it works.
But the risk of this would appear to be so small, that it's just lumped in
with all the other kinds of "identity theft" weaknesses that already exist
(guessing security questions, etc.).

(And then, there's scamming on whatever social networks or forums the old
e-mail address had an account on. Although it seems like Facebook etc. is
protecting against that? And it's not like spoofing e-mails/accounts is
anything new.)

As long as Yahoo is giving significant heavy warning to the e-mail accounts
themselves, and months' worth of time -- well if you never check your free
e-mail account, it's not unreasonable to expect that it might be deactivated
someday. Annoying, but not unreasonable. And if you use the same password for
your Facebook, banking, etc. as you did for other random sites you signed up
for years ago, then that's a security risk regardless of what Yahoo does.

~~~
reginaldo
What about when someone uses their old email address as the password recovery
email for the _new_ email address? I agree with _Silhouette_ in that I hope
they follow through with this... It will surely be fun to watch, and also
people will become a little bit more security conscious.

------
jonahx
I clicked on the link expecting it be alarmism, but this legitimately boggles
the mind.

~~~
b0ing
I definitely did a little title baiting, but I think it's justified in this
case. This is a monumental cock-up.

~~~
rlwolfcastle
Sure, a few people will lose their identity, but millions will get good email
addresses!

~~~
michaelxia
and don't forget: access to yahoo's amazing webmail client, IMAP and SSL/TLS
support, free mail forwarding, and much more!

------
Silhouette
I am always wary of collateral damage arguments, but in a greater-good sense,
I almost hope Yahoo do go ahead with this. It's such an obviously bad idea,
and enough people probably would suffer significantly as a result, that it
might just raise public awareness of why things like good security practices
and privacy and data protection matter, and that it _can_ "happen to them",
even many years in the future, if they don't take care of how they behave and
who they trust today.

Hopefully, Yahoo would also find themselves vulnerable to at least one of the
obvious legal attack vectors and wind up paying out a small fortune in
compensation to make good on losses due to identity theft and/or frauds
committed using false identities they supported. This could be an educational
lesson for a lot of businesses that don't take privacy and data protection
seriously today because collecting everything you possibly can about everyone
is seen as almost pure upside with little real cost or risk.

------
somesay
Well, the Internet is dynamic isn't it? Other services are already freeing
inactive accounts, email or e.g. Twitter handles, and think of changing mail
service owners and domain changes, too. And why should a service hold an email
forever, just because someone registered it and maybe was never even using it?

Isn't the real problem that users and services put too much trust in plain
email addresses? Especially when accounts are outdated? Crypto might help here
someday in the future.

We could even say: Isn't it your fault that you didn't keep track of which
services you used that email for? Or that you lost your password? Why blame
Yahoo for that?

~~~
nolok
Because for better or worse, email has become the de facto identity identifier
on the web. If you allow people to grab emails that used to be owned by
someone else, you effectively allow them to own their identity on every
website where they registered with that email in the past.

And while some other email providers do the same, it's particularly bad with
yahoo because they are such a huge and longstanding provider, they have tons
of email, some that are a decade old, and a lot owned by people who are not
very technical or who don't check their email very often.

~~~
somesay
Still, we can't blame Yahoo for that, right? We can't blame them for people's
Internet incompetence. We can't blame them for the limited scope most service
developers have.

As a user, I have to update the email address I use, and other services should
delete inactive accounts, too. Or at least notify inactive users. I know,
especially the latter option is more or less nonexistent. But also think of
all the data that users have no access to because of lost passwords etc. I'd
rather see that deleted.

Also, if Yahoo is doing things right, they would only delete accounts with no
activity for a serious amount of time, e.g. no access, not even POP3 since
over 2 years.

~~~
nolok
You can't blame Yahoo as-in "they are technically and legally allowed to do
that".

But on the other hand, Yahoo is a falling behemoth that is trying to earn
itself a new image; and doing such a stupid move can and will earn them the
mark that they still "don't get it", and rightly so.

~~~
somesay
I never talked about the legal part. Of course it is legal since their terms
might likely allow this.

I just don't see it that wrong like you do. I wonder, if there is an
argumentation to really call them stupid. And I don't even think this is
relevant referring to their image.

As you said, this only affects people who aren't either informed about
computer topics, don't know they had a Yahoo mail at all or who simply
reregister their old mail address.

------
eksith
Yahoo of all companies should know what type of users still retain their
emails and what type has moved on.

I had set up my mom's email on Yahoo (cause Gmail didn't exist and Hotmail,
freshly bought by MS, was rubbish). She had a habit of entering it into
everything and it was soon unusable. We went over online browsing and safety,
but not before her private info ended up on a dozen or so spammy sites. That
was more than 10 years ago.

There's no way to reset the password for that thing, since backup emails
weren't present plus IT WAS MORE THAN 10 YEARS AGO! Also, she doesn't have a
Facebook page, doesn't want a Facebook page and will likely never get one in
the future. She's done handing out her info to people she doesn't know.

I'm sure some of her info is still on it, but if Yahoo goes through with this,
there will be hell to pay.

------
mvikramaditya
Am I missing something? You only lose accounts which you are not using,
correct? It is easy enough to avoid losing the account by logging into it
once. If you have lost access to the account, you can go ahead and reclaim the
same account back through this scheme, if I am not mistaken. Could someone
please explain why people are getting so worked up about this issue?

~~~
Silhouette
_Could someone please explain why people are getting so worked up about this
issue?_

Because having your identity stolen can pretty much destroy your life, or at
the very least cause you a great deal of suffering for many months. This
change would mean a tiny oversight from many years ago could allow those
things to happen.

It's also a paradise for fraudsters and charlatans, who will have a bountiful
source of new identities to build on if they can just find someone who has
since died or can otherwise be assumed not to need an old account any more.

------
natch
To top it off, their password reset for existing users is completely broken
now. I don't mean "poorly designed," I mean it is simply not working.

When I tried to reset a password recently, I got "your password is too weak"
for every password I tried, including very long randomly-constructed not-
previously-used passwords resembling line noise. This after carefully making
sure both entries of the password matched. Multiple times. The form simply
does not allow the user to proceed, and it gives false reasons. It is broken.

~~~
smutticus
I just changed my Yahoo password without any issue. It was incredibly straight
forward for me.

~~~
natch
That's great that it worked for you, thanks so much for sharing. I'll try
again.

------
10dpd
Wow imagine this scenario:

I sign up for a service using my Yahoo email account. I don't use my Yahoo
account for a year. Someone gains access to my email address. That person
enters my email address into a forgot password field. _Boom_ They now have
access to my service.

As another poster stated, the mind boggles.

~~~
ams6110
It's a valid scenario, but I was starting to think quite unlikely. If I get a
new jrandom@yahoo.com address, I would have to know who that account used to
belong to and on which online services it might have been used. If I'm in
Boston and the old "jrandom" was in Atlanta, I'd have to first figure that out
and then figure out what bank he used, and be lucky enough that he had not
updated his email there. And websites like banks and other financial services
require more than just an email address to get a password reset. You need to
answer some "secret questions" etc.

But I grew up before Facebook and other social networking fads. I still don't
use those services. So I sometimes forget how easy it is to get a very good
life history on someone by just searching their email address, very possibly
including the answers to typical "secret questions" like your pet's name,
where you went to elementary school, etc. and maybe I can even get some clues
about what bank they use.

So it really might not be too far-fetched a concern. Still I think it somewhat
unlikely that an email account tied to a lot of social networking activity is
itself going to be dormant. But it's possible. Maybe the person has the
account forwarded to another address and never logs in directly. Would that
count as "dormant" ??

Before issuing an account, Yahoo themselves should be sure it's not forwarded,
and search for any associated internet content, especially on social media. If
an account has not been used in years, AND internet searches for that account
turn up nothing, it might be safe to reissue it.

~~~
jiggy2011
A lot of websites send "monthly newsletter from <site>.com" type emails.
Ironically it's the avoidance of such emails that often causes people to use
throwaway yahoo accounts.

Once these start appearing in the inbox, the new owner can just do a password
reset on these sites.

------
harywilke
This is gobsmackingly awful. Their 'relax, we won't let people use this to
hijack accounts on other services' solution is to check incoming email for a
new header. A new header that Yahoo invented.[1] Good luck getting every web
based sign up site with email password reset to update their email service.

1\. [http://www.wired.com/threatlevel/2013/07/yahoo-
email/](http://www.wired.com/threatlevel/2013/07/yahoo-email/)
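The header that comment refers to (the name is not on this page; it is the Require-Recipient-Valid-Since header Yahoo proposed in 2013, later published as RFC 7293) works by letting the sending site stamp a mail with the date it last confirmed the address belonged to its user, so the receiving provider can refuse delivery if the mailbox changed hands after that date. The following is an added illustration, not code from the linked post, Yahoo, or any real mail service; the service name, the mailbox record, and the fail-closed handling of a malformed header are assumptions made for the example. It covers both the password-reset scenario raised upthread (a dormant address receiving a reset link) and the header check this comment describes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Header name as published in RFC 7293 (Yahoo's proposal); value is
# "<recipient address>; <RFC 5322 date-time>".
HEADER = "Require-Recipient-Valid-Since"


@dataclass
class Mailbox:
    """Provider-side record (assumed shape): who holds the address now and
    since when. A recycled address gets a fresh owner_since on reissue."""
    address: str
    owner_since: datetime


def build_reset_email(to_addr: str, address_confirmed_at: datetime) -> EmailMessage:
    """Sender side (the web service): a password-reset mail stamped with the
    date the service last confirmed this address belonged to its user."""
    msg = EmailMessage()
    msg["From"] = "noreply@example-service.test"   # hypothetical sender
    msg["To"] = to_addr
    msg["Subject"] = "Password reset"
    msg[HEADER] = f"{to_addr}; {format_datetime(address_confirmed_at)}"
    msg.set_content("Use the link in this mail to reset your password.")
    return msg


def parse_rrvs(value: str):
    """Split 'addr; date' into (lowercased address, aware datetime).
    Raises ValueError/TypeError on a malformed date."""
    addr, sep, date_str = value.partition(";")
    if not sep:
        raise ValueError("missing ';' separator")
    return addr.strip().lower(), parsedate_to_datetime(date_str.strip())


def should_deliver(msg: EmailMessage, mailbox: Mailbox) -> bool:
    """Receiver side (the mail provider): deliver unless the sender's
    'valid since' date predates the current owner taking over the address."""
    value = msg.get(HEADER)
    if value is None:
        return True  # sender made no claim; ordinary delivery
    try:
        addr, valid_since = parse_rrvs(value)
    except (ValueError, TypeError):
        # Assumption for this example: a sender that asked for the check but
        # sent garbage gets a bounce rather than delivery to an unknown owner.
        return False
    if addr != mailbox.address.lower():
        return True  # claim is about a different recipient; not our call
    return mailbox.owner_since <= valid_since


def demo():
    """Run the scenario from the thread: a reset mail for an account created in
    2008 arrives at an address that was recycled to a new owner in 2013."""
    confirmed = datetime(2008, 6, 1, tzinfo=timezone.utc)
    original_owner = Mailbox("jrandom@yahoo.com", datetime(2005, 1, 1, tzinfo=timezone.utc))
    new_owner = Mailbox("jrandom@yahoo.com", datetime(2013, 7, 15, tzinfo=timezone.utc))

    reset = build_reset_email("jrandom@yahoo.com", confirmed)
    plain = EmailMessage()          # a mail from a site that never adopted the header
    plain["To"] = "jrandom@yahoo.com"
    broken = EmailMessage()
    broken[HEADER] = "jrandom@yahoo.com; not a date"

    return (
        should_deliver(reset, original_owner),  # True: same owner as in 2008
        should_deliver(reset, new_owner),       # False: address changed hands
        should_deliver(plain, new_owner),       # True: no header, no protection
        should_deliver(broken, new_owner),      # False: malformed claim, fail closed
    )


if __name__ == "__main__":
    print(demo())
```

The third case is the point of the comment: the check only helps when the sending site has been updated to emit the header, and a reset link from a site that has not is delivered to whoever holds the address now.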

------
pdevr
1\. Yahoo has official email ids which no longer work (but were functional in
the past). Are these also up for grabs? Or, are some email ids "more equal
than others"?

2\. Websites with paid access. There are people who sign up and do not access
these sites for a long time. If the person who signed up with his Yahoo email
id no longer uses it (the email id) now, there is the danger of someone
claiming that email id and then using the "Forgot password" option on one of
these paid websites. Most of them send your password to your email id, or send
a link to reset it.

Boom. You now have access to their personal information (and possibly credit
card/bank details) as well.

Edit: Even free websites quite often store personal information, for that
matter.

------
johnchristopher
The freaking problem with that is that I couldn't retrieve in time my lost
password to my old yahoo account I used for flickr.

Don't care that much about the yahoo account but I don't know what'll happen
to my flickr pics and contact I use once in a year. And yes, I still use it.

The daisy-chaining of email addresses that may or may not be active anymore
(some due to ISP going out of business) and stupid security questions that I
can't remember (who was my freaking favourite author in 2002 ?!) turned this
into a real clusterfuck.

~~~
johnpowell
As far as I know logging into Flickr will keep your account activated.

~~~
johnchristopher
Problem is: I can't login into Flickr because I don't have the credentials to
the yahoo account that I need to sign in to Flickr.

------
mdbennett
This isn't the first time they've taken this type of action with email account
names.

I had an @att.net email address from when I had U-Verse that was essentially
Yahoo mail with an ATT address. I thankfully didn't do anything on that
account, but I kept it since it was the same user name I have registered on
most major webmail services.

I got an email about a year ago that those addresses would be merging with
Yahoo, and that my address would now be @yahoo.com. Fine with me, I thought,
perfect if I ever wanted to try out Yahoo mail for a spell.

A few months later I get an email about my password being changed. Not good.
From there I had about a 15 minute back and forth with someone else trying to
get their information (alternate email address, password, security questions,
phone number for 2-factor) on the account to lock me out. I prevailed, and in
double checking how that person could have gotten access, found something
disturbing. This was not my email account. It was mostly dormant, but there
were legitimate emails from years ago sent by another person who shares my
name.

I contacted Yahoo through their form about such matters, but they never
answered. So now I've held on to the address, which I value for preserving my
internet identity, but someone else is out of luck in trying to access an
account they used sparingly years ago.

This is obviously much worse, as it's intentionally going to result in these
types of account ownership issues, but it certainly seems reflective of
Yahoo's attitude towards the importance of holding an email address.

------
b0ing
I think this could be way worse than the AOL search results debacle... I guess
we'll see.

------
michaelwww
Is it just me or is that an awesomely designed blog page. I'm a fairly decent
programmer, but when I see a beautiful page like that I give up all pretenses
that I'll ever be more than a barely adequate designer.

~~~
b0ing
:') you just made my day

~~~
michaelwww
Glad to! My designs look like utility functions ;-)

------
falcolas
Thanks for posting this. I've got several accounts on autopay attached to my
yahoo address, but nothing else of note. Re-captured my account after 2 years
away.

This would not have been good if it had been given away.

~~~
crazygringo
Legitimate question: how can you have accounts on autopay attached to an
e-mail address you haven't checked in 2 years?

You have literally not looked at any of the receipts in 2 years? If you've
cancelled any of the credit cards, you had no idea that there was an autopay
problem? The merchants had no way of contacting you, because you never checked
that email?

That doesn't make any sense to me. Or was it just forwarding the emails to the
account you do use, or whatnot? In which case, I assume that Yahoo would be
sending emails warning of the upcoming account closure, which you could
receive and act on?

~~~
mjn
_You have literally not looked at any of the receipts in 2 years? If you've
cancelled any of the credit cards, you had no idea that there was an autopay
problem? The merchants had no way of contacting you, because you never checked
that email?_

For me, this is done through the web interface in almost all cases. Did my
hosting account try to charge my credit-card and it was declined? It'll show
up in the account dashboard. Do I want to look at my Amazon receipts? They're
under Your Account -> Your Orders.

I'm updating some old emails now since I was reminded of it, but generally I
don't care about receiving email from websites, so I typically send them to an
account I don't check in order to keep them out of my way, and to ensure that
if they sell my email, the spam will go there too (in my case it's an old AOL
account). A number of sites won't even send you anything via email except
"please log in" anyway. For example, when my bank sends me a "bank statement"
by email, all it contains is a notification that there is a new bank statement
waiting online, if I want to log in and read it. So the email is not needed or
useful for services where I already log in regularly.

------
ldng
Yahoo could append a text header in the mail body reminding that it's a
recycled email, so caution has to be taken and it should not be trusted
upfront. It adds it to the first 10000 mails sent or the first 6 months,
whichever comes _last_.

That will be sufficiently annoying so that only people who really want their
email back and commit to it will stay.

It's not without flaws but it's a tad better than their current plan.

~~~
14113
Imho, the main problem with this is people gaining the accounts, then using
them to reset account passwords for services that are not dormant. For
example, I use a @msn.com password for my facebook - I haven't used that email
address in years, and haven't checked it in months. If microsoft announced
something similar tomorrow, I would be totally screwed unless I can access the
msn.com address, as facebook doesn't allow you to change email addresses.

This isn't a huge problem for me, as I try to keep up with tech news, but
imagine that I'm not subscribed to hacker news, and don't realise what's about
to happen to my account, in that case there's no possible way for me to rescue
my email in time, and every account I've used it for is compromised.

~~~
ams6110
Facebook doesn't allow you to change email addresses? Really? REALLY? That
seems completely unbelievable.

------
davidvaughan
So the internet doesn't "never forget" after all.

Are the advocates of "right to be forgotten" supporting this?

~~~
denzquix
This is the right to be misremembered.

------
peterkelly
Just put in my request for jerryyang@yahoo.com on their "wish list" site.

This could be interesting.

~~~
eksith
Cheeky. But I doubt they'll include that. More than likely, they've
whitelisted all Yahoo CEOs/employees/associates/minions and people with
"allah" in the name somewhere.[1]

[1]
[http://en.wikipedia.org/wiki/Yahoo!_Mail#Username_bans](http://en.wikipedia.org/wiki/Yahoo!_Mail#Username_bans)

------
moocowduckquack
I picked up the mail from my yahoo address through forwarding, so have now
lost that account. Am not going to bother setting up another.

------
thedrbrian
Why is the text on that page so enormous on an iPad ?

[http://imgur.com/1gzE8qE](http://imgur.com/1gzE8qE)

~~~
b0ing
I like it that way (and I don't have an iPad to test it on)

------
tater
Hope someone grabs Palin's old (compromised) email. This decision by Yahoo is
a troll's wet dream.

~~~
ceejayoz
I'm fairly certain grabbing an unused address doesn't give you the old
e-mail...

~~~
mieses
But you can do password recovery on every service they've ever used with that
email and get any private info from that service. Yahoo should define
"dormant" as an email that hasn't RECEIVED email in over X years. Also they
should lock the dormant email addresses for 5 years before releasing them to
new users.

------
re_todd
I thought it was going to say after 10 years, but it's just 1 year. Someone at
yahoo is on LSD.

------
Splendor
> _"...and haven’t changed EVERY service they used..."_

shudder

------
_sabe_
And how about all the "forgot your password" forms that might be exploited on
other services. Another service you haven't been using for a long time sends
you a "long time no see" promotion and your old account is in someone else's
hands.

I think there have been a lot of lessons lately about why the Internet should
not be centralized...

