Yahoo Recycled Emails: Users Find Security Surprises

Original source: http://www.informationweek.com/security/vulnerabilities/yahoo-recycled-emails-users-find-securit/240161646?pgno=1

Some Yahoo users who took advantage of recycled IDs report they’re getting emails intended for the old account holders — including personal data.

by Kristin Burnham – Senior Editor, InformationWeek.com

When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he’s had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.

“I had tried periodically to obtain this email address, but I was never able to do it,” Jenkins said in an interview. “I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting.”

In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder’s Boost Mobile service, which included the account and pin numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.


Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.

“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding,” Jenkins said. “The identity theft potential here is kind of crazy.”

Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.

On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn’t have been a problem, Harris said, if it weren’t for the misdirected emails he suddenly started receiving.

“I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable,” Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.

In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder’s name and address.

“It seemed odd to me that this email was coming from all over. It’s clear that while the owner supposedly hadn’t logged in in a while, she was still actively giving out that email address,” Harris said.

They’re not alone: Scott Newman, a Web developer, also signed up for one of Yahoo’s recycled IDs. “I thought it was a cool idea because when you’re standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had,” he said.

Personal emails intended for someone else began arriving within the first day of account usage, Newman said.

“It started off with some stuff from catalogs and clothing companies and I thought, ‘That’s fine, I’ll just unsubscribe.’ I figured I’d have to deal with a little of that,” Newman said in an interview. “But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died — it was nuts.”

Yahoo’s initiative to free up dormant accounts began in mid-June when the company first announced its plan. “Today, I’m excited to share with you our next big push: We want to give our loyal users and new folks the opportunity to sign up for the Yahoo ID they’ve always wanted,” wrote Jay Rossiter, senior VP of platforms, on the company’s Tumblr. A Yahoo ID is a user name that lets you access all of the company’s personalized services, such as messenger, email and more.

Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to login to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.

In July, Yahoo opened up a wish list where users could name their top five choices for a username. Come August, Yahoo would contact them if one of their IDs was available and send them instructions to claim it within 48 hours.

Almost immediately, privacy advocates and security analysts criticized Yahoo’s initiative. Some called it “an underhanded and risky way to get people to re-engage with Yahoo,” while others called attention to the real potential for others to take over people’s identities via password resets and other methods.

Following the criticism, Yahoo released a statement reaffirming its confidence in the initiative and shedding more light on the steps it would take to ensure privacy and security. The company said that personal data and private content associated with the accounts would be deleted and would not be accessible to the new account holder.

“To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”

In July, Yahoo followed up with more details about its security efforts. The company said it would work with businesses to implement a “Require-Recipient-Valid-Since” (RRVS) header. If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, carrying the date on which Facebook last confirmed that the address belonged to its user. The header signals Yahoo to check when the mailbox’s current owner took it over before delivering the mail: if the account changed hands after the date in the header, the email would bounce instead of landing in the new owner’s inbox.
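The exchange described above, as an added example that is not Yahoo’s, Facebook’s or any mail server’s code: a sending service stamps a password-reset message with the RRVS header defined in RFC 7293, and the receiving provider compares the header’s date with the date the mailbox last changed hands. The account table, the addresses and the messages are constructed for this example; the choice to ignore a header it cannot parse is a design choice of the example, not a rule taken from the RFC.

```python
# Added example (not from the article or any mail provider): sender-side and
# receiver-side handling of Require-Recipient-Valid-Since (RRVS, RFC 7293).
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import format_datetime, parseaddr, parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"
UTC = timezone.utc

# Constructed sample account table: the moment the current owner took over each
# mailbox.  A real provider would read this from its account store.
OWNER_SINCE = {
    "nickname@example.com": datetime(2013, 8, 20, tzinfo=UTC),  # recycled ID
    "longtime@example.com": datetime(2005, 3, 1, tzinfo=UTC),   # never recycled
}


def build_reset_mail(recipient, last_confirmed):
    """Sender side: the service records when it last verified that `recipient`
    belonged to its user, so a mailbox recycled after that date is not served."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "no-reply@social.example"        # constructed sender
    msg["To"] = recipient
    msg["Subject"] = "Reset your password"
    # RFC 7293 syntax: addr-spec ";" RFC 5322 date-time
    msg[RRVS] = f"{recipient}; {format_datetime(last_confirmed)}"
    msg.set_content("Use the link below to reset your password.")
    return msg.as_bytes()


def rrvs_verdict(raw, recipient, owner_since=OWNER_SINCE):
    """Receiver side: return (deliver, reason) for one local recipient."""
    msg = message_from_bytes(raw, policy=policy.default)
    hdr = msg.get(RRVS)
    if hdr is None:
        return True, "no RRVS header; normal delivery"
    try:
        addr_part, date_part = str(hdr).split(";", 1)
        addr = parseaddr(addr_part.strip())[1].lower()
        valid_since = parsedate_to_datetime(date_part.strip())
    except (ValueError, TypeError):
        # Example design choice: an unparseable header is ignored rather than
        # used to reject mail.
        return True, "malformed RRVS header ignored"
    if valid_since.tzinfo is None:              # RFC 5322 "-0000": treat as UTC
        valid_since = valid_since.replace(tzinfo=UTC)
    if addr != recipient.lower():
        return True, "header names a different recipient; not applicable"
    since = owner_since.get(recipient.lower())
    if since is None:
        return False, "550 5.1.1 no such mailbox"
    if since <= valid_since:
        return True, "same owner since the sender last confirmed the address"
    # The mailbox changed hands after the sender's confirmation date: RFC 7293
    # rejects with enhanced status code 5.7.17 instead of delivering.
    return False, "550 5.7.17 Mailbox owner has changed"


def sample_scenarios():
    """The three situations the RRVS description implies, on the sample table."""
    jan = datetime(2013, 1, 15, tzinfo=UTC)   # confirmed before the ID was recycled
    sep = datetime(2013, 9, 1, tzinfo=UTC)    # re-verified after the ID was recycled
    return {
        "recycled, confirmed before handover":
            rrvs_verdict(build_reset_mail("nickname@example.com", jan), "nickname@example.com"),
        "recycled, re-verified after handover":
            rrvs_verdict(build_reset_mail("nickname@example.com", sep), "nickname@example.com"),
        "never recycled":
            rrvs_verdict(build_reset_mail("longtime@example.com", jan), "longtime@example.com"),
    }


if __name__ == "__main__":
    for case, (deliver, reason) in sample_scenarios().items():
        print(f"{case}: {'deliver' if deliver else 'bounce'} ({reason})")
```

The check only protects messages whose sender adds the header, which is why the 30-day deactivation window, the bounce-backs and the unsubscribe step described in Yahoo’s statement still mattered for every other sender; the misdirected receipts, timecards and court notices the three users describe all came from senders that had never heard of RRVS.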

Yahoo’s security measures appeared sound in theory, said Gant Redmon, general counsel and VP with privacy and security company Co3 Systems, but failed in practice.

Yahoo’s idea was problematic from the start, Redmon said. “I can understand why Yahoo would want to do it: It’s a legacy email service that they’re trying to turn around and generate more interest in. But the initiative is troublesome,” he said in an interview. “Email has become a primary identifier because no two people are supposed to have the same email address. When you sign up for it, you think it’s yours for life.”

However, Terry Cutler, chief technology officer at IT security company Digital Locksmiths, said he’s surprised that Yahoo’s security measures allowed for such a slip in the examples of Jenkins, Harris and Newman. “Yahoo seems to have done it right,” Cutler said in an interview. “They did the right thing by shutting down accounts for a period of time, which should have helped to clean them up. But something’s clearly not working, and that’s a big problem.”

Though Yahoo’s security measures weren’t effective for everyone, Redmon said the company isn’t liable for the misdirected personal emails. “Businesses are in trouble when they lose personal information they collected and were entrusted with, but that doesn’t fit the Yahoo scenario,” he said. “Yahoo hasn’t lost or disclosed information they shouldn’t have. They’re not responsible for the fact that it was disclosed to a third party — the user is.”

Yahoo performed what Redmon calls a “risk shift”: Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.

In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said that the company has received minimal complaints from recycled-account holders. “We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder,” he said. “We are continuing to work with companies to implement the RRVS email header standard that we published to the [Internet Engineering Task Force].”

Today, Yahoo charges $1.99 for you to request up to five usernames on Yahoo’s Watch List. Jenkins, who signed up when it was free, said that the hassle of dealing with the misdirected email — which totals between six and 10 messages a day, in addition to the “boatloads” of junk email — hasn’t been worth it. He’s considering shutting down his account.

Harris, whose two Yahoo accounts were merged into one, said it took four phone calls and about four hours with Yahoo customer service to separate the two accounts and close the recycled one. “They were really helpful considering it’s a free service, but they had a lot of trouble figuring out how to do it.”

Newman said he’s actively filtering the former account holder’s email with hopes that the volume will eventually decrease. “I’m using the new account mostly for unimportant email because I’d probably go crazy trying to figure out what email is supposed to be mine and theirs,” he said. “It’s kind of disappointing because it’s a great username to have, but I don’t want to work this hard for it. Plus, getting someone else’s mail just feels gross.”

Those peeks into other people’s personal lives leave Newman and Jenkins uneasy about Yahoo’s continuation with recycled accounts, and concerned for others whose accounts may have closed.

“The most distressing part for me is that because I’m a Web developer, I know how easy it could be to reset all their passwords. It’s scary to think about the damage I could do,” Newman said. “Just yesterday I got an email confirmation for an apartment application. I could have canceled someone’s apartment.”

Jenkins said the opportunities for hackers are his biggest concern. “In some ways, the former user should be lucky that I’m getting this email because I would never do anything bad with it. But this whole situation made me nervous about my other email addresses. What happens when I stop using them?”


Terry Cutler

Founder and Chief Technology Officer at Digital Locksmiths, Inc.
Terry Cutler is the founder of Digital Locksmiths, Inc. - an IT security and data defense firm based in Montreal - and serves as the company's Chief Technology Officer. Terry is a Certified Ethical Hacker who has learned the mindset of hackers and trained in the techniques of "the bad guys" who seek to do harm to corporations and individuals alike. He is responsible for staying on top of the latest trends in cybersecurity and being an advocate for best practices in the identification and eradication of vulnerabilities that leave the customers of Digital Locksmiths susceptible to the most dangerous threats. Another one of Terry's roles is to be a thought leader for Digital Locksmiths by sharing his expert insights about effective digital security strategies and countermeasures through his writings, speaking engagements, and media interviews.
