In June this year Yahoo announced that it would deactivate email accounts that had not been used for the past 6 months and make them available to other users. Although the intention was noble, it did not stop security analysts from raising critical security concerns and predicting that problems would surface in the coming days. For instance, what if the previous account holder had signed up for various services? Will the new account holder get those emails? Unfortunately, the recycled accounts have exhibited exactly such problems and proved the analysts right.
An IT security professional, Tom Jenkins, received this in an email, reports NakedSecurity:
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”
Yahoo was very quick to respond to this issue. Their senior director of Consumer Platforms said:
“We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.”
The problem is that the giant firm wasn’t quick enough to acknowledge such problems before rolling out this feature. Notably, Yahoo has offered all its users the option to make a watch-list comprising 5 email IDs they would like to have, for a nominal amount of $1.99. They will be informed as soon as their desired email IDs become available.
As a solution, which makes this whole mechanism even sillier, Yahoo wants other companies to implement Require-Recipient-Valid-Since (RRVS) email headers, which supposedly let the companies know when to pull the plug on an account. Lo and behold, they don’t have any other effective way to tackle this situation just yet.
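How a receiving mail provider could act on the RRVS header mentioned above, as an added example (not Yahoo's code and not part of the original article): the sender states the date since which it has known the recipient, and the provider refuses the message if the mailbox changed hands after that date. The header syntax follows RFC 7293; the function name, the ownership table, the handling of malformed headers and the sample messages are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed data: when each mailbox was assigned to its CURRENT owner.
# A real provider would read this from its account database.
OWNER_SINCE = {
    "recycled@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime@mail.example": datetime(2009, 3, 2, tzinfo=timezone.utc),
}

# Constructed message: a service that last confirmed this user on 1 Jun 2013.
PASSWORD_RESET = (
    "From: accounts@social.example\n"
    "To: recycled@mail.example\n"
    "Require-Recipient-Valid-Since: recycled@mail.example;"
    " Sat, 1 Jun 2013 09:23:01 -0700\n"
    "Subject: Reset your password\n"
    "\n"
    "Follow the link to choose a new password.\n"
)

def rrvs_decision(raw_message, owner_since=OWNER_SINCE):
    """Return 'deliver' or 'reject' for one message, honouring RRVS."""
    msg = message_from_string(raw_message)
    value = msg.get("Require-Recipient-Valid-Since")
    if value is None:
        return "deliver"        # sender made no ownership claim
    addr, sep, date_text = value.partition(";")
    if not sep:
        return "deliver"        # malformed header: ignored (assumption)
    try:
        known_since = parsedate_to_datetime(date_text.strip())
    except (TypeError, ValueError):
        return "deliver"        # unparseable date: ignored (assumption)
    if known_since.tzinfo is None:
        known_since = known_since.replace(tzinfo=timezone.utc)
    assigned = owner_since.get(addr.strip().strip("<>").lower())
    if assigned is None:
        return "reject"         # no such mailbox
    # Ownership changed after the sender last knew the recipient, so the
    # message is meant for the previous account holder.
    return "reject" if assigned > known_since else "deliver"

if __name__ == "__main__":
    print(rrvs_decision(PASSWORD_RESET))  # reject
```

The check only protects mail from senders that add the header, which is why the scheme depends on other companies adopting it.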
If you have an email ID, and you have linked it to your bank accounts or set it as a password recovery option for any of your other accounts, please make sure to log in to it every once in a while.