Security loophole emerges in Yahoo recycled Email IDs

In June this year, Yahoo announced that it would deactivate email accounts that had not been used for the past 6 months and make them available to other users. Although the intention was good, security analysts raised some critical concerns and expected to see them materialize in the coming days. For instance, what if the previous account holder had signed up for various services? Will the new account holder get those emails? Unfortunately, the recycled accounts have exhibited exactly these problems and proved the analysts right.


Tom Jenkins, an IT security professional, received this in an email, reports NakedSecurity.

I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.

Yahoo was quick to respond to this issue; their senior director of Consumer Platforms said,

We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.

The problem is that the giant firm wasn’t quick enough to acknowledge such problems before rolling out this feature. Notably, Yahoo has offered all its users the option to make a watch-list of 5 email IDs they would like to have, for a nominal amount of $1.99. They will be informed as soon as their desired email IDs become available.

As a solution, and this makes the whole mechanism even sillier, Yahoo wants other companies to implement Require-Recipient-Valid-Since (RRVS) email headers, which supposedly let the companies know when to pull the plug on an account. Lo and behold, they don’t have any other effective way to tackle this situation just yet.
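As an added illustration (not code from the original post or from Yahoo), this sketch shows how a receiving mail system could evaluate the Require-Recipient-Valid-Since header field defined in RFC 7293: the sender states the date since which it has known the address owner, and the receiver withholds delivery if the mailbox changed hands after that date. The `OWNER_SINCE` table, the addresses and the sample message are constructed for the example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed data: when each mailbox was assigned to its current owner.
OWNER_SINCE = {
    "recycled@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime@mail.example": datetime(2005, 3, 1, tzinfo=timezone.utc),
}

# Constructed message: a service that last confirmed this address in 2012.
SAMPLE = (
    "From: noreply@service.example\n"
    "To: recycled@mail.example\n"
    "Require-Recipient-Valid-Since: recycled@mail.example;"
    " Tue, 10 Jan 2012 09:00:00 +0000\n"
    "Subject: Password reset\n\n"
    "Reset link inside.\n"
)

def parse_rrvs(value):
    """Split 'addr-spec; date-time' into (address, timezone-aware datetime)."""
    addr, sep, date = value.partition(";")
    if not sep:
        raise ValueError("RRVS field has no ';' separator")
    when = parsedate_to_datetime(date.strip())
    if when.tzinfo is None:          # '-0000' parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when

def delivery_decision(raw_message, rcpt):
    """Return 'reject' if rcpt's mailbox changed owner after the sender's date."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Require-Recipient-Valid-Since", []):
        try:
            addr, valid_since = parse_rrvs(value)
        except (ValueError, TypeError):
            continue                 # this sketch ignores malformed fields
        if addr != rcpt.lower():
            continue                 # field is about a different recipient
        owner_since = OWNER_SINCE.get(addr)
        if owner_since is not None and owner_since > valid_since:
            return "reject"          # mail was meant for the previous owner
    return "deliver"

if __name__ == "__main__":
    print(delivery_decision(SAMPLE, "recycled@mail.example"))
```

The check only helps when the sending service adds the header and the mailbox provider honours it, which is why the scheme depends on third parties adopting it.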

If you have an email ID, and you have linked it to your bank accounts or set it as a password recovery option for any of your other accounts, please make sure to log in to it every once in a while.

Susannah Lindsay quit her job a few years back to settle down in a life of domesticity. She has been living in Los Angeles for the last three years, and enjoys following new gadget releases and the latest happenings on the technological front.


  1. Dan

    Um, is there a particular reason places like Yahoo couldn’t simply just delete/erase accounts from servers if nobody’s using them and a platform is making them available to anyone who wants them…complete with last-known personal details?

  2. That should have logically happened, but for some strange reason, Yahoo decided to release the unused email IDs & usernames.

  3. jensenjs

    There’s no special reason that Yahoo shouldn’t just delete dead accounts.
    They are showing a decent behaviour by alerting the owners of these accounts.
    It shows some kind of good customer care, even though they do not need to with the free accounts.
