Log in to Yahoo by July 15th to keep your email address (yahoo.tumblr.com)
78 points by uladzislau on June 19, 2013 | hide | past | favorite | 59 comments


This is a terrible idea!

I have a month to compile a list of the most popular first and last names and popular e-mail names and get a bot ready to register them all.

Once registered, I can then attempt password recovery for these @yahoo.com email addresses at the most popular web sites across the Internet that rely on established identities (ebay.com?).

If [email protected] ever used his yahoo id to register an account on EBAY.com, or with another online service, now is my chance to try to steal his online accounts by requesting password resets on these services and assuming his identity.

Now, to build a bot that will do this thousands of times!

Sites with 2 factor authentication may be immune to this, but these identities will now be unrecoverable to somebody who has used his @yahoo address as his recovery e-mail address, even if he doesn't check it often.


You're absolutely right. Other services view email as non-transferrable (the "recover my password" feature of almost every website with a login ever is evidence of this). Think of what someone could do if they had access to your email account, even if it's one you haven't used in years.

Someone could turn my life upside down if they had access to the hotmail account that I use to sign up for services that I know will spam me.


Is there anything people can do about that on the service-provider side of it, to limit account compromise via the Yahoo-email-password-reset vector? Short of something like disabling password reset emails to Yahoo addresses, which would cause a different kind of collateral damage?

I've actually run into a few services that won't accept signups from any "free webmail" provider, usually listed as Hotmail/Outlook, Yahoo, and Gmail. I suspect the reason for such policies is worries about spammy new accounts, but the risk of account lapse followed by impersonation might be another reason to favor such a policy. On the other hand, it would also lock out a number of legitimate users who use one of those services as their main or even only email.
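One answer to the service-provider-side question in the comment above (and to the eBay recovery scenario described further down the thread) is for the relying service to refuse to mail a reset link when the mailbox may have changed hands since the user last proved control of it. The snippet below is an added example written for this page, not code from Yahoo, eBay or any commenter. It assumes two things that are hypothetical here: that the mail provider can answer "since when has the current owner held this address?" (stood in for by a constructed in-memory lookup), and that the relying service stores the timestamp of the user's last address verification. The header helper formats the Require-Recipient-Valid-Since field that RFC 7293 (published after this thread) defined to carry exactly that question to the mail provider.

```python
"""Defender-side gate for the recycled-mailbox password-reset vector.

Added example, not from the thread. The ownership lookup and all accounts
below are constructed test data; field and function names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from enum import Enum
from typing import Callable, Dict, Optional


class ResetDecision(Enum):
    SEND = "send the reset link by email"
    REFUSE_RECYCLED = "mailbox changed hands after the last verification"
    REQUIRE_REVERIFY = "owner unknown and verification too old; use another channel"


@dataclass(frozen=True)
class Account:
    username: str
    recovery_email: str
    email_verified_at: datetime  # when the user last proved control of the mailbox


# Hypothetical interface: address -> when its current owner took possession,
# or None if the provider cannot say. RFC 7293's RRVS extension lets the
# provider answer this question itself at SMTP time.
OwnerSinceLookup = Callable[[str], Optional[datetime]]


def evaluate_reset(account: Account, owner_since: OwnerSinceLookup, now: datetime,
                   stale_after: timedelta = timedelta(days=365)) -> ResetDecision:
    """Decide whether a password-reset email may go to account.recovery_email."""
    since = owner_since(account.recovery_email)
    if since is not None:
        # Provider knows the ownership history: if the mailbox was (re)claimed
        # after our user last verified it, a stranger now reads it.
        if since > account.email_verified_at:
            return ResetDecision.REFUSE_RECYCLED
        return ResetDecision.SEND
    # No ownership data: fall back to the age of our own verification record.
    if now - account.email_verified_at > stale_after:
        return ResetDecision.REQUIRE_REVERIFY
    return ResetDecision.SEND


def rrvs_header(address: str, valid_since: datetime) -> str:
    """Build the RFC 7293 header: 'Require-Recipient-Valid-Since: addr; RFC 5322 date'."""
    return f"Require-Recipient-Valid-Since: {address}; {format_datetime(valid_since)}"


# Constructed ownership records standing in for the mail provider's answer.
_UTC = timezone.utc
_CONSTRUCTED_OWNER_SINCE: Dict[str, datetime] = {
    "alice@yahoo.example": datetime(2011, 6, 1, tzinfo=_UTC),
    "bob@yahoo.example": datetime(2013, 8, 1, tzinfo=_UTC),  # re-registered after recycling
}


def demo_lookup(address: str) -> Optional[datetime]:
    return _CONSTRUCTED_OWNER_SINCE.get(address)


def run_demo() -> Dict[str, str]:
    """Run the gate over four constructed accounts as of 2013-08-15."""
    now = datetime(2013, 8, 15, tzinfo=_UTC)
    accounts = [
        Account("alice", "alice@yahoo.example", datetime(2012, 1, 1, tzinfo=_UTC)),
        Account("bob", "bob@yahoo.example", datetime(2012, 1, 1, tzinfo=_UTC)),
        Account("carol", "carol@yahoo.example", datetime(2010, 5, 5, tzinfo=_UTC)),
        Account("dave", "dave@yahoo.example", datetime(2013, 6, 1, tzinfo=_UTC)),
    ]
    return {a.username: evaluate_reset(a, demo_lookup, now).name for a in accounts}


def example_header() -> str:
    return rrvs_header("alice@yahoo.example", datetime(2012, 1, 1, tzinfo=_UTC))


if __name__ == "__main__":
    for user, decision in run_demo().items():
        print(f"{user}: {decision}")
    print(example_header())
```

Only bob's reset is refused outright: his mailbox was claimed on 2013-08-01, after he last verified it in 2012. Carol has no ownership data and a verification older than a year, so the service should fall back to a second factor or a support channel rather than email; alice and dave are sent the link as usual. The one-year threshold is a tunable assumption chosen to match the inactivity window the thread discusses.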


1. Scan DNS registrations for administrators with @yahoo.com addresses

2. Claim as many of those E-mail addresses as you can

3. Hold your newly acquired domains hostage for $$$


There's money in that.

Yahoo better act like they know what they are doing. I'm sure their technical team does, but management doesn't always listen to the engineers, sometimes management just says "MAKE IT HAPPEN."


The people that work at Yahoo are not stupid. They will surely have a process in place to prevent a single person from sucking up all the short/popular email names.

Even if that person wasn't doing it for nefarious purposes that would completely defeat Yahoo's whole goal here of getting these names in the hands of users who actually want to use them.


Never attribute to stupidity that which can be explained by indifference.


How can you be so sure?


That's exactly what I first thought. The fact that they don't get this means that I will not be using their services at all going forward.


Yes, Yahoo attempting to do this makes me seriously question their trustworthiness. I know they are trying hard to reinvent themselves, but this is a serious misstep unless they've got a magic trick to somehow deal with these issues that I am unaware of.

At the very least it will cause confusion. At worst, accounts will get hacked.


This is a terrible idea. People will be able to claim Yahoo IDs and use them to take over other people's identities with a few password resets. I have a Yahoo email address simply as a backup for GMail. Just because I don't sign in very often doesn't mean that it is safe to hand over to someone else!


Wired agrees with you ("a spectacularly bad idea"): http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-ide...


Wow. A 'journalist' that writes an op-ed piece and does not even mention trying to contact the company.


At the bottom of the page: "Wired has reached out to Yahoo for comment."


Notice that it was written by Mat Honan.


This was my first thought. I've seen this done on a large scale with hotmail, where addresses automatically expire after a certain period of disuse.


But a year? Come on.


What if, five years ago when you signed up for [email protected], you listed [email protected] as your recovery address?

Now, thanks to this move by Yahoo, your Google account is in danger of being compromised.


Which, honestly, is kind of a dumb move on Google's part. I was never a fan of that recovery address process. The 2-factor auth they've implemented since is much better.


A year is a very short period of time. Many people have been active on the internet for decades.


What if the person doesn't have access to the internet for a year?


... and Yahoo or any other similarly priced services should know this how?

Meaning, you get what you paid for and if your usage of said service falls outside of an expected range then don't be surprised if your service is suspended.

It's 2013. I feel like this particular lesson should be well established, public domain knowledge but here it is again:

Free data, storage and associated services means that you are the product. If a provider decides to discontinue a particular product line, that really is their prerogative. If you want otherwise, then pay for the services you use and rely on and then you'll have a valid complaint if they are suspended.


They are not discontinuing their product line or even canceling service for some of its customers. What they are doing is effectively transferring online identities they granted from less deserving, from their perspective, users to more deserving ones.

There are a lot of problems with this from both security and moral points of view.


This is a fantastic idea, and I wish other services (I'm looking at you Twitter) would follow suit. Your Yahoo ID becomes a part of your identity when using their service, so it seems reasonable that people will feel happier and be more inclined to use Yahoo's stuff when they have an ID that they feel good about and aren't embarrassed to share with their friends.


Twitter used to do this upon request. I assume they stopped because a manual process was too time-consuming.


I emailed Twitter four years ago with such a request, and got this response:

> Twitter is not currently releasing inactive user names. Unless your user name issue involves Terms of Service violations, you'll have to wait until all inactive user names are released. We're working on a better long term solution for this, and we should have more news soon.

Four years later, the username I want(ed) has had no more activity, and that "long term solution" is nowhere to be seen.


Weird. I could have sworn it was sometime within the past four years that I emailed Twitter asking for a username and they granted it to me pretty much instantly.


I went to sign up for Twitter and found that my usual username was taken by someone with exactly one tweet, from 4 years ago! It's definitely frustrating.


Is it possible that you are using their usual username?


Let me be the only one who thinks this is actually not a bad idea. I have a very typical name, very commonly used, and on almost every popular email service (gmail, hotmail, yahoo) I've tried registering a few varieties of my [email protected] or even [email protected] and it's almost always taken.

If you think your identity could be stolen because of an unused email address, it might be your fault that's going to happen. Why would you register with an inactive email address and not check it? Email addresses seem like the main way for most people to login; if you have multiple, you must at least check them for something once every six months.

This announcement only says that they will remove those that haven't logged into their account in the last 12 months. Seems like a very long time in internet time.


In 2002 I made a paypal account with my yahoo email address. I attached my bank account to it, the same one I still use.

I haven't used that paypal account or that email address in years. A while back I realised the folly of this and removed as much information as I could from the account.

But, what if I'd just forgotten about it? Now anyone who registers my (common) yahoo email, attempts a password reset on the popular websites, can drain my bank account.


If this isn't the sign of a product with declining use, I don't know what is. Of course it isn't news that few people use Yahoo mail anymore, but the fact that it's worth it to Yahoo to turn those emails off is interesting.


This is way worse than just disabling unused old accounts and, say, deleting emails stored there. Yahoo is going to "resell"(1) these accounts. This will create all kinds of privacy problems, and potential for abuse: gaining access to other services through resetting passwords there, impersonating users, people receiving private communications not intended for them, etc. And all this for what purpose? To give a few lucky ones a coveted email address like [email protected] instead of [email protected]?

(1) "Resell" is not quite the accurate word here as they are going to give it away for free, but I can't come up with a better word.


Yahoo is trading a sliver of goodwill from people that can now get their name of choice for incredibly pissed off former users that lost emails they relied on. Just because they haven't logged into them doesn't mean they weren't using them. EX: I use a yahoo email for an ebay account I regularly use, but because of ebay's messaging I never log into yahoo. If I'm not the only person on earth that does this, there will be bad results from this 'house cleaning'.

The point is email addresses aren't just for getting emails, they're used as identities online.

How horrible and shortsighted. Yahoo is actively inviting ill will and complexity.


Reallocate?


reuse


Thought about it, but it doesn't sound quite right either: Yahoo didn't use these identities, it provided them to the users. Anyway I don't want to be pedantic here; just as long as it was clear what I tried to say, and nobody misunderstood that I accuse Yahoo of literally selling its user accounts to a third party, I am happy. :)


Maybe. My perspective is that Yahoo! did some research on why people left, stopped using, or never considered Y! as their mail service. I presume one of the responses is that people dislike non-vanity addresses. Instead of [email protected], the only variations that remain include thomasted110@ or tedthomasemail@. Ugh.

A simple query would show that these vanity addresses are sitting stagnant. A touch of PR and awareness instills or revives interest.

I think an optimistic view is that Yahoo! is willing to cut the fat and take chances on reuniting strayed in addition to inviting new users.


Even leaving all negative consequences of this decision aside for now, it hardly solves anything.

If thomasted110 is the best that's available for now at yahoo, there will be, simplifying a bit, 109 other unhappy users (thomasted1..thomasted109) + tedthomas_xx users + other unhappy Ted Thomases who settled for a different username at yahoo.com.

None of them knows whether tedthomas will be available. Most of them will not even know that this grand redistribution will take place. In the end, if tedthomas is "reused", only one of them will be moderately happy, while the others are no better off.


Yahoo mail was my first mail 15 years ago. But the product hasn't evolved much yet. In my opinion, Yahoo lacks the proper agile culture where products evolve gradually (like google products). Look at yahoo groups, feels like 1999... So they can buy start-ups all they want, yahoo has a cultural problem. Definitely, at least if they want to look relevant.


As a Yahoo, I can say a lot has changed in that regard during the last year.


I'm now terrified about what 7-year old accounts I have that used an @yahoo for password resets. Bank: clear. Facebook: clear. Gmail: clear. Guess it won't be too bad.

I thought about snagging something short and nice (like my initials) just for kicks, but...am really not sure what I'd do with the account after I had it.


Seems reasonable to me. It's a free service and if you haven't used it in over a year then it's up to you to preserve it.

I think the title of this post could be amended to make it a little more reflective of the actual post.


I logged in and, after re-activating my long dead email address, was greeted by two full height tower animated banner ads. I clicked around for a few seconds and got a nearly full screen animated ad. Yep, now I remember why I stopped dealing with Yahoo.


I feel conflicted about this. On one hand, I haven't logged in to my yahoo account for several years so I clearly don't "need" it but on the other I don't want to have someone steal my username. I think the fact that yahoo is so desperate to get people back on their platform that they're willing to resort to this tactic should be very unsettling to anyone with a vested interest in the company as a long term investment.


Yahoo should be desperate. After fading into irrelevance for the past decade they need to make unusual/risky decisions to have any hope of turning that around.


Any recommendations on how I can identify any accounts that I've registered on Yahoo over the years? I don't think that I've sent anything important to them that would still be emailing sensitive information, but can't be sure - as I never planned for the scenario in which they'd essentially turn access to my email over to a third party.


Won't this mean that anyone with the new account will immediately be drowned with all the spam of whoever had that account before?


What's much much worse than the spam from the original account holder is the fact that you might receive private personal communications from them. E.g. some long-lost friend could conceivably have you in their address book and choose to get back in touch.

Also, what about other accounts on the web that are linked to the email address? Many web sites allow you to reset your password by proving that you own the email address a user was originally registered with.

This seems like a spectacularly bad idea on Yahoo's part. I can't make any sense of it.


A few years ago Yahoo! erased my mail account because I hadn't logged in for 3 months. It was my secondary mail account, so in some periods I didn't use it. It happened twice! After the second time I never bothered to create the email account again, I went to Gmail. They continue to do this kind of thing, so it's difficult to trust Yahoo!.


I have lost my Rocketmail email address this way after it was purchased by Yahoo in 1997.


I wish web sites would allow me to specify a separate email address specifically for password recovery. This would make my account much more secure.

Regular: [email protected]

Password recovery: [email protected]


What about other services that use Yahoo! ID? What happens to flickr accounts? I don't care about yahoo mail, but I do care about flickr.


Unused Yahoo ids are going to be recycled. Yahoo Mail is just one of the services tied to your Yahoo id. Just sign in to Yahoo with your Yahoo id to save it and your email from being recycled.


Microsoft already does this with hotmail.


I wonder if this could lead to an open invitation for people to hack into accounts based on services that use your email address as a primary key for your identity.

e.g. Joe Public hasn't logged into [email protected] for a year because he has taken a year off to live in a Buddhist monastery. So Eve goes in and signs up for that address, without any malicious intent.

Fast forward to a week later, when Eve signs up for CatNip, a website for sharing cat pictures. It says "You are already signed up for this service. Click here to send a password reset link to your email!" Eve can't resist the allure, and clicks through.

One click later, Eve has access to all of Joe Public's cat pictures on CatNip. (Even though she didn't really sign up for the address with the express intention of getting them.)


This is quite common in large online games where accounts often sit unused, having only a few total hours logged over years.


This is a great strategy for gaming systems, a terrible strategy for accounts used as identity management and password recovery vectors.

Let's say [email protected] used this email address long ago as his ebay recovery address, but really doesn't use his @yahoo account any more. I can register [email protected], and use ebay's account recovery option to assign the ebay account a new password for an ebay account I have now stolen.

This scenario isn't possible with an online game account name, as game accounts aren't used to recover bank passwords or other important account passwords.


Yes, but it's unlikely that an online game account was associated as the password reset contact account for confidential financial/banking websites.
