Yahoo has gone on the defensive this week, responding to critics who have concerns about a heightened risk for social engineering scams and identity theft that could result from the company’s forthcoming plan to recycle inactive user IDs.
The Sunnyvale, Calif. search engine announced plans last week to clean house and reset IDs that have been inactive for the last 12 months. Under the current plan, on July 15 the company will allow users to claim these old, previously taken usernames.
Critics point out the potential for identity theft being harshly simplified for attackers. For example, if an attacker wanted to compromise a Google account and that account was linked to a Yahoo account, all they’d have to do is send a password reminder email from Google to that Yahoo account to reset the password and gain access.
Dylan Casey, Yahoo’s senior director for consumer platforms, told Reuters that Yahoo is “aware” of the potential identity theft implications with its plan but has “gone through a bunch of different steps to mitigate that concern.” Casey added that only seven percent of the IDs that are inactive are tied to actual Yahoo email accounts.
“[Yahoo] put a lot of thought, a lot of resources dedicated to this project” according to Casey, who went on to rationalize that most of the inactive accounts are linked to user accounts on Yahoo’s Fantasy Sports site and therefore don’t have email addresses.
Casey asserts the company has gone to “extraordinary lengths to ensure that nothing bad happens to our users” and that Yahoo has coordinated with Google and Amazon – companies whose accounts may already be linked with Yahoo users – to try to prevent any potential identity theft cases that may arise.
The company also insists it plans to use a 30-day waiting period between deactivation and when the new IDs are recycled, according to a Yahoo spokesperson Thursday.
“During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others,” the spokesperson added. “Upon deactivation, we will send notification for these potentially recycled accounts to merchants, ecommerce sites, financial institutions, social networks, email providers and other online properties.”