Yahoo ID Recycling Raises Identity Theft Fears

Security experts worry Yahoo’s plan to recycle inactive user IDs will increase the risk for identity theft.

Yahoo has gone on the defensive this week, responding to critics who have concerns about a heightened risk for social engineering scams and identity theft that could result from the company’s forthcoming plan to recycle inactive user IDs.

The Sunnyvale, Calif. search engine announced plans last week to clean house and reset IDs that have been inactive for the last 12 months. Under the current plan, on July 15 the company will allow users to claim these old, previously taken usernames.

Critics point out that the plan could make identity theft far easier for attackers. For example, if an attacker wanted to compromise a Google account whose recovery address was a recycled Yahoo ID, all they would have to do is claim that ID, request a password reset from Google, and read the reset email in the Yahoo inbox they now control.

Dylan Casey, Yahoo’s senior director for consumer platforms, told Reuters that Yahoo is “aware” of the potential identity theft implications with its plan but has “gone through a bunch of different steps to mitigate that concern.” Casey added that only seven percent of the IDs that are inactive are tied to actual Yahoo email accounts.

“[Yahoo] put a lot of thought, a lot of resources dedicated to this project” according to Casey, who went on to rationalize that most of the inactive accounts are linked to user accounts on Yahoo’s Fantasy Sports site and therefore don’t have email addresses.

Casey asserts the company has gone to “extraordinary lengths to ensure that nothing bad happens to our users” and that Yahoo has coordinated with Google and Amazon – companies whose accounts may already be linked with Yahoo users – to try to prevent any potential identity theft cases that may arise.

The company also says it will impose a 30-day waiting period between deactivating an ID and making it available for someone else to claim, a Yahoo spokesperson said Thursday.

“During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others,” the spokesperson added. “Upon deactivation, we will send notification for these potentially recycled accounts to merchants, ecommerce sites, financial institutions, social networks, email providers and other online properties.”
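The takeover path the critics describe and the waiting-period mitigation the spokesperson describes, as an added example that is not from the article or from Yahoo: a small simulation of the recycling lifecycle. The mailbox provider deactivates IDs idle for 12 months, bounces mail to a deactivated ID, refuses to hand the address out until 30 days have passed, and then lets a new user claim it. The relying party (a Google-like site with a recovery address on file) sends its reset token to that address; with no extra check the new owner reads it, while a "valid-since" check (an assumption for this example, the pattern later standardised in RFC 7293 as Require-Recipient-Valid-Since, which the article does not mention) makes the provider bounce mail addressed to a mailbox reassigned after the sender last confirmed its owner. The names alice, mallory and example.test and the dates are constructed for the demo.

```python
# Added example, not from the article or from Yahoo. Names, dates and the
# valid-since check are assumptions made for the demonstration.
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=365)   # article: IDs inactive for 12 months
RECYCLE_WAIT = timedelta(days=30)        # article: 30-day waiting period


@dataclass
class Mailbox:
    owner: str
    created: date            # when the current owner claimed the address
    last_login: date
    deactivated: Optional[date] = None


class MailboxProvider:
    """Yahoo-like provider: deactivates idle IDs, bounces mail while they are
    deactivated, and lets someone else claim an ID once the wait has elapsed."""

    def __init__(self) -> None:
        self.boxes: dict[str, Mailbox] = {}
        self.inbox: dict[str, list[str]] = {}

    def register(self, address: str, owner: str, today: date) -> None:
        existing = self.boxes.get(address)
        if existing is not None and (
            existing.deactivated is None or today < existing.deactivated + RECYCLE_WAIT
        ):
            raise ValueError(f"{address} is not available yet")
        self.boxes[address] = Mailbox(owner=owner, created=today, last_login=today)
        self.inbox[address] = []          # the new owner never sees the old mail

    def sweep(self, today: date) -> None:
        """Deactivate every mailbox idle for INACTIVITY_LIMIT or longer."""
        for box in self.boxes.values():
            if box.deactivated is None and today - box.last_login >= INACTIVITY_LIMIT:
                box.deactivated = today

    def deliver(self, address: str, body: str,
                valid_since: Optional[date] = None) -> str:
        """Deliver a message or return a bounce reason. valid_since is the
        sender's claim "I last confirmed the owner of this address on this
        date" (assumed check, not something the article describes)."""
        box = self.boxes.get(address)
        if box is None:
            return "bounce: no such user"
        if box.deactivated is not None:
            return "bounce: account deactivated"
        if valid_since is not None and box.created > valid_since:
            return "bounce: address reassigned since sender last verified it"
        self.inbox[address].append(body)
        return "delivered"


class RelyingParty:
    """Google-like site whose password reset goes to a linked recovery address."""

    def __init__(self, mail: MailboxProvider) -> None:
        self.mail = mail
        self.recovery: dict[str, tuple[str, date]] = {}   # user -> (address, date linked)
        self.pending_tokens: dict[str, str] = {}

    def link_recovery(self, user: str, address: str, today: date) -> None:
        self.recovery[user] = (address, today)

    def request_reset(self, user: str, use_valid_since: bool) -> str:
        address, linked_on = self.recovery[user]
        token = secrets.token_urlsafe(16)
        result = self.mail.deliver(address, f"reset token {token}",
                                   valid_since=linked_on if use_valid_since else None)
        if result == "delivered":
            self.pending_tokens[user] = token
        return result


def scenario(use_valid_since: bool) -> dict:
    """Link, go idle, deactivate, wait, attacker claims the ID, reset requested."""
    t0 = date(2012, 1, 1)                 # constructed date
    mail = MailboxProvider()
    site = RelyingParty(mail)
    mail.register("alice@example.test", "alice", t0)
    site.link_recovery("alice-site", "alice@example.test", t0)

    sweep_day = t0 + INACTIVITY_LIMIT     # alice never logs in again
    mail.sweep(sweep_day)
    during_wait = mail.deliver("alice@example.test", "hello")     # bounces
    try:
        mail.register("alice@example.test", "mallory", sweep_day + timedelta(days=10))
        claim_during_wait = "allowed"
    except ValueError:
        claim_during_wait = "refused"

    claim_day = sweep_day + RECYCLE_WAIT  # wait over: the attacker claims the ID
    mail.register("alice@example.test", "mallory", claim_day)
    reset = site.request_reset("alice-site", use_valid_since)
    attacker_has_token = any(m.startswith("reset token")
                             for m in mail.inbox["alice@example.test"])
    return {"during_wait": during_wait, "claim_during_wait": claim_during_wait,
            "reset": reset, "attacker_has_token": attacker_has_token}


if __name__ == "__main__":
    for flag in (False, True):
        print("valid-since check" if flag else "no check", scenario(flag))
```

The bounce-back during the waiting period only helps a sender that is watching for bounces and unlinks the address when one arrives; once the ID is claimed again, mail flows normally, so the relying party has to carry its own record of when it last confirmed the owner, which is what the valid_since argument models.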


Discussion

  • Kurt on

    If you respond, please use my first name as listed and I will then know that you are not a bad guy. How do we as Microsoft owners get the NSA, CIA and every other backdoor-snooping bastard out of our computers? How do we close the "backdoor" entry that Gates gave them... Best of regards