25 Sep, 2013 | Bobby | Email Security

Yahoo has done something extremely stupid from the perspective of security. They’ve taken dormant email accounts (by Yahoo’s definition, accounts that have not been logged into in the last year) and reclaimed them for re-use. That means if you have an old Yahoo account that you haven’t used in a while, it may belong to someone else now.

It’s old news and the deed has already been done. And Yahoo has assured us that it’s doing this in a very secure fashion. But that’s just PR talk, because in reality, it’s not something that could ever be done securely. The problem isn’t how they’re doing it, it’s that they’re doing it at all. They’re giving someone else your email address. There’s absolutely no way that could be a good thing.

For instance, a cyber crook might be able to use someone’s old email account to request a password change at some website, thus gaining access to that website account through its normal built-in password recovery system. There are already reports of security issues in which new owners of the accounts are receiving very personal information about the previous owners. Here is an excerpt from one of those reports:

Tom Jenkins, who was given a new Yahoo name in August, says he quickly started receiving emails from common services like Facebook and Pandora, which still had the address on file. “I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number,” he says. “I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.” Even if someone is no longer signing into their email address, it may still be attached to services that they use frequently. Another user describes getting an email confirmation for an apartment application. “I could have canceled someone’s apartment,” he says.

So what in the world can we do about it? Well, unfortunately, the deadline to reactivate your old account was last July. If you missed it, you no longer have access to that account. But there are some steps you can take to minimize any potential damage.

What To Do About Your Old Yahoo Account

Get your account back

It’s possible that your old email is still up for grabs if someone hasn’t nabbed it yet. Go to Yahoo’s registration page and see if your old username is still available. If it is, create a new account with it right away.

Update your email address on all your accounts

If there are still websites out there that have your old email on file, go update them right away, especially sites that store your personal information, like social networking sites and online retailers.

DO NOT change your passwords

If there are websites with your old address on file, do not change your password on those sites until the address has been updated to your current one. If you do, the site will send a change notification to the old address, telling the new owner which sites are linked with that email address. And depending on the site, it could even send the new password in the email.

Change your email recovery address

Check to make sure that the old Yahoo address isn’t the recovery address for your current email account. The recovery address is the secondary address that you use for password recovery of your main email account. If the old Yahoo address is listed there, replace it; if you don’t have another email address to use, create one.

Cancel your old subscriptions

Cancel any subscriptions that are continually sending emails to your old address. That’s easier said than done, since you may not remember every account that used the old Yahoo address, but try your best.
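One way to rebuild that list, for both the “update your email address” and “cancel your old subscriptions” steps, if you still have a local archive (say, a mail client that downloaded the old account’s mail via POP before it was reclaimed): the script below is an added example, not part of the original post, that scans an mbox file for senders who were mailing the old address, flags password-related mail (the reset-in-a-recycled-inbox scenario described above), and pulls out any unsubscribe link. The sample messages and domains are constructed; Bcc’d mail has no trace of the address in its headers and will not be counted.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample archive (hypothetical domains, headers only): messages a
# mail client might have downloaded from the old account before it was reclaimed.
SAMPLE_MBOX = """From - Mon Jan  7 10:00:00 2013
From: Facebook <notification@facebookmail.example>
To: olduser@yahoo.example
Subject: You have a new friend request
List-Unsubscribe: <https://www.facebook.example/unsub?u=123>

From - Tue Jan  8 10:00:00 2013
From: Pandora <no-reply@pandora.example>
To: olduser@yahoo.example
Subject: Password reset requested

From - Wed Jan  9 10:00:00 2013
From: A Friend <friend@gmail.example>
To: someoneelse@example.org
Cc: olduser@yahoo.example
Subject: lunch?
"""

def iter_mbox_messages(mbox_text):
    """Split raw mbox text on its 'From ' separator lines and parse each message."""
    for chunk in re.split(r"^From .*\n", mbox_text, flags=re.MULTILINE):
        if chunk.strip():
            yield message_from_string(chunk)

def inventory_senders(mbox_text, old_address):
    """Map each sender domain that mails old_address to: message count, whether any
    message looks password-related, and an unsubscribe URL if the sender offers one."""
    old_address = old_address.lower()
    seen = {}
    for msg in iter_mbox_messages(mbox_text):
        pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if old_address not in [addr.lower() for _, addr in pairs]:
            continue  # not addressed to the old account (Bcc'd mail is missed here)
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        entry = seen.setdefault(domain, {"count": 0, "password_related": False, "unsubscribe": None})
        entry["count"] += 1
        if "password" in (msg.get("Subject") or "").lower():
            entry["password_related"] = True  # a reset notice: update this site first
        unsub = msg.get("List-Unsubscribe")
        if unsub and entry["unsubscribe"] is None:
            entry["unsubscribe"] = unsub.strip().strip("<>")
    return seen
```

Run it against a real export with `inventory_senders(open("old-account.mbox").read(), "you@yahoo.com")` and work through the domains it returns, password-related ones first.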

What To Do About Yahoo

In this security guy’s opinion, Yahoo just committed an unforgivable offense. The company must have understood this would be an issue; it’s impossible that they didn’t, considering that everyone else did. It’s clear that the company is more interested in getting new users than in protecting their current ones. This was such an obvious mistake that it’s hard to believe it even happened. I won’t pull any punches here: it was a moronic thing to do. My recommendation is to steer clear of any Yahoo user services in the future. I’m sure that’s not a surprising recommendation, considering their infamous history of security problems.