Yahoo: When recycling is not a good idea
After Marissa Mayer’s team recently decimated Flickr with its new gaudy and garish interface and completely alienated professional photographers in the process, her team is now setting its sights on a new, but unnecessary, problem: recycling of long expired user IDs. Yahoo had been collecting user IDs for years. That is, people sign up and use the account for a while, then let the account lapse without use for longer than 30 days. Yahoo marks the ID as ‘abandoned’ (or similar) and then locks it out forever, until now. Some employee at Yahoo offered up the incredibly bad idea to recycle IDs. Unfortunately, this decision to recycle IDs may actually become the demise of Yahoo. Let’s explore.
I’m guessing that Yahoo has decided to make it look like it’s doing something good by recycling something, anything. That is, Yahoo is now letting people Wishlist long-closed user IDs that had been previously locked. Hurry, though, you only have until Aug 7, 2013 to wishlist that long forgotten ID. The trouble is, these old abandoned IDs are clearly second-hand goods. Let’s understand what exactly that means and why you really don’t want one (unless, of course, it was previously yours).
1) Obviously… Spam
Clearly, you aren’t asking for this old ID so you can jump onto that horrendous new Flickr interface or because you intend to read Yahoo News or OMG. The most obvious reason to want that ‘primo’ ID is for the email address. Unfortunately, you have no idea how that account was formerly used or what baggage might be associated with it! So, unfortunately, you will have no idea what exactly you’re getting into by re-using someone’s old ID. The person might have signed up for it just to divert tons of spam into it. Yes, this happens. That means you could open the account and find it filled with spam in only 5-10 minutes, literally. Who’s to say someone wasn’t using it for illegal purposes and it was shut down for that reason?
Yeah, yeah... Yahoo claims they will ‘unsubscribe’ the old ID from newsletters and so forth and these will have been ‘idle’ for at least 12 months (the first batch), but they’ve outlined no way in which they plan to accomplish this unsubscribe piece. Are they really going to hire a bunch of people to sit around clicking unsubscribe links and filling out unsubscribe forms? I think not. It’s all song and dance with no substance. Not to mention that unsubscribing legitimate email subscriptions only accounts for about half (or less) of the total email volume that ends up in an inbox. So, don’t expect any miracles from Yahoo. Even if they can stop some email, the best they can stop is about 40-50% at most. All of the rest will still show up merely by you having signed into your ‘new’ account.
A new email header?
Oh yeah, Yahoo is also trying to rush through the IETF RFC process a new header called require-recipient-valid-since that takes a date as an argument. This header basically requires marketers to know the exact acquisition date of every email address in their lists. Assuming email marketers know this date, which is a huge and incorrect assumption for Yahoo to make, when the email marketers send email containing this date, the email will supposedly be delivered to the correct account (or refused) depending on whether the ID changed hands after that date. Because of this date header, real email could go missing or spam could show up. Unfortunately, as I said, this is an incorrect assumption. Most email marketers barely know the source of their leads, let alone when they acquired them. No, this date thing simply won’t work. And even then, this header will only work with email marketers willing to follow the rules. Spammers that don’t care won’t bother.
Worse, Yahoo is planning on handing out these newly freed old accounts in mid-August. As if every email marketing firm will simply drop whatever business plans they currently have to retool their applications to support this rushed and nearly useless header. Is Yahoo really that asleep at the switch?
2) Fraud, Account and/or Identity Theft
If you happened to have owned one of these long abandoned accounts or you otherwise lost your Yahoo account long ago, you’ll want to be very careful here. You can be guaranteed that there are already people scouting for popular long dead accounts to resurrect and phish for accounts, theft and identities. These thieves know that banks and other legacy institutions keep email addresses on file until you explicitly change them. Even then, they can have issues updating this information in their systems even when you do request the change. So, someone who obtains a long dead account and then browses to Wells Fargo or Bank of America’s web site to request a password reset could abscond with your account credentials and your money, assuming you still have (or ever had) any old Yahoo accounts hooked up to any financial accounts.
Yahoo claims to have ‘security’ mechanisms planned, but good luck with relying on that. I can’t even see that working. Granted, if banks fill in ‘require-recipient-valid-since’ with the appropriate acquisition date in every email they send, the banks can help prevent this issue (assuming the header works as expected). But that also assumes the bank has an email address acquisition date on file to put in this header. It also assumes that the bank can even roll out this header change in the time allotted before Yahoo starts doling these old IDs out. The clock is ticking and Yahoo hasn’t even gotten the RFC completed.
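To make the header mechanism from the previous section and the bank scenario above concrete, here is an added example (not Yahoo’s, any bank’s, or the IETF draft’s code) that models both ends of require-recipient-valid-since. The sender side only emits the header when it actually has an acquisition date on file; the receiver side compares that date with the date the current holder took possession of the mailbox and refuses the message if the ID changed hands afterwards. The ‘address; date-time’ value syntax is the one the draft was later standardized with in RFC 7293; the MailboxRecord type, the function names and every date in the scenarios are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

HEADER = "Require-Recipient-Valid-Since"


@dataclass
class MailboxRecord:
    # Constructed: what a mailbox provider knows about a recyclable address.
    address: str
    owner_since: datetime  # when the current holder took possession of the address


def build_rrvs_value(recipient: str, acquired: Optional[datetime]) -> Optional[str]:
    """Sender side (a hypothetical bank's reset-mail code).

    Emits the header value only when the sender has the acquisition date on
    file. Returning None models the gap the post describes: no date, no
    header, and the receiver has nothing to check against.
    """
    if acquired is None:
        return None
    stamp = format_datetime(acquired.astimezone(timezone.utc), usegmt=True)
    return f"{recipient}; {stamp}"


def parse_rrvs_value(value: str) -> tuple[str, datetime]:
    """Split an 'address; date-time' value (RFC 7293 syntax) into its two parts."""
    address, sep, date_part = value.partition(";")
    if not sep:
        raise ValueError("malformed Require-Recipient-Valid-Since value")
    valid_since = parsedate_to_datetime(date_part.strip())
    if valid_since.tzinfo is None:  # treat an offset-less date as UTC
        valid_since = valid_since.replace(tzinfo=timezone.utc)
    return address.strip().lower(), valid_since


def rrvs_decision(headers: dict[str, str], mailbox: MailboxRecord) -> str:
    """Receiver side: 'reject' when the address changed hands after the date
    the sender last confirmed it, otherwise 'deliver'."""
    value = headers.get(HEADER)
    if value is None:
        return "deliver"  # no header: the check cannot run, mail flows as before
    address, valid_since = parse_rrvs_value(value)
    if address != mailbox.address.lower():
        return "deliver"  # header names a different recipient; not our call
    if mailbox.owner_since > valid_since:
        return "reject"  # current holder got the address after the sender's date
    return "deliver"


def run_scenarios() -> dict[str, str]:
    """Three constructed cases; the dates are illustrative, not from any real account."""
    addr = "olduser@example.com"
    acquired = datetime(2011, 5, 1, tzinfo=timezone.utc)  # when the bank captured the address
    recycled = MailboxRecord(addr, datetime(2013, 8, 15, tzinfo=timezone.utc))  # reissued later
    original = MailboxRecord(addr, datetime(2009, 2, 3, tzinfo=timezone.utc))  # same owner throughout

    with_header = {HEADER: build_rrvs_value(addr, acquired)}
    no_header: dict[str, str] = {}
    value = build_rrvs_value(addr, None)  # bank has no acquisition date on file
    if value is not None:
        no_header[HEADER] = value

    return {
        "recycled_with_header": rrvs_decision(with_header, recycled),
        "original_owner_with_header": rrvs_decision(with_header, original),
        "recycled_no_date_on_file": rrvs_decision(no_header, recycled),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one the post is worried about: when the sender has no acquisition date, no header is produced, and a reset email to a recycled mailbox is delivered exactly as it would have been without the mechanism.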
Fraud and identity theft are a very likely outcome of recycling old Yahoo accounts. If you’re reading this article and you have ever used a now-long-closed Yahoo ID for email, I urge you to go through all of your important accounts and make sure you have deleted all references to your old Yahoo email address immediately! Otherwise, some random person could come to own your old ID and can then cycle through sites requesting password resets just to find what sites your old ID may have used. This is the number one security threat that Yahoo can’t easily get around or easily address. Note that a hacker who obtains an old ID only needs to get access to one of your accounts that will email your real plaintext password back to them, and then they’ll work their way up to your bigger accounts. This is one of the biggest reasons this is an incredibly bad idea from Yahoo.
I’d also suggest that for any accounts you do have (e.g., Facebook, Gmail, etc.), make sure to add alternative email addresses other than your Yahoo address for password resets and other security related emails. If you can, remove all your Yahoo addresses outright even if they are live. Use Gmail or Windows Live Mail instead (at least until they decide to go down this stupid ID recycling road).
3) Yahoo Mistakes
Oops... we didn’t actually intend to give away your live account. Sorry ’bout that.
And then you’re stuck without an account. Yahoo is not publishing specifically what accounts are under consideration. They only say that these ‘dead accounts’ have been idle longer than 12 months in the first batch. Thereafter, any account that has not been accessed for 30 days is up for reissue consideration. There is nothing to say that Yahoo won’t make a mistake and re-issue a live and active account to some random person who signed up on the Wishlist. I can easily see this becoming one of the biggest blunders that Yahoo makes in this process. Unless the Yahoo staff is incredibly careful with this process, it would be super easy to accidentally give some random schmo access to an active live Yahoo account by mistake. For this reason alone, I’d consider closing out all of my Yahoo accounts, except for one thing. They would recycle my account string name in 12 months (or 30 days) and I’d be right back here in this situation again worrying about which of my other accounts were tied to this email address.
Basically, I can’t close my Yahoo account because it’s too great of a security risk. If I leave it open, I risk Yahoo accidentally giving it away in this stupid ‘wishlist’ process. It’s really a no-win situation. After Flickr, I have less and less trust in Yahoo and this is now leaving every Yahoo user in the lurch. This basically means you can NEVER EVER close your active Yahoo account if you want to keep your other accounts secure.
4) Missing Email
Even if you do manage to get your hands on one of these ‘prized’ IDs, Yahoo claims to be putting technical measures into place to prevent security issues. That could very well mean that for recycled accounts your mail delivery will be spotty, if it even works. Meaning, Yahoo may so heavily scrutinize emails heading to these recycled IDs that legitimate mail that’s been marked as ‘a security risk’ may simply never show up. So, for emails like password resets to accounts, you may find that these emails simply never show up at all. Basically, anything that Yahoo’s email system construes as a security risk could simply just go missing. This is the most likely outcome of this recycling. Note that this problem could end up extending to every Yahoo account, which could make Yahoo Mail a very problematic place for any email purposes.
If after reading the above, you are still considering an ‘old used account’, I really can’t understand why. Taking on someone else’s old email and Yahoo baggage isn’t something I’d want to deal with (are they going to be sure to clear off all old comments and Yahoo Answers for this old ID?). Say someone pops up from years past, not knowing that Yahoo ID has been reissued, and you get an email from some old boyfriend, or from someone who hated the previous owner of that ID. Then what? You’ll be left with a mess to clean up. Why would you want to deal with this excess baggage when you can get a new account that’s never been issued and not have to deal with this problem at all? However, knowing that any account you create at Yahoo would be recycled later, how could you rely on it for any kind of security? You can’t. So, I might suggest Gmail or Windows Live Mail (or any other free email service not recycling IDs) instead of Yahoo.
Unfortunately, I don’t see any other alternatives with Yahoo at this point. This is an incredibly stupid decision from Yahoo. I have no idea what the folks at Yahoo are even thinking. It’s not like a telephone number. You give that up and no one thinks twice about whether someone could use that old phone number nefariously. Unfortunately, nearly every site now uses email addresses to verify that you ‘own’ your accounts. So, password resets, PIN codes, and all manner of secure information traverse email addresses.
One thing that Yahoo may inadvertently cause with this change is for banks and other financial institutions to rethink how they validate a user’s identity. Clearly with this change, email addresses can no longer be trusted as secure, or even assumed to belong to only one person. This throws security surrounding email addresses into complete turmoil for any site that uses email addresses as validation.
Based on the previous paragraph, sites may start preventing use of @yahoo.com email addresses for their services. Knowing that you could lose your Yahoo account and then have it turned over to someone else 30 days later could easily lead to site compromises. To avoid this situation entirely, sites that rely on security may simply stop letting @yahoo.com email addresses sign up for service. So, one of the biggest benefits of using Yahoo Mail will end. I’d expect a mass exodus to Gmail or Windows Live Mail after the dust settles here. In fact, this decision may kill Yahoo Mail as any kind of a real email service. Does Marissa have any idea what the hell she’s doing? If I were on the Yahoo board, I’d be seriously considering ousting this one right about now.
If I were in a position at Yahoo to make this decision, I would have killed this idea before I’d ever left the conference room. That Yahoo is even contemplating making this move at this time is completely questionable. Let’s just hope that when someone’s account is compromised and/or has identity theft as a direct result of this bad Yahoo decision, that someone will sue the pants off of Yahoo. That will at least teach other ISPs that this is not, in any way, an acceptable practice.
This decision has disaster written all over it. This is also a huge liability risk for Yahoo. Yes, Yahoo may have written in their Terms and Conditions that they have the right to reissue account names. But, since they hadn’t been doing this from the beginning and they’re now choosing to do this without proper preparations, this is a huge legal risk. It only takes a handful of users whose accounts get compromised or whose identities get stolen as a result of Yahoo’s new policy before this ends in courtroom dates. I can’t even fathom what benefit Yahoo derives from reissuing old IDs, but I can definitely see huge legal liabilities and black clouds looming over this now floundering company. In fact, the liabilities so outweigh the potential benefits to Yahoo that I have to completely question the purpose of this decision. Let’s hope Yahoo is all lawyered up, as I can see the court dates piling up from this very, very bad decision.