Yahoo Recycled Email Program Faces Security Problem

A few days ago, Yahoo announced that they would roll out a new tool that allowed people to claim accounts that were going to be up for grabs after the purge. Yahoo believed they had fixed the issue that allowed emails with private information to slip through the cracks, but in fact, they had not.

A few days after previous accounts had been granted to new users, a handful of users raised concerns after receiving emails meant for the previous owner that contained private information, such as bank and wireless account data. While this handful of users was quick to report the problem, countless others may not have done the same.

As a response to this obvious security problem, Yahoo introduced a new button to their email accounts called “Not My Email”. This button will be easy to spot under the “Actions” tab in your inbox, even if you haven’t claimed someone else’s email as your own. The button can be selected when a user receives an email that isn’t their own. This will eventually train the inbox to reject any email that isn’t intended for the current user.

Yahoo is also rolling out plans to help users who were simply inactive. Yahoo users who have inactive accounts will be notified a month in advance via the inactive email as well as any email that was listed as an alternate email address. If possible, they will also be alerted via SMS if a phone number is listed. All someone has to do is log into their account before 30 days is up and the account will remain active. Otherwise, the name will be scrubbed clean, and everything will be reset.

“We will then bounce emails to it and after a period of time open it up for anyone to register for,” a Yahoo spokesperson said in a statement. “At that time, the earlier account owner could try to register for it — but their content wouldn’t be in there. Alternatively, if someone else registers the account, the earlier account owner could go to watchlist.yahoo.com and pay $1.99 to get put on the watchlist for that name and 4 others.”

In addition to the new button, the Require-Recipient-Valid-Since protocol will continue. Some senders include this special header in their emails; when it is detected, a check is made that the age of the account is consistent before the message gets delivered. If not, the message is bounced. Yahoo has been reaching out to large companies, such as Amazon and eBay, to see if they will include the header in their emails to help protect from fraud.
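The receiving-side check described above, sketched as an added example (not Yahoo's code). It assumes the header value has the form `address; date`, as later standardized in RFC 7293, and that the mail system records when the current owner took over each mailbox; the ownership table, addresses and sample message are constructed.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed ownership table: address -> when the current owner got the account.
OWNER_SINCE = {
    "recycled@example.com": datetime(2013, 8, 26, tzinfo=timezone.utc),
    "longtime@example.com": datetime(2005, 3, 1, tzinfo=timezone.utc),
}

def rrvs_decision(raw_message, recipient, owner_since=OWNER_SINCE):
    """Return 'deliver' or 'bounce' for one recipient of one message."""
    msg = message_from_string(raw_message)
    acquired = owner_since.get(recipient.lower())
    if acquired is None:
        return "bounce"  # no such mailbox at all
    for value in msg.get_all(HEADER, []):
        addr, sep, stamp = value.partition(";")
        if not sep or addr.strip().lower() != recipient.lower():
            continue  # malformed, or about a different recipient
        try:
            valid_since = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: treat the header as absent
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        # The sender knew this address as of valid_since. If the mailbox
        # changed hands after that, the mail is for the previous owner.
        if acquired > valid_since:
            return "bounce"
    return "deliver"  # no applicable header, or ownership predates it

def sample(to, since=None):
    """Build a constructed message, optionally carrying the header."""
    hdr = f"{HEADER}: {to}; {since}\n" if since else ""
    return (f"From: billing@bank.example\nTo: {to}\n{hdr}"
            "Subject: Your statement\n\nAccount details...\n")

if __name__ == "__main__":
    old = "Fri, 01 Jun 2012 09:23:01 -0700"
    for rcpt in OWNER_SINCE:
        print(rcpt, rrvs_decision(sample(rcpt, old), rcpt))
```

A message without the header is delivered as usual, which is why the protection depends on senders adopting it.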

Other emails reported as received include timecards with social security numbers, airline confirmations, and rental home application confirmations. Hopefully, with the new button, this private information will be protected and will stop winding up in an inbox in which it doesn’t belong.