When Marissa Mayer first became CEO of Yahoo, she got flak for telling Yahoo employees that they couldn’t work from home. She wanted Yahoo workers in the office, seeing each other, and collaborating to help the tech dinosaur get its groove back. Those who weren’t up for visiting the office on a regular basis got the boot. Now Yahoo is doing something similar to Yahoo users, telling those that haven’t stopped by a Yahoo property in a year that they have to make an appearance within the next month or say farewell to their account. The company announced the “use it or lose it” policy on its official Tumblr last week, where it was spotted by Mat Honan of Wired, who called it “every bad idea Yahoo has ever had [multiplied] by 10x.”
Why? Because it could be a security disaster.
In the Tumblr post — firstname.lastname@example.org Can Be Yours! — Yahoo’s SVP for platforms, Jay Rossiter, writes, “[W]e want to give our loyal users and new folks the opportunity to sign up for the Yahoo! ID they’ve always wanted…. We’re freeing up IDs, that have been inactive for at least 12 months, by resetting them and giving them a fresh start. In mid July, anyone can have a shot at scoring the Yahoo! ID they want. In mid August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got. What if you haven’t logged into Yahoo! for over a year, but want to keep your Yahoo! ID? It’s easy. All you have to do is log on to any Yahoo! product before July 15th.”
I assume, and desperately hope, that Yahoo will be arbitrarily deleting all of the information associated with these defunct accounts; sorry, Flickr users who haven’t visited their albums in over a year. That will be a sad loss of digital property for affected persons, but is better than giving access to private emails and photos to whoever signs up for email@example.com (R.I.P.).
Security expert Graham Cluley, who calls Yahoo’s plan “a terrible idea,” points out the remaining security risks inherent in this email address free-for-all:
- “So, imagine years ago you created yourself a Yahoo address but you subsequently decided to use GMail or Hotmail instead, but maybe – prior to that – you registered some of your third-party web accounts using your Yahoo address,” writes Cluley in an email. “What happens when you forget your password, and you ask the site to send your registered email address a password reset/reminder? Potentially it could fall into the wrong hands.”
- “Also, what if people have kept their old email address as an archive – they may not have needed it in the last year, but who’s to say that they might not want to access some of its content (emails and photos from since-deceased relatives and the like) in the future?” he writes. “Yahoo is forcing anyone who doesn’t want their Yahoo ID to expire to log into their account before July 15th (if they haven’t checked in for a year). Of course, many people will *never* realise that the clock is ticking and that they could be about to lose control of their Yahoo ID.”
- There are people who may have a Yahoo email address as a back-up for signing into various sites around the Web. For example, it could be a back-up address for recovering your Gmail password. “Bad news if you only have a Yahoo address as your emergency alternative,” says Cluley. “Who knows if a bad guy is rubbing his hands in glee hoping to snatch it come mid-July…”
It also undercuts anyone who has astro-turfed for the sake of protecting their reputation in the first place. Privacy folks often advise people to nab firstname.lastname@example.org on all possible services so that others can’t impersonate them, even if they don’t plan to use that particular service.
“It’d be akin to the post office allowing someone to take over your physical mailing address because you haven’t gotten mail for a while,” says security researcher Ashkan Soltani. “It could make it much easier to hijack someone’s identity.”
Cluley thinks Yahoo is going about it the wrong way. He suggests that Yahoo offer users the right to opt in to relinquishing their Yahoo identities for other people to use.
“Of course, Yahoo knows it will have a lot fewer email addresses available to offer afresh if it does that,” he says.
I’ve emailed Yahoo to ask if they’ve thought through the security implications of this, but haven’t heard back yet. I understand why they may want to clean out the stables and get rid of inactive users (and all of the information stored on their behalf) but this comes across as an underhanded and risky way to get people to re-engage with Yahoo properties.
In the meantime, all you people who have abandoned your Yahoo accounts, now’s the time to sign back in if you want to hold onto them, assuming Yahoo doesn’t back down on this misguided plan.
Update: Yahoo got back to me at the end of the day. They say:
“Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.”
Yahoo says it does have a security plan. It’s going to have to notify countless sites that it has jacked these email addresses:
“To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”
Courtesy of Forbes