Yahoo recycled ID users warn of security risk

Users of Yahoo's recycled ID names say they are receiving the former owner's sensitive information through their new accounts.

Donna Tam Staff Writer / News
Donna Tam covers Amazon and other fun stuff for CNET News. She is a San Francisco native who enjoys feasting, merrymaking, checking her Gmail and reading her Kindle.
Donna Tam
2 min read
James Martin/CNET

Yahoo users who got recycled account IDs said they've found a security risk -- they are receiving emails containing the personal information of former account owners, InformationWeek.com reported Tuesday.

The users told the news site that initially, they were receiving junk mail for the Yahoo ID's previous owner, but then other mail with sensitive information started showing up. This included account information, confirmation for appointments and flights, and event announcements. It appears the old owners must still be giving out the email address without knowing they no longer have access to the account.

One user, an IT security professional named Tom Jenkins, described the potential for identity theft as, "kind of crazy":

I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address, and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding.

We've contacted Yahoo for a comment and will update if we hear back.

Yahoo told InformationWeek that it takes the "security and privacy of our users very seriously," and has received complaints from "a very small number of users who have received emails through other third parties which were intended for the previous account holder." It continues to ask other companies, the ones sending the emails, to verify accounts by adding a date-specific marker.

Yahoo began releasing recycled IDs in late August, aftergiving users a month to log in to their accounts and stake their claim. Yahoo shut down any accounts that hadn't been logged in for more than a year, and then put the usernames up for grabs.

After the initial announcement the company adamantly defended its security processfor the switch, with Dylan Casey, Yahoo's senior director of Consumer Platforms, telling CNET that it was "very, very foolproof."

Casey said that the recycled accounts were inactive and "a very small number" were receiving emails at all. He described a processes that stopped password retrieval emails from being sent to accounts, but did note that there's no guarantee it could stop everything from going through. While Yahoo can prevent former users from accessing their old accounts, it has to reply on third-party companies to put in measures to prevent new users from seeing emails meant for the original ID owners.

"We're going through a significant amount of work prior to giving that ID to the new user to basically signal to anybody that might be sending to that ID that this is no longer the person that you think it is...I don't think there's any 100 percent guarantees but we're very confident that the work we're doing is going to prevent any type of abuse," he told CNET in July.