SAN FRANCISCO (KPIX 5) – Former Yahoo email users may face a privacy issue now that the company has begun recycling inactive email accounts.
Yahoo is giving away email addresses that have gone unused for at least 12 months. This poses security problems when sensitive information intended for the original user is sent to the addresses.
Leslie Litzenberger of San Jose was on the receiving end of some of these security-sensitive emails when she got a recycled Yahoo ID, one with her childhood nickname, ‘rosebud.’
“Yahoo contacted me, letting me know they were releasing abandoned email addresses,” Litzenberger said. “I thought, ‘Well, now is my opportunity to get rosebud@yahoo,’ whoever had it before had abandoned it, so it was available.”
It turns out the account wasn’t completely abandoned. Litzenberger quickly began receiving hundreds of emails intended for the previous “rosebud@yahoo” and many of them were quite personal.
Contained in the emails was information about the school the former ‘rosebud’s’ children attend, the last four digits of her social security number, her Verizon account number and billing information, as well as the ability to reset passwords for accounts with Facebook, Twitter, Instagram, Monster and even a dating site.
“I’m not a bad person, so I’m not going to do anything with it,” Litzenberger said. “But if I was, I mean, I could really mess things up for her.”
Yahoo says they “took many precautions” to ensure these kinds of problems would not arise. They began a 30-60 day period of deactivation for each recycled account, during which Yahoo unsubscribes the account from mailing lists. Any personal emails sent to the old account during this period will be responded to with bounce-back emails explaining that the former user no longer has control of the email address.
Lee Tien, of the Electronic Frontier Foundation, acknowledges that Yahoo tried to notify its users of their recycled accounts but is not surprised people like Leslie are receiving emails not intended for them.
However, Yahoo is not alone. Microsoft has engaged in similar practices of email recycling, as have many colleges.
Yahoo’s Senior Director, Platforms, Dylan Casey, gave an explanation of the email recycling problem which he likened to moving to a new house:
“If you move into an apartment and you get mail addressed to the former renter, you can either throw it away or you can let the sender know that you’re not the intended recipient, telling them that the person no longer is at this address,” said Casey. “If you get mail that’s meant for your neighbor, you walk it over to them.”
One issue with this explanation is that when you receive a former renter’s mail, you have to open it before learning the sensitive information about the person, and opening someone else’s mail without their permission is a federal offense. Opening an email intended for someone else is not illegal when you are the new owner of a recycled address, and is only a click away.
“When you move, you know you moved. When they take your email address and recycle it, it’s usually because you didn’t know anything about it,” Tien said.
The former “rosebud” had no knowledge that her email belonged to someone else. She continually tried to reset the Yahoo email password, and the “rosebud” inbox filled with the password resets for other accounts as well.
Tien said this should serve as a warning to the industry, which often operates under the assumption that your email address will always belong to you.
“Obviously, when you’re recycling email addresses, it no longer becomes a useful authentication tool,” said Tien.
The former ‘rosebud’ now knows that her account belongs to someone else, but Litzenberger said she no longer wants the address.
Though Yahoo will not comment specifically on the ‘rosebud’ case, they did release a statement addressing the more general security problems surrounding recycled email accounts:
“As part of our account recycling effort, we took many steps to make sure this was done in a safe and secure manner. First, the accounts that were recycled hadn’t been active for more than 12 months. Before recycling inactive accounts we attempted to reach the account owners multiple ways to notify them that they needed to log in to their account or it would be subject to recycling. Before recycling these accounts, we took many precautions to ensure this was done safely – including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail. In addition, we published a new email header to the IETF with Facebook for email senders to implement to reduce the risk of a new user receiving emails intended for the previous owner. We also collaborated with email service providers, merchants and other large email senders so they were aware of this effort, and worked extensively to get the word out directly to our users. Additionally, we’ve rolled out a feature in Yahoo Mail called ‘Not My Mail’ where users can report that an email is not intended for them. We continue to look for ways to protect our users.”
(TM and © Copyright 2013 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2013 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.)