Thursday, June 27, 2013

Yahoo’s Email Address Plan Called ‘Trash’ By Security Expert

Yahoo has raised a fair amount of concern about account security with a recently announced move to shut down inactive Yahoo IDs and email addresses and hand them over to other users who want them.

As previously reported, security experts and others in the industry have been criticizing the company, calling the move names like “stupid,” “moronic,” and “a terrible idea”. You can see the kinds of things they were saying here.
Yahoo has not ignored its critics, telling Reuters that only 7% of the IDs in question are even tied to Yahoo email accounts, for example. The company also gave the following statement to Wired:
Our goal with reclaiming inactive Yahoo! IDs is to free up desirable namespace for our users. We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data. It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them. Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.
To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
Well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, was particularly critical of Yahoo’s move. We picked his brain to see what he had to say about Yahoo’s defense of its actions. Suffice it to say, it didn’t make him feel much better about the whole thing.
“Yahoo’s response doesn’t reassure me one bit,” Cluley tells us. “If the ‘vast majority’ of IDs covered by this action don’t have associated email addresses, why not exclude all of the ones which do have email addresses from the guillotine?”
“I saw them say elsewhere that they would contact third party websites that might have accounts registered with one of the email addresses, which gave me the biggest laugh of all,” he adds. “I mean, there aren’t that many websites out there, are there? :) The whole thing sounds utterly impossible to pull off competently, so they should throw the idea away in the trash can where it belongs.”
“I’d like to see Yahoo provide a list of all the sites they plan to contact with their list of email addresses potentially up for grabs,” Cluley says. “I imagine that’s quite a long list of websites that could have had accounts created on them. After all, Yahoo wouldn’t forget to include any sites, would it… I mean, it’s a search engine, so it probably has a grasp on how many websites there are out there, right?”
“And, umm, aren’t there some slight risks in contacting – let’s say, x hundred million – websites with a long list of Yahoo IDs and email addresses that will shortly be deactivated and available for anyone to claim?” he adds. “They just haven’t thought this through at all.”
Users who want to keep their Yahoo IDs need only log in before July 15th to avoid losing them.

Chris Crum

Chris Crum is a staff writer for SecurityProNews and WebProNews