Yahoo defended its plan to recycle user IDs this week, saying that it had put in place safeguards to prevent the recycled usernames being used for identity theft.
The internet company claimed that only 7% of inactive IDs are tied to Yahoo! email accounts. The company also said that it had worked with major technology companies such as Google to reduce the risk the IDs could be used for fraud.
David Harley, Senior Research Fellow at ESET, says, “What Yahoo is missing here is that it isn’t just about deleting data formerly associated with a Yahoo account – I wouldn’t expect anything else from a ‘reset’. But Yahoo can only do that with data that it actually stores itself. Where an account is – or has been – linked with data that Yahoo doesn’t control, the risk will increase that those data are potentially exposed to a new user, possibly even a malicious user targeting a specific account.”
“In a statement to Wired, Yahoo acknowledges some of these issues, and gives the impression of confidence that it can obviate those risks by bouncing emails, unsubscribing accounts from newsletters, and notifying various service providers of deactivation. How will it do that? By trawling through past emails to and from that account? That sounds ethically challenged to me in itself. I don’t suppose they’re going to do it manually, but it sounds impractical to me to automate the process fully effectively. I’m just glad I don’t have a Yahoo account. (I hope: you can acquire and forget a lot of email accounts over decades in the IT business!)”
Dylan Casey, a senior director for consumer platforms at Yahoo said, “Can I tell you with 100 percent certainty that it’s absolutely impossible for anything to happen? No. But we’re going to extraordinary lengths to ensure that nothing bad happens to our users.”
Casey, speaking to Reuters, said that the risk of identity theft was “something we are aware of and we’ve gone through a bunch of different steps to mitigate that concern. We put a lot of thought, a lot of resources dedicated to this project.”
Author Rob Waugh, We Live Security