Yahoo! recently began recycling “inactive” user accounts, in an effort to woo new customers – but some customers who have acquired these “second-hand” email addresses say they are receiving a “bonus” of personal emails intended for the old owners, some of which offer information that could be used in identity theft.
Yahoo has begun to put in place technical measures aimed at dealing with the problem.
Speaking to Information Week, users said that they received junk mail aimed at the ID’s previous owner – but also sensitive information such as appointment details and flight confirmations, and invitations to weddings.
Yahoo! has responded by introducing a new “Not My Email” button, which helps users get rid of unwanted emails and will eventually reject such unwanted mail. The company also said that it would introduce a programme to allow users to “reclaim” unused accounts.
Speaking to Information Week, one IT security professional, Tom Jenkins, said that the “recycled” addresses offered a “crazy” level of potential for identity theft.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t,” Jenkins said. “I know their name, address, and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”
Yahoo said that it had received complaints from “a very small number of users who have received emails through other third parties which were intended for the previous account holder.”
Yahoo! said prior to the scheme’s launch that it had put in place safeguards to prevent the recycled usernames being used for identity theft.
The internet company claimed that only 7% of inactive IDs are tied to Yahoo! email accounts. The company also said that it had worked with major technology companies such as Google to reduce the risk that the IDs could be used for fraud.
Dylan Casey, a senior director for consumer platforms at Yahoo!, said, “Can I tell you with 100 percent certainty that it’s absolutely impossible for anything to happen? No. But we’re going to extraordinary lengths to ensure that nothing bad happens to our users.”
Author Staff Writer, ESET