Thursday, June 27, 2013
Yahoo raising security concerns for "recycling" old e-mail addresses.
Yahoo has announced a plan to "recycle" old e-mail addresses, a move meant to free up accounts for folks who want them but that has sparked privacy concerns.
In a blog post, senior vice president Jay Rossiter announced that Yahoo e-mail accounts that have been dormant for more than a year will be reset so that active users can have access to them.
"If you're like me, you want a Yahoo! ID that's short, sweet, and memorable like email@example.com instead of firstname.lastname@example.org," he wrote.
The one-year period will officially begin July 15, when users can "claim" a dormant account name. They'll find out in mid-August if they got the account they wanted.
It's clearly an effort by Yahoo, which has been working to redefine and rejuvenate itself under new CEO Marissa Mayer, to re-engage older users and reward active ones. But it has security experts nervous.
Security analyst Graham Cluley doesn't mince words.
"In short: as an idea it sucks, and it shows Yahoo's lack of respect to customers who created accounts with them in years gone by," Cluley wrote Wednesday.
Cluley lists several scenarios where the plan could backfire. They include situations in which a user has another primary e-mail account, but has given their Yahoo address as a backup in case of security situations, lost passwords and the like.
He said the move appears to be "an underhanded way to get people to re-engage with the site" and that people who may not actively use their Yahoo mail, but use it to store old messages and other documents, could lose them without ever realizing it.
Mat Honan of CNN content partner Wired, himself the recent victim of a high-profile hack, called the move "a spectacularly bad idea."
In the wake of such complaints, Yahoo released a follow-up statement saying it's sure the transition can be made without compromising security.
"We're committed and confident in our ability to do this in a way that's safe, secure and protects our users' data," the company said.
The vast majority of inactive Yahoo IDs don't have a mailbox associated with them, the company said, and any personal data associated with the accounts will be deleted.
During a 30-day deactivation period, bounce-back e-mails will alert senders that the deactivated account no longer exists and Yahoo will unsubscribe those accounts from newsletters, commercial e-mail alerts and the like.
Businesses, financial institutions, social networks and other e-mail providers will be sent notifications about e-mail addresses that have been deactivated.