Sep 24, 2013 (05:09 AM EDT)
Yahoo Recycled Emails: Users Find Security Surprises

Read the Original Article at InformationWeek

1   2   3  
10 Ways To Fight Email Overload
10 Ways To Fight Email Overload
(click image for larger view and for slideshow)
When Tom Jenkins, an IT security professional, learned in June that Yahoo planned to free up abandoned account IDs, he jumped on the opportunity to request a nickname he's had since high school. He was thrilled when Yahoo emailed him in August to say the ID was available.

"I had tried periodically to obtain this email address, but I was never able to do it," Jenkins said in an interview. "I was aware that these Yahoo IDs were once owned by someone else, but I was pretty surprised by the types of emails I immediately started getting."

In less than a day, emails intended for the original account owner hit his inbox. Among them were marketing emails from retailers and catalogs, which were a nuisance, he said. But then came the emails with sensitive personal information: messages from the former Yahoo account holder's Boost Mobile service, which included the account and pin numbers; emails from a Fidelity investment account; Facebook emails; Pandora account information; and more.

[ Need new ways to lock down your smartphone? See 9 Android Apps To Improve Security, Privacy. ]

Jenkins and other users who have obtained recycled Yahoo email IDs say, based on what they see in their inboxes, that identity theft concerns exist.

"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," Jenkins said. "The identity theft potential here is kind of crazy."

Neil Harris, a software executive, also signed up for a recycled Yahoo ID. A Yahoo user for many years, Harris wanted a new username that was easier to remember than the one he currently had.

On the first day he logged into the account, he found that Yahoo merged his former account with the new one, giving him one inbox that funneled emails from both accounts. That wouldn't have been a problem, Harris said, if it weren't for the misdirected emails he suddenly started receiving.

"I immediately got email addressed to the [former] account owner and the nature of them made me uncomfortable," Harris said in an interview, noting that a number of emails were from men looking to meet up with a woman.

In the following weeks, Harris was sent emails from department stores, including emailed receipts from recent purchases at Nordstrom. He also received timecards that detailed mileage reimbursements and included the former account holder's name and address.

"It seemed odd to me that this email was coming from all over. It's clear that while the owner supposedly hadn't logged in in a while, she was still actively giving out that email address," Harris said.

They're not alone: Scott Newman, a Web developer, also signed up for one of Yahoo's recycled IDs. "I thought it was a cool idea because when you're standing at Williams-Sonoma and they ask for your email address it would be easier to give them something that made more sense than what I had," he said.

Personal emails intended for someone else began arriving within the first day of account usage, Newman said.

"It started off with some stuff from catalogs and clothing companies and I thought, 'That's fine, I'll just unsubscribe.' I figured I'd have to deal with a little of that," Newman said in an interview. "But then I started getting emails with court information, airline confirmations, a funeral announcement saying someone had just died -- it was nuts."