Yahoo's recycled ID system throws up security troubles

Ever since Yahoo! announced it would be recycling old, unused IDs with the aim of luring in new users, the tech world had been skeptical about how well the system would work. Turns out, their fears were not unfounded after reports have emerged that there are severe security problems with the recycled ID system.

A report by Information Week details accounts of users who opted in to take over recycled IDs, only to receive emails meant for past owners of the address. While common emails from marketing accounts and social networking websites didn’t pose that much of a security threat, some users revealed that they received emails with bank account details, PIN numbers, social security numbers and more.

Sitting on a time-bomb

A Yahoo! user who opted to have a recycled email address, Tom Jenkins gave a chilling description of how this procedure exposed details of past owners. “I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number,” he says. “I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”

Yahoo! does try to set up measures before handing over a recycled ID to a new user. It unsubscribes the account from all mailing lists but there is a great possibility that emails addressed by regular users to the email ID will still go through, despite the 30-day deactivation period.

On the other hand, realising that this problem could only mushroom into something bigger, Yahoo! seems to be making amends. According to a TechCrunch report, the company is all set to unveil the “Not My Email” button for users of recycled IDs. When hit on a particular email, it will train the system to funnel out such mails from the inbox.

While this is all good, it raises the alarming question of whether refurbishing old email IDs is a smart move in the first place. While Yahoo! seems to be going to “extraordinary” lengths to ensure wrong emails do not end up in new inboxes, the system is not watertight and leaves room for error. It could very well be a disaster waiting to happen.