Yahoo ID-Recycling Plan 'Stupid,' Say Security Experts
Yahoo's recently announced plan to recycle unused IDs has stirred up a hornet's nest in the security community, with one tech journalist predicting a "gold rush" of identity theft.
However, most of the concern revolves around email addresses, which are often tied to other accounts around the Internet and hence could be used to take over those accounts.
Yahoo insists that, in fact, only 7 percent of the potential stock of dormant IDs is tied to Yahoo Mail accounts. The rest, a company spokesman told Reuters, is for non-email Yahoo services, such as fantasy sports leagues.
"We're going to extraordinary lengths to ensure that nothing bad happens to our users," Yahoo director Dylan Casey told Reuters.
The ID-recycling plan, unveiled last week, would clean the stables of unused accounts to free up desirable ID names for current users.
"If you’re like me, you want a Yahoo! ID that’s short, sweet and memorable, like [email protected] instead of [email protected]," wrote Jay Rossiter, senior vice president of platforms, in a posting on recent Yahoo acquisition Tumblr.
"So how are we making these Yahoo! IDs available? We're freeing up IDs that have been inactive for at least 12 months by resetting them and giving them a fresh start."
Owners of dormant Yahoo IDs have until July 15 to log in and keep their IDs active. Otherwise, the dormant IDs will be released to new users Aug. 15.
Security experts pointed out that the interconnectedness of Internet accounts makes this, in the words of former Sophos security researcher Graham Cluley, "a terribly stupid idea."
"Imagine that years ago, you created yourself a Yahoo address, registered some third-party Web accounts using your new Yahoo address, but subsequently decided to use Gmail or Hotmail as your primary email account instead," Cluley said.
"So what is going to happen when you forget the password for one of those third-party Web accounts, and you ask it to send your registered email address a password reset/reminder?" he asked. "Tough luck. Yahoo has given your email account to someone else, and potentially they might be able to get up to mischief with your other Web account."
Such a scenario did in fact happen to Wired writer Mat Honan, whose entire online life melted down in August 2012 when hackers tricked Apple into revealing his Apple ID, then leveraged that to take over his Google and Twitter accounts as well.
Honan, too, had few kind words for the Yahoo scheme, calling it "a spectacularly bad idea."
"Someone who uses a Yahoo email address solely as a backup for Gmail, and thus hasn't logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address," Honan wrote. "You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like."
"Unless [Yahoo] rethinks this policy," Honan concluded, "this is going to lead to a social engineering gold rush come mid-July."
In response to Honan, the company outlined steps it would take to deter identity theft.
"We will have a 30-day period between deactivation and before we recycle these IDs for new users," Yahoo's statement said. "During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.
"Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties."
That sounds nice, but hardly foolproof. Casey conceded as much to Reuters.
"Can I tell you with 100 percent certainty that it's absolutely impossible for anything to happen?" he said. "No."
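How a relying site (one of the merchants, social networks or financial institutions named in Yahoo's statement) could act on a deactivation notice or a bounce before sending a password-reset mail to a recovery address: an added illustration written for this page, not code from Yahoo or from the article. The notice line format, the field names, and the rule that a recovery address unconfirmed for more than 12 months must be re-verified are all assumptions made for the example.

```python
"""Defender-side model of a password-reset gate for a site that uses an
external mailbox (such as a Yahoo address) as its account-recovery channel.

Assumptions for this illustration: deactivation notices arrive as
'address,ISO-timestamp' lines, and a recovery address not confirmed within
the last 365 days must be re-verified. Neither is Yahoo's real format or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    username: str
    recovery_email: str
    email_verified_at: datetime  # last time the user proved control of the mailbox


class RecoveryGuard:
    """Records provider deactivation notices and bounces, then decides whether a
    password-reset link may be sent to an account's recovery address."""

    REVERIFY_AFTER = timedelta(days=365)  # assumed: mirrors the 12-month dormancy rule

    def __init__(self):
        # lower-cased address -> time we learned the mailbox was deactivated
        self._deactivated = {}

    def ingest_notice(self, line):
        """Parse one constructed notice line of the form 'address,ISO-timestamp'."""
        address, when = line.strip().split(",", 1)
        self._deactivated[address.lower()] = datetime.fromisoformat(when)

    def record_bounce(self, address, seen_at):
        """A bounce during the provider's 30-day grace window is evidence of
        deactivation; keep the earliest evidence we have for the address."""
        self._deactivated.setdefault(address.lower(), seen_at)

    def reset_decision(self, account, now):
        """Return 'block', 'reverify' or 'send' for a password-reset request."""
        deactivated_at = self._deactivated.get(account.recovery_email.lower())
        if deactivated_at is not None and deactivated_at >= account.email_verified_at:
            # The mailbox was deactivated after we last confirmed ownership, so a
            # reset mail could reach whoever holds the recycled address now.
            return "block"
        if now - account.email_verified_at > self.REVERIFY_AFTER:
            # Stale verification: confirm the mailbox is still the user's first.
            return "reverify"
        return "send"


# Constructed sample notice feed and bounce, not real data.
NOTICE_FEED = [
    "dormant.user@example.com,2013-07-16T00:00:00",
]


def demo():
    """Run the gate over four constructed accounts and return each decision."""
    guard = RecoveryGuard()
    for line in NOTICE_FEED:
        guard.ingest_notice(line)
    guard.record_bounce("forgotten@example.com", datetime(2013, 7, 20))
    now = datetime(2013, 8, 16)
    accounts = [
        Account("alice", "dormant.user@example.com", datetime(2012, 1, 5)),  # recycled
        Account("bob", "forgotten@example.com", datetime(2013, 3, 1)),       # bounced
        Account("carol", "old.verify@example.com", datetime(2012, 2, 1)),    # stale
        Account("dave", "fresh@example.com", datetime(2013, 6, 1)),          # fine
    ]
    return {a.username: guard.reset_decision(a, now) for a in accounts}


if __name__ == "__main__":
    for user, decision in demo().items():
        print(f"{user}: {decision}")
```

The gate compares the deactivation time against the account's own last verification time rather than simply blacklisting the address: if the legitimate user re-confirms the mailbox after the notice, resets resume, while an address that changed hands after the last check is never trusted with a reset link.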
There is, perhaps, an obvious solution.
If the security concerns are mainly with the Yahoo IDs tied to Yahoo Mail addresses, and such IDs are truly only 7 percent of the potential stock of dormant IDs, then why doesn't Yahoo remove IDs tied to Yahoo Mail addresses from the pool of recyclable IDs altogether?
That way, Yahoo would have 93 percent of what it needs — and there wouldn't be much of a downside.
TechNewsDaily reached out to Yahoo for comment. In response, a Yahoo representative sent us the same statement the company had previously given to Honan.