I have a month to compile a list of the most popular first and last names and popular e-mail names and get a bot ready to register them all.
Once registered, I can then attempt password recovery for these @yahoo.com email addresses at the most popular web sites across the Internet that rely on established identities (ebay.com?).
If [email protected] ever used his yahoo id to register an account on EBAY.com, or with another online service, now is my chance to try to steal his online accounts by requesting password resets on these services and assuming his identity.
Now, to build a bot that will do this thousands of times!
Sites with 2 factor authentication may be immune to this, but these identities will now be unrecoverable to somebody who has used his @yahoo address as his recovery e-mail address, even if he doesn't check it often.
You're absolutely right. Other services view email as non-transferable (the "recover my password" feature of almost every website with a login ever is evidence of this). Think of what someone could do if they had access to your email account, even if it's one you haven't used in years.
Someone could turn my life upside down if they had access to the hotmail account that I use to sign up for services that I know will spam me.
The people that work at Yahoo are not stupid. They will surely have a process in place to prevent a single person from sucking up all the short/popular email names.
Even if that person wasn't doing it for nefarious purposes that would completely defeat Yahoo's whole goal here of getting these names in the hands of users who actually want to use them.
This is a terrible idea. People will be able to claim Yahoo IDs and use them to take over other people’s identities with a few password resets. I have a Yahoo email address simply as a backup for GMail. Just because I don't sign in very often doesn't mean that it is safe to hand over to someone else!
This is a fantastic idea, and I wish other services (I'm looking at you Twitter) would follow suit. Your Yahoo ID becomes a part of your identity when using their service, so it seems reasonable that people will feel happier and be more inclined to use Yahoo's stuff when they have an ID that they feel good about and aren't embarrassed to share with their friends.
I went to sign up for Twitter and found that my usual username was taken by someone with exactly one tweet, from 4 years ago! It's definitely frustrating.
Let me be the only one who thinks this is actually not a bad idea. I have a very typical name, very commonly used, and on almost every popular email service (gmail, hotmail, yahoo), I've tried registering a few varieties of my [email protected] or even [email protected] and it's almost always taken.
If you think your identity could be stolen because of an unused email address, it might be your fault that's going to happen. Why would you register with an inactive email address and not check it? Email addresses seem like the main way for most people to log in; if you have multiple, you must at least check them for something once every six months.
This announcement only says that they will remove those that haven't logged into their account in the last 12 months. Seems like a very long time in internet time.
In 2002 I made a paypal account with my yahoo email address. I attached my bank account to it, the same one I still use.
I haven't used that paypal account or that email address in years. A while back I realised the folly of this and removed as much information as I could from the account.
But, what if I'd just forgotten about it? Now anyone who registers my (common) yahoo email, attempts a password reset on the popular websites, can drain my bank account.
If this isn't the sign of a product with declining use, I don't know what is. Of course it isn't news that few people use Yahoo mail anymore, but the fact that it's worth it to Yahoo to turn those emails off is interesting.
This is way worse than just disabling unused old accounts and, say, deleting emails stored there.
Yahoo is going to "resell"(1) these accounts. This will create all kinds of privacy problems, and potential for abuse: gaining access to other services through resetting passwords there, impersonating users, people receiving private communications not intended for them, etc.
And all this for what purpose? To give a few lucky ones a coveted email address like [email protected] instead of [email protected]?
(1) "Resell" is not quite the accurate word here as they are going to give it for free, but I can't come up with a better word.
Maybe. My perspective is that Yahoo! did some research on why people left, stopped using, or never considered Y! as their mail service. I presume one of the responses is that people dislike non-vanity addresses. Instead of [email protected], the only variations that remain include thomasted110@ or tedthomasemail@. Ugh.
A simple query would show that these vanity addresses are sitting stagnant. A touch of PR and awareness instills or revives interest.
I think an optimistic view is that Yahoo! is willing to cut the fat and take chances on reuniting strayed in addition to inviting new users.
Yahoo Mail was my first mail 15 years ago. But the product hasn't evolved much yet. In my opinion, Yahoo lacks the proper agile culture where products evolve gradually (like Google products). Look at Yahoo Groups, feels like 1999...
So they can buy start-ups all they want, Yahoo has a cultural problem. Definitely, at least if they want to look relevant.
I'm now terrified about what 7-year-old accounts I have that used an @yahoo for password resets. Bank: clear. Facebook: clear. Gmail: clear. Guess it won't be too bad.
I thought about snagging something short and nice (like my initials) just for kicks, but...am really not sure what I'd do with the account after I had it.
I logged in and, after re-activating my long dead email address, was greeted by two full height tower animated banner ads. I clicked around for a few seconds and got a nearly full screen animated ad. Yep, now I remember why I stopped dealing with Yahoo.
I feel conflicted about this. On one hand, I haven't logged in to my yahoo account for several years so I clearly don't "need" it but on the other I don't want to have someone steal my username. I think the fact that yahoo is so desperate to get people back on their platform that they're willing to resort to this tactic should be very unsettling to anyone with a vested interest in the company as a long term investment.
Yahoo should be desperate. After fading into irrelevance for the past decade they need to make unusual/risky decisions to have any hope of turning that around.
Any recommendations on how I can identify any accounts that I've registered on Yahoo over the years? I don't think that I've sent anything important to them that would still be emailing sensitive information, but can't be sure - as I never planned for the scenario in which they'd essentially turn access to my email over to a third party.
What's much much worse than the spam from the original account holder is the fact that you might receive private personal communications from them. E.g. some long-lost friend could conceivably have you in their address book and choose to get back in touch.
Also, what about other accounts on the web that are linked to the email address? Many web sites allow you to reset your password by proving that you own the email address a user was originally registered with.
This seems like a spectacularly bad idea on Yahoo's part. I can't make any sense of it.
A few years ago Yahoo! erased my mail account because I hadn't logged in for 3 months. It was my secondary mail account, so in some periods I didn't use it. It happened twice! After the second time I never bothered to create the email account again, I went to Gmail. They continue to do this kind of thing, so it's difficult to trust Yahoo!.
Unused Yahoo ids are going to be recycled. Yahoo Mail is just one of the services tied to your Yahoo id. Just sign in to Yahoo with your Yahoo id to save it and your email from being recycled.
I wonder if this could lead to an open invitation for people to hack into accounts based on services that use your email address as a primary key for your identity.
e.g. Joe Public hasn't logged into [email protected] for a year because he has taken a year off to live in a Buddhist monastery. So Eve goes in and signs up for that address, without any malicious intent.
Fast forward to a week later, when Eve signs up for CatNip, a website for sharing cat pictures. It says "You are already signed up for this service. Click here to send a password reset link to your email!" Eve can't resist the allure, and clicks through.
One click later, Eve has access to all of Joe Public's cat pictures on CatNip. (Even though she didn't really sign up for the address with the express intention of getting them.)
This is a great strategy for gaming systems, a terrible strategy for accounts used as identity management and password recovery vectors.
Let's say [email protected] used this email address long ago as his ebay recovery address, but really doesn't use his @yahoo account any more. I can register [email protected], and use ebay's account recovery option to assign the ebay account a new password for an ebay account I have now stolen.
This scenario isn't possible with an online game account name, as game accounts aren't used to recover bank passwords or other important account passwords.
midnitewarrior | 12 years ago
austenallred | 12 years ago
ryandrake | 12 years ago
2. Claim as many of those E-mail addresses as you can
3. Hold your newly acquired domains hostage for $$$
harryh | 12 years ago
weaksauce | 12 years ago
joshfraser | 12 years ago
b_emery | 12 years ago
nsmartt | 12 years ago
purephase | 12 years ago
brianwillis | 12 years ago
michaelmior | 12 years ago
nkorth | 12 years ago
numbers | 12 years ago
cecilpl | 12 years ago
austenallred | 12 years ago
tagold | 12 years ago
timmins | 12 years ago
camus | 12 years ago
tsm | 12 years ago
purephase | 12 years ago
I think the title of this post could be amended to make it a little more reflective of the actual post.
fps | 12 years ago
daimyoyo | 12 years ago
pdb123 | 12 years ago
neilkelty | 12 years ago
neilkelty | 12 years ago
humbledrone | 12 years ago
gus_massa | 12 years ago
nano111 | 12 years ago
laureny | 12 years ago
Regular: [email protected]
Password recovery: [email protected]
darrenkopp | 12 years ago
ebabcock1 | 12 years ago
Esifer | 12 years ago
parennoob | 12 years ago
MostAwesomeDude | 12 years ago
midnitewarrior | 12 years ago
neilkelty | 12 years ago