Yahoo! announced plans to recycle unused user IDs back in June. Though the majority of those accounts weren't attached to Yahoo! email addresses, a small percentage of the recycled IDs were attached to emails, and those were the accounts people were most concerned about. The potential for identity theft was obvious and it's little surprise that new Yahoo! users are now receiving emails meant for other users.
Amazon said in June that it was working with major web companies (including Google and Amazon) to minimize the risk of identity theft and that it would unsubscribe accounts being readied for recycling from commercial emails (newsletters, alerts, etc.). The company also said it would send emails to financial institutions, social networks, email providers, and others, notifying them that the email address was about to be recycled. It also requested that users log into their account if they wanted to keep it.
However, now that new users are all set up with their recycled IDs (the recycling process saw IDs dished out in mid-August), no fewer than three people have told Information Week of how they possess a lot more than the user ID of an old Yahoo! user. One man reported receiving Facebook emails, as well as various messages from the older user's phone provider (which included their account number and a PIN), emails regarding an investment account, and their Pandora account information.
"I can gain access to their Pandora account, but I won't. I can gain access to their Facebook account, but I won't. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor's appointment last week and I was just invited to their friend's wedding," IT security professional Tom Jenkins told Information Week. "The identity theft potential here is kind of crazy."
Jenkins isn't alone. Others have received everything from funeral announcements to airline confirmations, as well as more mundane (but still annoying) emails like newsletters and catalogs. Yahoo! told IW that it's received minimal complaints from users of these new, recycled IDs, but that it's continuing to work with companies to ensure they implement an RRVS email header in any correspondence. This would check the age of an account before delivering an email and cause messages sent to the recycled account to bounce.
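The receiving-side check that the RRVS (Require-Recipient-Valid-Since) header enables can be sketched as follows. This is an added example, not code from Yahoo! or any mail provider; the mailbox table, addresses, dates and the function name `rrvs_decision` are constructed for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data: when each mailbox was assigned to its current owner.
MAILBOX_ASSIGNED = {
    "recycled@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime@example.com": datetime(2005, 3, 1, tzinfo=timezone.utc),
}

def rrvs_decision(raw_message, recipient, assigned=MAILBOX_ASSIGNED):
    """Return 'deliver' or 'bounce' for one recipient of one message."""
    recipient = recipient.lower()
    owner_since = assigned.get(recipient)
    if owner_since is None:
        return "bounce"  # no such mailbox at all
    msg = message_from_string(raw_message)
    for value in msg.get_all("Require-Recipient-Valid-Since", []):
        # Header value has the form: address ";" date-time
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != recipient:
            continue  # malformed, or about a different recipient
        try:
            valid_since = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # unparsable date: treat the header as absent
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        # The sender last confirmed the owner at valid_since. If the mailbox
        # changed hands after that, the mail is meant for the previous owner.
        if owner_since > valid_since:
            return "bounce"
    return "deliver"  # no applicable header, or ownership is unchanged

def sample_message(recipient, confirmed=None):
    """Build a constructed test message, optionally carrying the header."""
    lines = ["From: alerts@bank.example", f"To: {recipient}"]
    if confirmed:
        lines.append(f"Require-Recipient-Valid-Since: {recipient}; {confirmed}")
    lines += ["Subject: Statement ready", "", "Your statement is available."]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    old = "Fri, 1 Jun 2012 09:00:00 -0700"
    for rcpt in MAILBOX_ASSIGNED:
        print(rcpt, rrvs_decision(sample_message(rcpt, old), rcpt))
```

A message that carries no such header is delivered as usual, which is why the protection depends on senders adopting it.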
TechCrunch reports that Yahoo! is also planning the introduction of a 'Not My Email' button that users can click when they receive an email meant for the former user (or anyone else). It also plans to reach out to users of old accounts by phone and email, extend the grace period for inactive accounts, and offer users a way to reclaim their old accounts.
Though Yahoo! is clearly working hard to mitigate the damage and reduce the risk of identity theft, anyone with an old Yahoo! account would be forgiven for feeling uneasy. It's not uncommon for folks to have a 'throwaway' email account that they use for things like newsletters or signing up for web services, and they probably don't log into those accounts very often. Now they have to worry about how many accounts are attached to that address. What's more, if someone else already has access, they need to cross their fingers that the new account holder is a decent human being and won't act on any of the new information before Yahoo! has time to rectify the situation.