Yahoo! Recycled Email Exposes User Data

Yahoo! of my eye

A few months ago when Yahoo! announced plans to “recycle” email addresses which had seemingly been long abandoned, some people rejoiced and others cringed.

Rejoicers included those who saw the opportunity to grab a unique “whatever@yahoo.com” email address – maybe something very distinct or identifying to them personally, like “bob.smith”, but long taken by someone else. Getting a straightforward user name at a major online service is something typically reserved for early adopters, employees and other cool cats. This was exactly the angle Yahoo! presented to users as its reasoning for the change.

Seemingly, Y! had a well-thought-out process in mind – covering everything – including working with email technology firm Return Path, which provided information for commercial mailers and marketers on how to deal with the situation.

The best-laid plans, however… Kristin Burnham at InformationWeek is one of the first to report issues with “mis-directed” mail arriving at the newly reassigned accounts.

Hat tip to @EmailKarma for the heads up on this one.

In short – it appears that Yahoo! mail users who, for whatever reason, had long ceased accessing their Yahoo! mail accounts are still receiving mail at those accounts. Yahoo! apparently considered patterns of access to the messages to determine inactivity, but possibly not so much – or not at all – the actual mail traffic flowing to (or from) the account.

As InformationWeek reports, a number of folks pointed out the potential for this data sharing.

Yahoo! reportedly was prepared to address these issues, indicating:

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Apparently their identification of messages as commercial is falling short. The latest report I’ve seen, from Bryan Bishop at theverge.com, is that Yahoo! is creating a “not my mail” button for users to report the misdirection. I'm not sure how that addresses access to the messages by miscreants, but it’ll help the nuisance factor for good actors.
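From the sender's side, the bounce-back period in Yahoo!'s statement is the only signal that an address is about to change hands. The sketch below is an added example, not code from this post, Yahoo! or Return Path; the log format, the `verified` map and the function names are all hypothetical. It flags any address that hard-bounced after its owner last confirmed it, and does not clear the flag when delivery later resumes.

```python
import re
from datetime import date

# Constructed sender-side delivery log: date, recipient, SMTP reply. Not real data.
SAMPLE_LOG = """\
2013-07-01 bob.smith@yahoo.com 250 2.0.0 OK
2013-07-20 bob.smith@yahoo.com 550 5.1.1 user unknown
2013-07-21 alice@example.org 452 4.2.2 mailbox full
2013-09-02 bob.smith@yahoo.com 250 2.0.0 OK
"""

LINE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\S+) (\d{3}) (\d\.\d+\.\d+)")


def suspect_addresses(log, verified):
    """Return {address: date of first permanent bounce} for addresses that
    hard-bounced after the owner last confirmed them.

    `verified` is a hypothetical map: address -> date the customer last
    proved control of it (for example from inside a logged-in session).
    """
    suspect = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        y, mo, d, addr, _code, status = m.groups()
        when, addr = date(int(y), int(mo), int(d)), addr.lower()
        # Enhanced status class 5 is a permanent failure. Class 4 is
        # transient (full mailbox, greylisting) and says nothing about
        # who owns the mailbox.
        if status.startswith("5.") and when > verified.get(addr, date.min):
            suspect.setdefault(addr, when)
        # A later 250 is deliberately NOT treated as recovery: once the
        # address is recycled it accepts mail again, for a new owner.
    return suspect


def may_send(addr, suspect):
    """Hold all mail (password resets, statements, newsletters) to a suspect
    address until the customer re-verifies it."""
    return addr.lower() not in suspect
```

Only a fresh entry in `verified`, dated after the bounce, removes an address from the suspect set.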

For me this is a bit reminiscent of the AOL Search Data release – an event in 2006 which is notorious enough to have its own Wikipedia page. In that case, AOL voluntarily released “anonymous” search data for public benefit – however, while it seemed anonymous as individual entries with seemingly meaningless numerical ID numbers, the combination of the data through analysis led to identification of individuals.

This led to an eventual Class Action Settlement.  The released data continues to live on the interwebs through numerous mirrors.

This Yahoo! issue is going to be interesting to watch as it unfolds.

