What Happens to Inactive Email Accounts?
If you have an email account that you've not logged into for quite a while, it could go poof, and possibly be re-assigned to someone else. That might make sense, but the way that Yahoo is handling their recent announcement about inactive accounts has some people shaking their heads in disbelief. Find out why hackers and scammers are rejoicing, and what this means for you...
Is Yahoo Going to Recycle Your Username?
On June 12, 2013, Yahoo announced plans to recycle Yahoo IDs whose users have not logged in for over a year. The reclaimed IDs will be made available for newcomers to register on July 15. This housecleaning should be no big deal, but Yahoo handled its announcement so poorly that it’s created unnecessary alarm and criticism based upon unfounded speculation. The result has been a gigantic public relations backfire for Yahoo.
Mat Damon, a Wired Magazine writer who’s been traumatized by ID theft, immediately hit the panic button. He wrote, in part:
“It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods. For example, someone who uses a Yahoo email address solely as a backup for Gmail, and thus hasn’t logged into it for a long time, would be vulnerable to having that address taken over by a malicious individual who only wanted to ultimately get into the active Gmail address. You can see a chain of events where that could lead to taking over online banking accounts, social media accounts and the like.”
Note that Damon assumed a Yahoo ID is a Yahoo email address. In fact, a Yahoo ID can be any username, without the domain "@yahoo.com" attached. In a response to Damon and other critics, Yahoo revealed that only 7 per cent of Yahoo IDs have a Yahoo email address associated with them. Yahoo also explained some extraordinary steps it is taking to reduce the possibility of exploits such as Damon vaguely describes, and some that he didn’t; that statement reads in part:
“Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder. To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.”
Yahoo might have avoided a lot of backlash by explaining all of the above in its first announcement; instead, the company hyped only the positive (“Hey, you can get a shorter, catchier Yahoo ID!”) and failed to address obvious questions like, “What happens to my stuff?” That was dumb.
The followup explanation only gave security wonks more ammunition after they were put in the mood to take shots at Yahoo. The company will never be able to contact all of the firms that may have a user’s email address, they say. They say that if Yahoo gives to “hundreds of millions” of third parties a list of Yahoo email addresses that are vulnerable to exploitation, what are the odds that someone with nefarious intent will get that handy list?
The Too-Nice Landlord
Yahoo’s third mistake was to assume this massive responsibility for protecting inactive users. That’s far above and beyond the call of duty, and a source of potential liability.
Imagine yourself abandoning a rented home, providing no notice to your landlord, paying no rent for a year, leaving all your stuff behind, and failing to file a change-of-address notice with any of your correspondents. What is the landlord’s duty to you? None; he can throw away your abandoned stuff and any new stuff that arrives in the future. He doesn’t even have to write “return to sender” on mail and hand it to a postman.
But if your landlord states in writing that he will file change-of-address forms for you, he’s potentially liable for failure to file even one if that failure results in damages to you. That’s why you will never get such an offer from a landlord with an ounce of brains!
How Do Other Email Providers Handle Inactive Accounts?
Other email and Web service providers have policies that allow them to reclaim inactive accounts. Microsoft claims the right to deactivate accounts after 270 days of inactivity. Google gives you nine months, effectively the same as Microsoft. AOL will deactivate accounts after just 90 days of inactivity. You then have a 30-day grace period, after which AOL will delete all your stored messages, photos, etc.
None of them make any promises to protect you against the potential consequences of account deactivation. They don’t publicly announce plans to deactivate accounts. It’s just quietly done on a case by case basis (if it’s done at all).
If you haven’t logged in to your Yahoo account in over a year, do so before July 15 and it will remain active. That said, Yahoo may be failing to let inactive account holders reactivate. Upon reading of this recycling plan, I went to Yahoo.com and tried to log in by guessing my ID and password. It appeared that I guessed correctly.
“We need additional information in order to reactivate your account,” the next page said. So I answered some simple security questions. The response was,
“Success! We are initiating the process of reactivating your account…” That’s not my idea of “success” in reactivating my account; more like, “We’re working towards success.”
Now, more than a week later, I still cannot log in to Yahoo using the ID and password that I guessed and Yahoo apparently confirmed were valid. I get, “Invalid ID or password.” But apparently my ID is registered with Yahoo. A variation of it yields a different message: “That ID is not yet taken.” So is the “invalid” ID mine, or is it someone else’s with a different password?
Oh, well; I can’t even remember why I got a Yahoo ID, if I did. I can’t see why I would want one now. The company seems to be a total shambles. Marissa Mayer, Yahoo’s new CEO, may be missing her old job at Google.
Got something to say about this topic? Post your comment or question below...
This article was posted by Bob Rankin on 25 Jun 2013
|For Fun: Buy Bob a Snickers.|
SnapChat and Your Personal Privacy
The Top Twenty
Geekly Update - 26 June 2013
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- What Happens to Inactive Email Accounts? (Posted: 25 Jun 2013)
Copyright © 2005 - Bob Rankin - All Rights Reserved