|Sat June 15 2013 15:56:29|
Yahoo Email Policy Poses Risk to eBay and Etailers
By: Ina Steiner
Haven't logged in to your Yahoo email account in the past year? You're at risk of losing the account, as Yahoo is expiring inactive email addresses. But as inconvenient as it may be for users to lose their Yahoo identity, it could also pose a major security risk to users, especially in the world of ecommerce, since Yahoo will give those expired email addresses to someone else - as early as August 15th.
Companies such as eBay allow users to recover their User IDs as long as they have their email address, and then similarly retrieve their passwords. It seems quite feasible that users who signed up to eBay (or other etail sites) with a Yahoo email address could find third parties hijacking their accounts if they haven't signed in to their Yahoo accounts lately.
And since many people use the same password across multiple services, this leaves them vulnerable to multiple account takeovers.
What about services and shopping sites that require users to answer security questions to retrieve passwords? In this age of social networking sites, many of the answers to those questions can be easily found on Facebook (in what city were you born, what's the name of your pet, what's the name of your first child, ...).
Yahoo is giving inactive accounts only a month to sign in to reactivate their account. If they miss the July 15th deadline, a new user could claim their ID just one month later. We're waiting for a response from Yahoo's public relations department, but it told USA Today that it would shut inactive accounts for 30 days before releasing them to new owners "and will unsubscribe the accounts from commercial e-mail. All incoming e-mails will receive bounce-back messages."
Do companies like eBay, Amazon.com and online merchants automatically deactivate an account if they receive a bounce-back message? It seems hardly likely, and it's not a given that a retailer or marketplace would send all of their users an email between July 15 and August 15. Some users also set their preferences so they don't receive marketing emails from etailers and marketplaces.
Asked about the Yahoo policy on Friday, eBay spokesperson Ryan Moore said, "We're reviewing their actions to determine what, if any, changes need to be made to ensure we maintain a trusted and safe eBay marketplace."
Asked whether eBay removes User IDs after a certain period of inactivity, and if so, what length of time that is, Moore said he would have to get back to me next week, and promised to share further information as it becomes available.
Yahoo Mail doesn't exactly have a sterling reputation when it comes to security. The Telegraph reported at the end of May that BT dumped Yahoo as an email provider to its six million broadband customers "following months of customer complaints over hacking."
A search of Twitter on Saturday shows a surprising number of users complaining that they can't log in to their Yahoo account because it's asking security questions to which they don't know the answer.
An employee of the ecommerce arm of a brick-and-mortar retailer told EcommerceBytes they've been strategizing on how to deal with the security risks Yahoo's new policy is posing, as a number of their customers have signed up with Yahoo email addresses, but the employee would not go on the record.
The problem that expired email addresses pose to sites like eBay isn't a new one, but in the case of Yahoo emails, it promises to be of a scale never seen before. In 2003, we wrote about a similar danger posed to eBay users.
We'd purchased a domain name that had recently become available after its original owner let the registration expire. After activating the domain and setting up a mailbox, we began to receive hundreds of Spam messages addressed to former employees of the site - over 20 different email addresses in all.
Copying and pasting some of these email addresses into eBay's "Search by Seller" search box allowed us to pull up IDs of people who had previously worked for the site originally owning the domain name. These employees had never bothered to change their contact email address on eBay when the company dissolved.
In its rather perky announcement last week about the new policy, Yahoo wrote, "we want to give our loyal users and new folks the opportunity to sign up for the Yahoo! ID they've always wanted." You can read the full announcement on Yahoo's Tumblr page.