CC photo by Darwin Bell

The Ghost Messages of Yahoo’s Recycled IDs

Without some policy to reclaim them, good usernames are a dwindling non-renewable resource. But re-using names is not without risks.

Eva Chan knows the value of a good username. She’s had @EC on Twitter “longer than Twitter has had vowels.” So when Yahoo started offering recycled user IDs, she put a few names on her wishlist. A little later, Yahoo gave her one of those names.

Then she started getting emails about a stranger’s cancer.

On the Internet, good names are precious. Within every namespace—whether it’s a new top-level domain, social network, web forum, email provider, or other service—one of the big benefits of being an early adopter is you can pick a cool monicker. Late adopters find themselves living with something horrid like sallysmith234 or buying a good name from someone else, as when Mark Zuckerberg paid $75,000 for

At the same time, all services experience user churn, and some of those people with great names go away and never come back. There are plenty of great Twitter IDs belonging to people with zero tweets and an egg for a user image. There are lots of defunct Tumblrs with great URLs gathering digital dust.

Without some mechanism to re-claim them, usernames are in effect a non-renewable resource. The longer a service is around, the more great names are taken and the more of those are dormant or dead. People have been signing up for Yahoo IDs since 1997.

Your username is how we personalize your experience across Yahoo! including Mail, Flickr, Fantasy Sports among others. And, so it’s probably as important to you as it is to us. ~Yahoo!

In an effort to address this problem, Yahoo recently announced they’d be making defunct usernames available to users like Chan who filled out a wishlist. “Over the years a lot of people have created Yahoo! usernames that they’re no longer using,” says Dylan Casey, Senior Director, Platforms at Yahoo. “We want to reclaim that valuable namespace so that we can free it up for loyal and new users.”

The process began in June when they announced they’d be resetting IDs that had been inactive for a year. In July, they opened a wishlist to the public and on August 26, they started handing out the freed-up IDs. For those late to the party, there is now a username watchlist. For $1.99, you can list up to five dream Yahoo IDs. If one becomes available, Yahoo will transfer it over to you, first come, first served.

“When it comes to technology, I’m naturally curious,” says Chan. “So, when Yahoo sent out the Yahoo ID recycled email sign up program, I put in a couple of user IDs on my wishlist and forgot about it.”

An account is deemed inactive if a user has gone a year without ever logging in, Casey says. A notification is sent to the account one month prior to the anniversary to warn users that they’re about to lose the name.

Yahoo acknowledges that there may be some privacy concerns with turning over old IDs to new users. Their main worry is people who rely on old addresses for account security with other services. They’ve created a new email header standard, “Require-Recipient-Valid-Since”. The idea is that if services like Facebook implement the standard, when someone with an old ID that’s been given to a new user tries to reset their password, Yahoo will be able to match the dates with the header and reject the message, letting the service know they need to find another way to communicate with their wayward user.

Facebook has implemented the new standard, Casey says, as have other companies like PayPal and LinkedIn. Assuming they can get the rest of the Internet to sign on, Yahoo’s measures may protect services from sending password resets to a transferred account, but there is still the problem of regular email.
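A receiving-side sketch of the date check described above, added here as an illustration and not Yahoo's implementation. The `address; date` value format follows RFC 7293; the addresses, the ownership table and the fail-closed handling of an unreadable date are assumptions of this example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed data: when the *current* owner of each mailbox took it over.
OWNER_SINCE = {
    "recycled@example.com": datetime(2013, 8, 26, tzinfo=timezone.utc),
    "longtime@example.com": datetime(2004, 3, 1, tzinfo=timezone.utc),
}
HEADER = "Require-Recipient-Valid-Since"

def make_message(to, rrvs=None):
    """Build a constructed sample message, optionally carrying the header."""
    lines = ["From: accounts@service.example", f"To: {to}",
             "Subject: Password reset"]
    if rrvs:
        lines.append(f"{HEADER}: {rrvs}")
    return "\n".join(lines) + "\n\nReset link follows.\n"

def rrvs_decision(raw_message, owner_since=OWNER_SINCE):
    """Return ('deliver' | 'reject', reason) for one incoming message."""
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        address, _, date_text = value.partition(";")
        address = address.strip().lower()
        if address not in owner_since:
            continue  # not a mailbox this table knows about
        try:
            asserted = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            # This example's choice: fail closed if the date cannot be read.
            return "reject", f"unreadable date for {address}"
        if asserted.tzinfo is None:
            asserted = asserted.replace(tzinfo=timezone.utc)
        # Ownership began after the date the sender vouches for: new owner.
        if owner_since[address] > asserted:
            return "reject", f"{address} changed hands after sender's date"
    return "deliver", "no ownership conflict asserted"

if __name__ == "__main__":
    june = "Sat, 1 Jun 2013 09:23:01 -0700"
    for to, rrvs in [("recycled@example.com", f"recycled@example.com; {june}"),
                     ("longtime@example.com", f"longtime@example.com; {june}"),
                     ("recycled@example.com", None)]:  # ordinary mail, no header
        print(to, rrvs_decision(make_message(to, rrvs)))
```

The third case is delivered to the recycled mailbox because the sender supplied no header, which is the gap for ordinary email that the article goes on to describe.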

“As part of this recycling process, if an inactive account is listed within a Yahoo! address book, it is automatically removed when the account is recycled,” says Casey. “This is so that we can ensure that email is sent to the intended recipient. Any other information such as phone numbers, mailing addresses, or alternate email addresses within the contact remains.”

The issue is that Yahoo’s reach only extends to people who are using Yahoo as their address book provider. If someone using, say, Gmail has an entry listing an old Yahoo address, mail could go to an unexpected recipient. In fact, it already has.

“The day after I received my new Yahoo recycled ID, I received an email that was for the old user,” says Chan. “It was an email for a small circle (I think about 5 people) that had updates about a relative’s cancer status.” Shortly after, she says, her account was BCC’d on a thank-you note from a job interviewer. “This email had salary negotiations, and showed that the interviewee listed the old [username] as a professional reference.”

“That is extremely alarming and demonstrates why recycling accounts is a very bad idea,” says Eva Galperin, Global Policy Analyst with the Electronic Frontier Foundation.

If people have your old address, no technical solution will prevent this kind of problem, she says. “There is no way of getting around that if they’re recycling old accounts. If people have old emails for you, they’re going to continue to send things to that address.”

Fail yahoo of the day: mortgage sent to my new yahoo ID cuz recycling. Had passport information,address aka a blackhats wet dream. ~@Tojan7Sec

Galperin says users should be careful about what they use their Yahoo accounts for, and that they should be extremely cautious about ensuring that their address is updated with everyone who might communicate with them before letting the account go dormant.

“After my experience receiving someone else’s mail,” Chan says, “I can’t imagine myself ever using the new Yahoo ID for any personal communications or to sign up for anything, ever.”

Now she’s in a Catch-22. She doesn’t want to use Yahoo, but if she cancels her account then her username will become available for someone else to take and possibly accidentally intercept communications meant for her. “So, I’m stuck logging into a Yahoo account at least once a year, or else I’ll lose some comfort over my own sense of privacy.”

How big a problem this might be is hard to say. Yahoo doesn’t disclose how many Yahoo IDs there are, nor how many names are on the watchlist, nor how many have been transferred so far. But given that the top 100 requests were largely for first names, the possibility of further mistaken identity seems high.

Galperin says she understands that Yahoo is trying to rebuild engagement and lure people back to the brand but this is not the way to go. “It’s at the expense of a tremendous risk to people’s privacy and security,” she says.

As for how Yahoo might address this problem, Galperin is unequivocal. “I think Yahoo should not have recycled accounts in the first place. They should stop immediately.”
