Yahoo is releasing inactive Yahoo IDs so that users can score a better email address. This means you can finally have albert@yahoo.com instead of albert9330399@yahoo.com, for example. Sounds great, right? It’s actually a spectacularly bad idea.
In a Tumblr post, the company announced that on July 15 it will be “freeing up” Yahoo email addresses that have been inactive for a year or more. It is not just deactivating these accounts; it is going to offer the addresses to other people.
In mid-July, anyone can have a shot at scoring the Yahoo! ID they want. In mid-August, users who staked a claim on certain IDs can come to Yahoo! to discover which one they got.
This may have seemed like a good way to get people to log in again, or to convert new users to a groovy Yahoo address. But it’s a terrible idea. Almost every online service treats control of an email address as proof of identity: whoever can read mail sent to the address on file can request a password reset and take the account. Recycling addresses breaks that assumption, because the person reading the mailbox today is no longer necessarily the person who registered it. It means that people will be able to claim Yahoo IDs and use them to take over other people’s accounts elsewhere, via password resets sent to the recycled address and similar recovery flows.
For example, someone who uses a Yahoo email address solely as the backup address for a Gmail account, and thus hasn’t logged into Yahoo in a long time, is exactly the kind of user whose address will be freed. An attacker who has no interest in the Yahoo account itself could claim the address, request a Gmail password reset, and read the reset link in the new mailbox. From an active Gmail account, the same chain of events can lead to online banking accounts, social media accounts and anything else that resets through that Gmail address.
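The chain described above, as an added example that is not part of the original Wired article or anything Yahoo published: a toy model of a mail provider that frees idle addresses, a relying site with email-based password reset, and a timeline in which the attacker claims the freed address and resets the victim's password. The defence shown (refusing to send a reset link if the provider says the mailbox was reissued after the user linked it) is one illustrative mitigation, not Yahoo's; the idea of the mail provider exposing a "valid since" fact was later standardized as the Require-Recipient-Valid-Since header in RFC 7293. All names, addresses, day numbers and the 365-day idle limit are constructed for the example.

```python
# Added example (not from the Wired article or Yahoo): a toy model of the
# recycled-address takeover and one defence a relying service could apply.
# All names, addresses, day numbers and the 365-day idle limit are constructed.
from dataclasses import dataclass, field
import secrets


@dataclass
class Mailbox:
    owner: str
    created_day: int                  # day the address was (re)issued
    inbox: list = field(default_factory=list)


class MailProvider:
    """Toy provider that frees addresses idle for more than IDLE_DAYS."""
    IDLE_DAYS = 365

    def __init__(self):
        self.boxes = {}       # address -> Mailbox
        self.last_login = {}  # address -> day of last login

    def register(self, address, owner, today):
        if address in self.boxes:
            raise ValueError(f"{address} is taken")
        self.boxes[address] = Mailbox(owner, today)
        self.last_login[address] = today

    def login(self, address, owner, today):
        box = self.boxes[address]
        if box.owner != owner:
            raise PermissionError("wrong owner")
        self.last_login[address] = today
        return list(box.inbox)

    def recycle_inactive(self, today):
        """Free every address whose last login is older than IDLE_DAYS."""
        for addr in list(self.boxes):
            if today - self.last_login[addr] > self.IDLE_DAYS:
                del self.boxes[addr]
                del self.last_login[addr]

    def deliver(self, address, message):
        if address in self.boxes:
            self.boxes[address].inbox.append(message)

    def issued_on(self, address):
        """Day the current holder got the address (the 'valid since' fact)."""
        return self.boxes[address].created_day


class RelyingService:
    """A site with email-based password reset (the Gmail account in the article)."""

    def __init__(self, mail, check_reissue=False):
        self.mail = mail
        self.check_reissue = check_reissue
        self.accounts = {}  # username -> [recovery_address, linked_day, password]
        self.tokens = {}    # reset token -> username

    def create_account(self, username, password, recovery, today):
        self.accounts[username] = [recovery, today, password]

    def request_reset(self, username, today):
        recovery, linked_day, _ = self.accounts[username]
        if recovery not in self.mail.boxes:
            return "no such mailbox"
        # Defence: refuse if the mailbox was (re)issued after the user linked it,
        # i.e. whoever reads it now is not necessarily the person who linked it.
        if self.check_reissue and self.mail.issued_on(recovery) > linked_day:
            return "refused: recovery address reissued since it was linked"
        token = secrets.token_hex(16)
        self.tokens[token] = username
        self.mail.deliver(recovery, f"Password reset token: {token}")
        return "sent"

    def redeem(self, token, new_password):
        username = self.tokens.pop(token)   # single use
        self.accounts[username][2] = new_password
        return username

    def check_password(self, username, password):
        return self.accounts[username][2] == password


def run_scenario(check_reissue):
    """Play the timeline; return who can log in to alice's account at the end."""
    mail = MailProvider()
    site = RelyingService(mail, check_reissue=check_reissue)
    # Day 0: Alice gets an address and uses it only as a recovery address elsewhere.
    mail.register("alice@yahoo.example", "alice", today=0)
    site.create_account("alice", "correct horse", "alice@yahoo.example", today=0)
    # Day 400: idle for more than 365 days, the address is freed and Mallory claims it.
    mail.recycle_inactive(today=400)
    mail.register("alice@yahoo.example", "mallory", today=400)
    # Day 401: Mallory requests a reset for alice's account at the relying site.
    status = site.request_reset("alice", today=401)
    if status == "sent":
        inbox = mail.login("alice@yahoo.example", "mallory", today=401)
        token = inbox[-1].split()[-1]
        site.redeem(token, "mallory-owns-this")
    return "mallory" if site.check_password("alice", "mallory-owns-this") else "alice"


if __name__ == "__main__":
    print("without check:", run_scenario(False))   # mallory
    print("with check:   ", run_scenario(True))    # alice
```

The takeover needs nothing more than the freed address and a guess at which accounts list it for recovery, which is why the attacker never has to touch the old Yahoo account. The check in `request_reset` only works if the mail provider will answer the "when was this address issued" question; absent that, a relying site can only fall back on secondary factors such as a phone number or recovery codes.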
Nor would it be hard to discover some of these inactive addresses. You could, for example, find a dormant Flickr account, since Flickr previously required a Yahoo email address to sign up, and the account's age and inactivity are visible from its profile.
The bottom line is that unless Yahoo rethinks this policy, it is going to lead to a social engineering gold rush come mid-July. Wired has reached out to Yahoo for comment.