Within many organisations offering online services to the public, there must be a great temptation to expire redundant user accounts that occupy desirable user IDs but which are never used by their users. Presumably the user IDs have been registered by someone, used on a couple of occasions, and then forgotten about. Expiring and recycling these user IDs and offering them to new users allows the organisation to better manage the quantity of unique User IDs, and also allows new users to potentially own the user ID that they desire.

On 20th June, Yahoo! announced that they will be expiring user IDs that have been unused for over 12 months in order to offer them to users.

you want a Yahoo! ID that’s short, sweet and memorable, like albert@yahoo.com instead of albert9330399@yahoo.com”, described Jay Rossiter, SVP of Platforms at Yahoo! [1].

Yahoo! is not the only webmail provider that expires inactive users and recycles their email addresses. Recently, researchers at Rutgers University identified that Hotmail also reissues email addresses that have been dormant for some time [2]. Yahoo! should be applauded for publicly raising the issue, describing their criteria for expiring accounts, and calling for users to access their accounts if they wish to prevent this happening.

Webmail providers will almost certainly delete all private data from the account and provide a period where received messages to the terminated account are bounced back to the sender before the account is reallocated. However, this assumes that the email address that the bounce message is sent to is both valid and monitored. If this is not the case, then the sender of the email will not be able to update their records, and the new owner of the account will continue to receive the emails of the previous holder.

It is easy to imagine a scenario where someone uses their webmail account as the email address for a web service, such as social networking, but rarely receives email and rarely checks the account. The account expires, and is allocated to someone else who can now take over the previous owners social network account by resetting the password to the email account that they now control.  Indeed, the paper from Rutgers showed how such an attack could be used to compromise large numbers of social network users [2].

Currently, operators of web services are able to assume that email addresses are assigned to single individuals and remain associated with the same person. This has important implications for data privacy. Operators can legitimately argue that they are fulfilling their legal obligations under article 17 of the EU Data Protection Directive to prevent “unauthorized disclosure or access” to confidential data [3], by resetting passwords to registered email addresses, since the email address can be assumed to be under the control of the individual who created the account. However, if this is no longer the case and it becomes common practice for providers of email services to reallocate email addresses, then providers of web services must rethink how they distribute passwords and allow access to private data or potentially fall foul of data protection laws.

Much current practice on the web for resetting passwords assumes that users protect their email addresses and that the owner of an email address is still the same person who registered to use a service. Changing this assumption puts an onerous burden on developers to reconfigure how passwords are reset and to rethink the information can be sent to an email address.

Yahoo! may have anticipated such an issue, according to Wired’s Matt Honan, Yahoo has responded the concerns by promising:

Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties”[4]

But this raises further questions: In what format will these notifications be sent? Will providers be able to change registered email addresses without the consent of the account owner? How will providers authenticate that these notifications are genuine? How will the webmail provider know what other providers to notify and be certain that they have notified all relevant providers? Do such notifications breach the expectation of privacy of the previous owner of the account?

Within the anti-spam community, expired domain names are sometimes repurposed as honey pots for the collection and study of spam emails. To prevent legitimate email being sent to the previously used email addresses at the domain, messages are rejected over a prolonged period of time, often in excess of several months before the domain and all the email addresses are repurposed. Nevertheless, legitimate messages are still often sent to spam trap domains despite much effort in dissuading the senders. This demonstrates just how difficult it can be to inform legitimate senders that email addresses are no longer valid.

Providers of internet services need to consider methods of giving access to confidential information other than assuming that the current owner of a previously registered email address is always allowed full access. Many providers require users to answer a series of previously chosen questions before resetting a password, or may send a password reset request as a SMS message to mobile phone number. In any case, providers need to be able to justify that they have considered the fact that a registered email address may have been recycled and is now used by a third party.

In conclusion, what seems at first glance to be a good way of managing unused accounts may have wider effects in changing the assumption that the owner of an email address never changes. Many websites rely on this assumption to maintain the privacy and the confidentiality of the user data that they hold. Recycling email addresses may not only expose individuals to having their personal data compromised, but also expose the providers of web services to the risk of being held accountable for not protecting their users from a reasonably foreseeable problem. Rather than rewriting systems, providers may prefer to require users to register with anything other than a webmail email address.



[1] “yourname@yahoo.com Can Be Yours!”, Yahoo! Blog. http://yahoo.tumblr.com/post/52805929240/yourname-yahoo-com-can-be-yours

[2] “How to Hack into Facebook without being a Hacker”, Parwani et al., Proceedings of the 22nd international conference on World Wide Web companion. p.751-754. 2013. http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf

[3] “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”. Official Journal L281 23/11/1995  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

[4] “Yahoo’s Very Bad Idea to Release Email Addresses”, Wired 19/6/2013 http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/


Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos