Yahoo is facing claims its decision to recycle inactive email addresses has resulted in some users receiving personal messages intended for the previous owner.
The internet giant announced plans earlier this year to recycle Yahoo usernames, or IDs, that had not been used for more than 12 months to free up long-held ones that others might want.
Before recycling inactive accounts we attempted to reach the account owners [in] multiple ways to notify them that they needed to log in to their account or it would be subject to recycling.
Users were told to fill out a wish list, detailing their top five potential usernames. Yahoo would then inform them if their top picks were available and, if so, users were given 48 hours to claim it.
At the time, the company assured users it was working with social media and e-commerce sites to update them about the change in ownership of certain usernames to prevent personal information being passed on about the previous owner.
However, in a recent Information Week article, several Yahoo email users said they had received marketing newsletters, Facebook messages and digital receipts for purchases the former address holders had made.
Dwayne Melancon, chief technology officer at security software vendor Tripwire, said he wasn't surprised by the reports.
"After all, if you change mobile numbers your phone number goes back into the pool of available numbers at some point. Anyone who still has your old number will reach the new mobile phone subscriber, rather than you. With recycled emails, it's no different," he said.
"From a security perspective, this is a great case for using email encryption when transmitting sensitive information. With encryption, even if a new owner takes over your contact's old email address, they will be unable to read the sensitive data because they will not have the encryption key required to decipher the message," he added.
In a statement to IT Pro, a Yahoo spokesperson said the firm has done a lot of work to secure users' personal information as part of its email recycling efforts.
"Before recycling inactive accounts we attempted to reach the account owners [in] multiple ways to notify them that they needed to log in to their account or it would be subject to recycling," the statement read.
"Before recycling these accounts, we took many precautions to ensure this was done safely including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and. unsubscribing the accounts from commercial mail."
The company also undertook marketing campaigns and worked closely with other email service providers, merchants and third parties to make them aware that some addresses would be switching owners.
It is also in the throes of rolling out a system that will allow users to flag when they receive an email that is not intended for them.
"We continue to look for ways to protect our users," the statement concluded.
