Yahoo is taking action to clean up inactive accounts, but some fear they may be opening up a new door to clever attackers.
On July 15, any Yahoo email account or Yahoo ID that has not been logged into for more than a year will be freed up to be acquired by another user. The idea is to give Yahoo's “loyal users and new folks” the chance to sign up for the Yahoo ID they want.
“If Yahoo reuses inactive IDs, the most damage will be done through the password reset feature, which is implemented on many sites on the Internet,” said Tommy Chin, technical support engineer at CORE Security. “To steal an account, register a Yahoo account that’s inactive which is already being used as a registered e-mail address on a third-party site. Then, search for a variety of popular third-party websites and utilize the password reset feature to send the password to a reused Yahoo account.”
“Accounts around the web will get owned in very little time once a script gets developed to automate this attack,” he said.