Yahoo gifts me the keys to someone else's life -- and details relating to the US Nuclear Regulatory Commission
Three months ago, Yahoo announced plans to recycle email addresses. The addresses, which the tech giant said had all been inactive for 12 months or longer, were to be offered on a first-come, first-served basis. In covering the story, my colleague Brian Fagioli pointed out some worrying privacy flaws, but Yahoo said it was confident its plans would not compromise user security.
Despite the fact I already have five email addresses I use on a regular basis, and a couple more I dip into occasionally, I applied for one of these recycled addresses, and at the end of August Yahoo emailed me to say "Great news! The username you wanted is yours". I was surprised and delighted, then promptly forgot all about it until yesterday when I logged into my new email account for the first time and… OMG!
There was, naturally, a fair amount of junk mail already there. It’s an existing email address, so that was to be expected, and fortunately Yahoo filed it all away neatly in a Spam folder for me to browse through and delete. But in my inbox I also found a selection of emails meant for the previous owner, not me.
Two of the messages relate to a new prepaid card which has been sent -- presumably -- to my predecessor, along with details of how to log into the linked account. There isn't much interesting information in the messages, except for the address the card was mailed to, and the name of the person. I couldn’t log into the account without the card details (had I wanted to), but I did use the name and address to look up the person on the web. However, the name didn’t seem to match the occupant I found, and so I moved on to the much more interesting second set of emails.
These are work messages, and have confidential Excel spreadsheets for a major multinational corporation attached. I downloaded and virus scanned a couple before opening them. They contain details of quotes -- including hundreds of contact names, addresses, and revenue details -- for some of the USA’s largest businesses. I won’t go into details, but one of the clients listed is the US Nuclear Regulatory Commission, another is Delta Airlines.
It isn't old data either -- it covers quotes relating to October, November and December this year.
Whether the information contained in these documents could be used for nefarious purposes, I’m not sure. It’s really nothing more than a contact database for lots of major corporations, with some pricing details. But if I was in the same business as the spreadsheet owner, I could certainly use the details to try and undercut it and woo away its clients. Or I guess I could sell the details to a rival firm.
Those emails also give me the (presumably) previous email address owner’s work email. Using the details I had, and the power of the Internet, I was able to find out his full work address, job title (and the length of time he’d been there), and get a photo of him -- we don’t look very alike (that's not him in the picture above). I also found out his age, and numerous other details.
Admittedly, once you know the basics -- name and where someone lives or works, for example -- finding the rest of the details is easy. Yahoo didn’t really give me the keys to someone else’s life, but it did provide me with an interesting insight into who once used the account that is now mine, and also made me realize just how much of my personal information could potentially end up trickling through to the new owner if I ever lose a web mail account in a similar recycling session.
Yahoo says it will this week begin offering a new "Not My Email" button that will give owners of newly claimed user names, like myself, the ability to send back messages not meant for them. That’s all well and good, but not everyone is going to be honest enough to do that. Armed with someone’s email address, name and details of accounts linked to the former, a fraudster could potentially do some serious damage.