This is kind of weird, so somebody can sign up for mydefunctemail@yahoo.com and basically start reading emails that are meant for me?
Edit:
Consider a scenario. You know of an old rich eccentric who has been hospitalized in a nursing home or some such, you've interacted with them in the past and they have a Yahoo email.
They haven't logged in for a year, you grab it, now you appear to be them to all the people they've emailed with in the past. Including their bank.
I get emails intended for other people all the time. Including financial data, addresses, phone numbers, tons of names and emails in CC fields, etc. I know a guy with a more common name who has made up a ranty blog post that he sends to companies who don't do proper email validation: https://news.ycombinator.com/item?id=5870692
A grandmother who has barely learned how to use email died in 2012.
Her friends are all in their 80s and only send 1 email a year.
Someone new registers the account and then... Then, the Holiday season in 2013 rolls around and all of a sudden a new person is receiving emails from another person's friends.
At that point, the scams they could pull off would be insanely easy.
Additionally: Any sensitive material intended for the original person would instantly be compromised.
Yahoo is playing a somewhat dangerous game. The better option would have been to buy a domain name similar to Yahoo.com and use that.
[ADDED] Now I'm really mad. I tried logging in and it requires me to send an email to an account I had when I signed up for yahoo 10 years ago to log in because it "doesn't recognize my device". Just like Google there is no way to email them or contact them. Unacceptable. There is no way for me to log in to my account.
This could also lead to targeted attacks. There are probably a lot of no-longer-used Yahoo emails still listed on people's Facebook profiles which could possibly be used to pw reset.
I don't think it would be a bad idea for Facebook to display a notice to people w/ Yahoo emails at some point before this comes into effect.
Same here. In this case the device is the same browser I've been logging in with daily. The back-up email is one that hasn't existed for a decade, and the "secret questions" for which I generated random number answers and carefully saved don't match.
That's on a mostly throw-away account, so I don't care too much. On a more regularly used account I just checked I was able to log in fine. My email inbox is page upon page of spam that should be easily filtered on their end, but at least I can get in.
I can give a real example of this that happened to me. I have a Steam account. Many years ago I created it using a Hotmail email account. I never used Steam for a couple of years. One day last fall I decided I wanted to do a little gaming, but I could not remember my account. I did the password reset but it never came through. I tried logging into my old Hotmail account, but they said it didn't exist. I re-created it, resubmitted the Steam password recovery form, and recovered my account _with_ saved credit card information.
Thanks for sharing. This is terrifying and it's the reason releasing the email addresses is a horrible idea.
The web runs on the assumption that you have access to an email address and you'll never lose control of it. Ignoring that assumption and opening up your old users to identity theft just because you want to reissue short usernames that will again be squatted on is kind of crappy.
Was your credit card still valid? Most cards aren't good for longer than 4 years, and chances are you had a few years on it when you signed up for Steam.
You changed addresses but forgot to update your bank to the new email address. Then someone resets the password using the new one and empties your bank account. Passwords are tied to email addresses unfortunately.
Exactly, this is analogous to your home address. Bad things can happen if people send mail to an address you don't live at anymore; it comes with the territory. I think a year is actually a bit short, but there should absolutely be some expiration date on accounts like email addresses. Five years seems like it would be more appropriate. Five years on the internet is an eternity.
Not sure about the home address analogy. I don't know about you, but I don't open mail that doesn't have my name on it, even if it has my address.
Maybe I'm just being naive, but it seems to me that someone getting a letter addressed to you is much less of an issue than someone getting your email.
Microsoft does this with Outlook/Hotmail, all accounts auto expire after 12 months. It's always struck me as a really big security issue. If you associate an account with one of these addresses and it expires, someone can come along, grab it, and receive any email that goes to that account, for example password reset emails.
Always wondered why more companies don't do this. If AOL had released screen names in the early 2000s it may have stayed relevant a little longer. Twitter could stand to do the same.
I've been wishing there was an alternative to Gmail (because they keep making the interface worse). Yahoo seems promising but you can't get a good name... this solves that, bravo!
Someone should write a cron job that logs into your yahoo account once a month so it doesn't go inactive.
You'll probably want the logs mailed to you, or put somewhere you'll look at regularly, because Yahoo's login interface is probably a moving target and you want to know when you need to rewrite your script due to Yahoo's changes.
Or does Yahoo have stable, published APIs you could use for this?
This should be open-source, there's no way I'm giving my Yahoo ID and password to some third-party product I can't inspect.
I can see this going sideways quickly: with active accounts accidentally being deleted, people's mail being read by others who registered them in August, people who thought they would log in on July 15th only to find Yahoo is using a different time zone for this criteria, people who are on vacation until after then, people who never receive this notification...
If there is one thing I learned over the years it's that nothing will ever go the way it's intended to go. This might get messy.
Well, true, that's what we've grown up with: handles that are clever and reflect something about us (or deflect everything about us). But who wants to use john.basketball.expert@gmail.com as a professional contact address? Unless your full name is John Basketball Expert, which is sort of what I'm getting at. I wouldn't change my kid's middle/surname to Basketball Expert, but I'd consider something like Emily Clementine Raptor Mitchell. Seems silly now, but I like the idea that my child could turn on and off her searchability, or at least tune it up or down.
Two namespace wars in the email address: the part before @, which is where we fight over who gets to be "johnsmith", and the domain, where we fight to get either johnsmith.com, the most neutral, popular name like gmail.com, or a short, memorable, personal, pronounceable, and easy to spell domain.
And then we pitch headfirst into the coming TLD clusterfuck! It all makes for fun times and cash money.
What does it mean to be inactive? For example, I have an old yahoo email address that still receives email when I interact with some non-yahoo properties. I haven't logged into yahoo in many years. Is my account active or inactive?
> What if you haven’t logged into Yahoo! for over a year, but want to keep your Yahoo! ID? It’s easy. All you have to do is log on to any Yahoo! product before July 15th.
I logged into my account for the first time in a couple years in order to make sure it didn't get deleted. It looks like Yahoo also took the liberty of deleting all of my archived emails during that time as well.
Why not? Notice that in "Country" they don't ask you if you've declared yourself the King of Sealand and are living on a platform in the ocean. For birthday they don't offer you anything less than 1900, even though there are people alive who are more than 113 years old. You simply can't serve all people's needs with any product.
Maybe they don't want weirdos who claim to be something other than Male or Female using the service.
Also, note I'm using a throwaway account to say this. If I dare to offend the gay lobby by suggesting that homosexuality is a choice [1], or that companies should be able to refuse to do business with queers, for example, even a normally respectful community like HN is going to react as if I said we need someone like Hitler to run this country.
I'm even fearful that I might be refused employment [2] or otherwise discriminated against for my beliefs, if this comment is linked to my real-life identity.
If someone's best response to an intelligent person who disagrees with their position is calling them names like "bigot" or "hatemonger," and applying sanctions to them, it suggests, to me at least, that the actual argument is weak, and those who adopt these tactics do so because they know their position can't win a debate on its merits.
[1] If who you have sex with is not a choice under your deliberate, conscious control, why is rape a crime?
[2] Even in jobs where my beliefs have no effect on my ability to perform the work. What I think about gay marriage should have nothing to do with my ability to write effective unit tests, but I doubt a Bay-area employer would hire me if they knew I made this comment -- and even if they did, they would receive pressure to fire me from customers, investors, or other organizations they work with.
I'll take the opportunity to break into this conversation and ask a question since discussions on this topic seem to be fairly rare on HN.
If I were to launch a service where providing your gender was required (for the sake of this question), which options would you suggest I include outside the binary for those who feel uncomfortable identifying as such?
I managed to snag <myfullname>@ymail.com during that land rush, but when I gave out my email to people, many thought the "y" was a mistake and would send email to gmail instead. The lack of free IMAP and the supermarket tabloid-style ads plastered all over the place finally drove me away.
Why would Yahoo! want to add a different domain to their email service? They've practically given up on anything except being a "brand" at this point, and email is their #1 way to get their brand in front of people.
Are you sure about this? Microsoft deletes your email after a time but your account is not then up for grabs. It still requires the same user/pass to login.
Are you sure? I had an email address (@hotmail.com) that I used in 2005 - 2006 and needed it again recently to recover an old account, couldn't login (unrecognised) so I went through the registration process and "created" a new account with the same address and a new password.
I accidentally hijacked someone else's hotmail account (and subsequently their abandoned Myspace account) because I was able to register the hotmail they used for it and then use forgot password to send a reset email on Myspace. I assume the same thing could be done for other services.
Well, my last experience trying to recover an old hotmail account was a few years back, so they certainly may have changed their policy since then. I'm surprised I didn't hear about the policy change though, I would have happily used hotmail for a good short name :)
I can confirm this is still the case. Story made me check old hotmail account - said the account did not exist and allowed me to create new account with same address.