Yahoo Opens Wishlist For Inactive Usernames, Hopes To Avoid Identity Cataclysm

Yahoo Mail iconIf you have an inactive Yahoo username/email address, it could end up in someone else’s hands about a month from now. And that could create all kinds of havoc if the new owner of your old username decides to use it to try to recover old online passwords of yours that might still be associated with that Yahoo address.

Yahoo announced a new username wishlist tool today that allows existing Yahoo account holders to put in claims on up to five inactive usernames. It comes about a month after Yahoo announced plans to recycle usernames.

There’s no public list of the inactive names; you just provide your top five choices blindly and, if any of them are inactive, you might be in luck. Yahoo will notify “winners” on a first-come, first-served basis in mid-August.


The danger is that new owners of these old Yahoo usernames/email addresses, could use the “Forgot Your Password?” tool on any number of websites to learn passwords associated with the old Yahoo username and/or gain access to websites that are associated with it.

Yikes. That could lead to some serious identity issues. And Yahoo knows it.

So, to minimize the potential identity cataclysm, Yahoo has also announced new email header called Require-Recipient-Valid-Since. It basically means that sites like Facebook would be able to compare the last time they confirmed a user’s email address against the date that the Yahoo email address changed owners.

If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.

It sounds workable, but the main problem is that it’s voluntary. Facebook and other large websites might put this in place, but there are countless smaller websites that won’t. They may not even know about Yahoo’s decision to recycle inactive usernames. And if those are e-commerce sites that … oh, y’know … also happen to store credit card information in user accounts, there could be serious problems ahead.

Postscript From Danny Sullivan: Color me not reassured. I put my own active username into the wishlist box. Yahoo came back with a confirmation that this was added to the wishlist.

This doesn’t mean my name, or any active name, would be granted to wishlist requestors. But you’d think the first step in this process would be to prevent people from even trying to request actual active names.

Related Topics: Channel: Consumer | Yahoo | Yahoo: Accounts & Profiles


About The Author: is Editor-In-Chief of Marketing Land. His news career includes time spent in TV, radio, and print journalism. His web career continues to include a small number of SEO and social media consulting clients, as well as regular speaking engagements at marketing events around the U.S. He recently launched a site dedicated to Google Glass called Glass Almanac and also blogs at Small Business Search Marketing. Matt can be found on Twitter at @MattMcGee and/or on Google Plus. You can read Matt's disclosures on his personal blog.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • Pat Grady

    Giving people who abandoned something the chance to reclaim it before the scammers dig for old passwords (passwords many people likely still use) is a very bad idea from a security perspective. When you abandon something, you forget about it, it is lost to the original owner. Y’s solution here assumes the opposite. This is going to be Melissa’s first black eye. Stupid move Y, be better to rebrand to a new domain name (yes, it’s that stupid). Start a new generation of names, that start with a hashtag or something. The number of people who have abandoned a Y account is too large to make this move, imo. Hey Y, next time, stay popular, you’ll largely avoid this problem.

  • Z Dollaz

    They’ve already done this non-publically for years. I’ve personally gotten alerts that mine will expire due to inactivity. I used to steal cool AIM screen names as a kid by registering the recycled Yahoo and Hotmail accounts they had been tied to and requesting the password, then changing the email to mine.

  • Alex

    Yahoo is cheating us, now over mid-August but no one got Yahoo Wishlist links to reset inactive account.

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!