If you have an inactive Yahoo username/email address, it could end up in someone else’s hands about a month from now. And that could create all kinds of havoc if the new owner of your old username decides to use it to try to recover old online passwords of yours that might still be associated with that Yahoo address.
Yahoo announced a new username wishlist tool today that allows existing Yahoo account holders to put in claims on up to five inactive usernames. It comes about a month after Yahoo announced plans to recycle usernames.
There’s no public list of the inactive names; you just provide your top five choices blindly and, if any of them are inactive, you might be in luck. Yahoo will notify “winners” on a first-come, first-served basis in mid-August.
The danger is that new owners of these old Yahoo usernames/email addresses, could use the “Forgot Your Password?” tool on any number of websites to learn passwords associated with the old Yahoo username and/or gain access to websites that are associated with it.
Yikes. That could lead to some serious identity issues. And Yahoo knows it.
So, to minimize the potential identity cataclysm, Yahoo has also announced new email header called Require-Recipient-Valid-Since. It basically means that sites like Facebook would be able to compare the last time they confirmed a user’s email address against the date that the Yahoo email address changed owners.
If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.
It sounds workable, but the main problem is that it’s voluntary. Facebook and other large websites might put this in place, but there are countless smaller websites that won’t. They may not even know about Yahoo’s decision to recycle inactive usernames. And if those are e-commerce sites that … oh, y’know … also happen to store credit card information in user accounts, there could be serious problems ahead.
Postscript From Danny Sullivan: Color me not reassured. I put my own active username into the wishlist box. Yahoo came back with a confirmation that this was added to the wishlist.
This doesn’t mean my name, or any active name, would be granted to wishlist requestors. But you’d think the first step in this process would be to prevent people from even trying to request actual active names.