Deleted your Yahoo account? Think again.
Several Yahoo users, who last year decided to leave the service, told us that their accounts remained open for weeks or months after the company said they would be closed.
News broke in September of a massive state-sponsored cyberattack that led to the theft of 500 million records — then thought to be the largest theft of records in history. That alone was enough for some to take action and delete their accounts, months before the company admitted it was hacked again — this time taking 1 billion accounts.
David Clarke was one of those departing users, whose dormant account was slowly accumulating junk over the past few years.
“This was an ancient email I had set up, had no personal data in it anymore and had a unique password,” he wrote about his troubles on Medium. “But it’s a part of my digital footprint that I no longer required and decided, given the horrible security practices going on at Yahoo, to vote with my account and have it removed.”
Yahoo makes the account deletion process straightforward enough, but users have to wait “in most cases… approximately 90 days” for the account to close. The company says this is to “discourage users from engaging in fraudulent activity.”
On day 91, Clarke logged back into his account to find that it was still active. Unbeknownst to him, logging back in simply to check would reset the clock back to zero.
“Yahoo confirmed via email yesterday if you access your account it resets the timer,” he told me. “So, if you login to ensure your account has been deleted and it hasn’t, you have to wait at least another 90 days.”
Clarke may have checked down to the day, but others we spoke to said that their accounts were still active for months longer — even though they hadn’t logged back in.
One user told me that he deleted his account “the day the breach was announced” in late September. But as of the end of January, he was still receiving messages that were automatically forwarded from his Yahoo inbox.
He told me that he hadn’t logged in to his account, and that he continues “to receive Yahoo-originated mailing list mail.” “This implies that the Yahoo account has not been deleted,” he added.
When we asked him to confirm his account was still active, he told me that his email address was accepted at the login screen.
Users with expired or deleted accounts would see an error message saying that their accounts are “not recognized.”
Another user told me that he thought his account was “supposedly-terminated” days after news of the hack broke, but confirmed his account was still active — when it should have closed by December.
“Since around August, I had a handful of attempted logins from South Korea and India — maybe five or ten of them,” he said. “Yahoo appeared to shut out most of them,” he added. “This account had essentially nothing in it — I think a decade-old Flickr account is the only reason I had it — so I wasn’t using two-factor authentication or paying much attention to it at all.”
“According to [Yahoo], my account should have been deleted by the end of December — but I received yet another ‘unexpected sign-in attempt’ email (from South Korea, as usual) on February 1,” he said.
A delay in closing the account coupled with an unauthorized sign-in may be why the account has not closed.
“Why aren’t they at least putting the account into some kind of suspension mode?” the user told me.
A third user told me that he had also deleted his account around the time of the September breach, but had not logged in since. He confirmed that his account was still active.
However, two other people confirmed that their accounts, marked for deactivation and deletion earlier in the year, had been successfully deleted and that they were unable to log in.
It’s not known how widespread the problem is or how many are affected.
The company has faced its fair share of bad security headlines — not only was it hacked on three occasions (if you count Tumblr), but it has also faced privacy issues and run-ins over national security, which led to an internal clash that resulted in the company’s chief security officer resigning.
It’s no wonder that some customers want out.
A Yahoo spokesperson did not comment by the time of writing. If that changes, we’ll update.
Source: SANS ISC SecNewsFeed @ February 17, 2017 at 12:06PM