Making Yahoo IDs available for registration again could lead to domain theft.
If you have access to a domain account holder’s email, it’s fairly easy to steal a domain from them.
That is why domain name registrars should be on high alert about Yahoo’s plan to recycle dormant user IDs.
The company plans to re-offer dormant user IDs to the public in an effort to make better IDs available. Although only a small number of the IDs are apparently connected to Yahoo email accounts, this is still troublesome.
One way people steal domain names is to get control of the registrant’s webmail accounts. I’ve seen more than one occasion where a thief found a webmail account that had been made “available again”, signed up for the account, and then stole a domain.
It would be fairly simple to do this on a large scale. A thief could scan whois records for administrative contacts with @yahoo.com email addresses, and then set up a system to check for availability. After signing up for the available ones, it wouldn’t be difficult to reset passwords at the corresponding domain registrar. Then they would just have to transfer the domain to another account or request the EPP code to transfer the domain.
The very release of a previously owned email account is an identity theft. God only knows how much sensitive information, and not just domain related, will be made available.
This is a security problem for more than just domains. Pretty much anything with an online acct, like online banking, is subject to the password reset link. Not all online accts are sophisticated enough to ask security questions.
I’m not even sure if PayPal asks security questions if you forget your password.
Cory L says
That’s asinine! I get the thought process but it definitely appears they haven’t thought of the repercussions. Joe is dead on, domains are the tip of the iceberg for email recycling.
On an interesting note, EmailRecycling.com was available and I got it. I think this will be a busy topic online and look forward to making more than my reg fee in traffic to it. More interestingly it turns out EmailRecycling.org was already taken and in use by a real company. I’d like to note for the record that that had nothing to do with my purpose for registering this domain. Although apparently this is a real term for something else someone went and made up, the Yahoo EmailRecycling crisis that will ensue is my reason for registration. As a domainer I find it interesting that this company that at least definitely has a logical reason to do their business on a .org domain rather than a .com would not have at least paid the small registration fee to have both. I left the .net which is also still available out there for whoever wants it.
Andrew Allemann says
@ JP –
A new form of UDRP defense: stating your intention when you register the domain.
Can’t be too careful with all this RDNH going on. Now it is a clear RDNA situation if they come after me. I’ll make sure that no ads on the site conflict with what they do, but seems like nobody is advertising that so shouldn’t be too hard. BTW, did you read on the .org site what they do? Did it make any sense to you? Why would an ISP want to buy arbitrary bits from anything? There is no usable data in what they are selling. Sorry I digress, but I don’t get it.
An update on this which is interesting for another reason and answers the question I posed above. I just checked and it appears it has been registered before and dropped/become available again on about May 25th (less than a month ago). So that would be why the .org didn’t register the .com, because they registered their domain on February 28th and the .com was taken at the time. Now even more interesting it appears that someone tried Tasting the domain under privacy as the whois history shows it registered under privacy on June 11th (9 days ago). It does not show when it was deleted again but we can assume within 3 days as I was able to register it today. The domain has history going back to March 2010 and has pretty much always been private.
Brian Kemp says
The fine print at the bottom of the page spells it out, but there’s a spoiler in the page name – its-a-joke.php
Of course, if anyone else follows Yahoo’s lead, maybe it won’t be 🙂