As we move forward with making unused Yahoo! usernames available to new owners, we’ve always thought about making the process as secure as possible.
I wanted to share one measure we’re taking to protect the privacy of our users who had an e-mail address that may be re-used, which is a very small percentage of the accounts that we will be recycling. We encourage anyone using e-mail to communicate with their users, especially for e-commerce and recovering their accounts, to adopt this measure to ensure the security of their users.
To communicate that a username has a new owner to e-commerce sites like “JoesAntiques.com,” or social networking sites like Facebook, we’ll allow them to “ask” for a new type of validation when sending an email to a specific Yahoo! user. The field, which can be requested via an email’s header, is called “Require-Recipient-Valid-Since.”
We feel that our approach, which we’ve worked on with our friends at Facebook, is a good solution for both our users and our partners.
Here’s how it works:
If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email. The new header signals to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account. If the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, the email will not be delivered and will instead bounce back to Facebook, which will then contact the user by other means.
This example illustrates how Facebook will do this – others will have their own rules for determining the age requirement for the recipient / receiving account.
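The check described above, sketched as an added example (not Yahoo!'s or Facebook's code): the sender attaches its "last confirmed" date and the receiver compares it with the date the mailbox passed to its current owner. The header value layout (address, semicolon, date), the addresses, the dates and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed sample data: when each mailbox passed to its current owner.
OWNER_SINCE = {
    "alice@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),  # recycled
    "bob@mail.example": datetime(2005, 3, 1, tzinfo=timezone.utc),  # original owner
}


def build_reset_mail(recipient, last_confirmed):
    """Sender side: state when this address was last confirmed by its user."""
    msg = EmailMessage()
    msg["From"] = "noreply@shop.example"
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    # Assumed value layout: "<address>; <RFC 5322 date>".
    msg[HEADER] = f"{recipient}; {format_datetime(last_confirmed)}"
    msg.set_content("Reset link goes here.")
    return msg


def delivery_decision(msg, owner_since=OWNER_SINCE):
    """Receiver side: return "deliver" or "bounce" for one message."""
    raw = msg[HEADER]
    if raw is None:
        return "deliver"  # the sender did not ask for the check
    addr, _, date_text = str(raw).partition(";")
    try:
        valid_since = parsedate_to_datetime(date_text.strip())
    except (TypeError, ValueError):
        return "bounce"  # unparseable request: this example fails closed
    if valid_since.tzinfo is None:
        valid_since = valid_since.replace(tzinfo=timezone.utc)
    current_owner_since = owner_since.get(addr.strip().lower())
    if current_owner_since is None:
        return "bounce"  # no such mailbox
    # Confirmed before the mailbox changed hands: the sender's user is a
    # previous owner, so the mail must not reach the current one.
    return "bounce" if valid_since < current_owner_since else "deliver"


if __name__ == "__main__":
    old = build_reset_mail("alice@mail.example", datetime(2010, 1, 1, tzinfo=timezone.utc))
    new = build_reset_mail("alice@mail.example", datetime(2014, 1, 1, tzinfo=timezone.utc))
    print(delivery_decision(old), delivery_decision(new))
```

A sender that receives the bounce knows the address no longer belongs to the user who confirmed it and can fall back to another contact channel.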
This is a new standard, being published with the IETF, that we’ll be working with partners to implement, and one that other email service providers can adopt for similar efforts of their own.