Yahoo mail has a MAJOR security flaw

1 points by samuelpe12 ↗ HN
an acquaintance told me this:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn't access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn't even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number's PREVIOUS OWNER. Didn't ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code. This would mean that new owners of a number could gain access to the email of that number's previous owner without being asked any type of security question, or to even type the email address or at minimum to type the first and last name correctly. Please revise this, Yahoo! I am a concerned Yahoo! user, and no I did not look into the email, I logged out. This has happened before to people's Yahoo! accounts. How can we ask Yahoo! to change this?

Simply requiring users to type the email address/credentials before receiving the SMS would solve the problem.

I have contacted support and though Yahoo! said their engineers have been informed they haven't fixed this so far. How should we get them to fix this? Petitions?

9 comments

[ 2.5 ms ] story [ 33.7 ms ] thread
Today I learned, people still use Yahoo for their email provider.
Thanks for your comment. People don't anymore?
> How should we get them to fix this? Petitions?

Nah, you're doing a full disclosure right here and now; so they better hurry up and fix that.

Else, you can cancel your Yahoo account and go somewhere more security-focused (Protonmail?).

It is a significant issue which I think needs to be fixed. Thanks for your comment!
It is a general issue with recycled mobile phone numbers. Ideally, these numbers should not be recycled.

I would love to see some stats on how many numbers are really abandoned per year.

Some mobile operators make it expensive to keep a prepaid number if you do not make big use of it.

I believe that many SIM card providers recycle numbers that have been inactive for 12-24 months. Yahoo! needs to fix this issue, in any case. Thanks for your comment.
The solution is simple. It is to simply require users to type the email address/credentials before receiving the SMS and it would solve the problem.
Can you please help me to ask Yahoo! to change this?