A 24-hour locksmith for your Yahoo! account

Posted April 14th, 2009 at 12:02 am by Sabari Devadoss, Yahoo! Membership

 29 Comments / Filed in: Trends & News

We’ve all been there. At one point of another, we’ve all signed up for an online site or service and, down the road, completely forgotten what information we gave during the registration process. We’ve heard from many of you that making the account recovery process easier at Yahoo! would make you very happy, so we’re modifying the process and adding some new features. Here’s the low-down on the new process and what you can expect.

Starting this week, we’ll be asking you to update your recovery data. Since the information we collected in the past – such as zip codes or birthdays – has increasingly become part of our public persona online, users will be given the option to provide additional information such as an alternate email address and new secret questions of their choice. U.S. users will also have the option to provide a mobile phone number. This updated information will let us help you faster in the event of a future recovery attempt – whether you’ve forgotten your password or your account has been compromised. It also lets us better protect you by creating a recovery process that includes information and questions that only you should be able to complete, with information only you should know.

Our goal is to have all Yahoo! users update this information. We’ll start prompting some users to update their data this week (note: you’ll only see this after you’ve logged in) and will continue reaching out to more and more users over the next several months. If you want to update your information proactively, visit https://edit.yahoo.com/commchannel/manage.

We hope everyone takes advantage of these new features and that, in the event you do forget your Yahoo! details, you find the recovery process as quick and painless as possible.

UPDATE: We’ve gotten some questions about how exactly you’ll be notified to update your account recovery information. You will NOT receive an email from us, but rather be prompted with a screen after you log in to your account. That said, you will receive an email from us to your Yahoo! and your alternate email address every time you update your data (ie, a new secret question). Please be mindful of any phishing attempts — emails that appear to be from Yahoo! but are not. You can read more about phishing and account security at our Yahoo! Security Center.

Sabari Devadoss
Platforms Product Manager, Yahoo! Membership

Photo from fragglerawker_03

Tagged: news

Post a Comment Bookmark This Digg This

29 Comments Add your own

Jeremy | April 14th, 2009 at 11:29 am

That’s great for all of the people who forget their credentials. What about those who have their accounts hacked and stolen from them. Does this prevent the hackers from changing that verification data, such that only the “real” owner knows the information? Seems like once someone has access to the account, they can view / change all of that information, which Yahoo then will no longer be able to verify against.

This situation happened to my wife several years ago, and after going several rounds with Yahoo! support we finally just gave up on Yahoo.

Hers was a rare but not isolated case – here is a (non exhaustive) list of people who have had their accounts hacked and apparently never re-acquired: http://www.google.com/search?q=site%3Aprofiles.yahoo.com+%22Hack+AZ%22

So how would one of those people go about recovering their account, or can you paradoxically only get your account back if you already have access to your account? In my opinion Yahoo! has a very poor track record in this regard (Sarah Palin, etc) and I cannot see how these changes provide any improvement.

Maybe someone reading should send me an email to help get my wife’s account back.

Sabari Devadoss | April 14th, 2009 at 4:35 pm

@Jeremy – Thanks for your feedback. We’ve added a few enhancements to help users who might have had their accounts hacked or stolen.

1. We’ve added logic that remembers your new account recovery data, even if an attacker deletes it and replaces it with new information. To regain control of your account, you just need to provide your data points (secret questions, alternative email addresses, mobile numbers, etc.). Note that no one will be able to ever see the answers to your secret questions, so be sure that you choose them carefully — both to protect against someone guessing them and to ensure you remember them yourself.
2. You will now receive notifications through your alternate email and mobile numbers when there are changes to your account recovery data. This will give you a heads up if there’s activity in your account that you didn’t initiate.

We’ll continue to roll out new features to aid users who fall under this scenario. We strongly recommend our users to add alternate email addresses and mobile numbers to their account to aid future account recovery attempts as well as receive notifications of critical account changes. You can proactively update this information via this page: https://edit.yahoo.com/commchannel/manage.

Unfortunately the new account recovery process can only help those who are able to enter new information.

Ian T | April 15th, 2009 at 2:00 am

@Sabari – nice features, great to see that you guys have thought this through and addressed the hacking issue in an intelligent way.

Really happy to see that there are some good features now coming through into registration / account management @ Yahoo! (somewhat neglected for a few years despite underpinning the whole show), especially for those long-neglected international users.

All power to you!

an ex-Yahoo.

Tad Miller | April 15th, 2009 at 6:04 am

I to have a Yahoo ID that was stolen from me. I had it for 10 years. When passwords change, you need to send me an e-mail notifying me of the change and most importantly give me a means to say that I did NOT initiate this change and don’t allow it!

Who ever has that id has changed the password several times in the last year and I am helpless to do anything about it. I’ve made several attempts to contact Yahoo about it and never got a single response.

TheAnand | April 15th, 2009 at 6:50 am

I was worried about this, thanks for the awesome reminder. But I logged in to my account with the manage link on this page, but its not letting me edit my birthday. this account of mine is more than 9 years old when I was 11 and I do not remember if I put in my correct birthday or not. My yahoo account does not even display if I have the right address or not!

Any help in this regard will be very much appreciated.

Joy | April 20th, 2009 at 12:09 am

Thank you for reminding us on this. You know it’s really frustrating losing your account. Your post is a help other people like have encountered such a problem.

Ziru | April 20th, 2009 at 9:45 am

I tried to provide an alternative email address (early last week and again today), and I did receive the verification emails. However, whenever I clicked the “Verify xxx@gmail.com” link, I got an “Oops! Looks like our servers are taking a break. Please try again later. (Error: #77315)” error. It didn’t work for one week?

Sabari Devadoss | April 20th, 2009 at 3:45 pm

@Ziru – Some people are experiencing an error during verification but we will be rolling out a patch next week that should address this issue. Apologies for the inconvenience in the meantime.

Sabari Devadoss | April 22nd, 2009 at 2:30 pm

@Ian T – Thanks for the kind words. Keep an eye out for other enhancements not just in Account Recovery but in other Yahoo! Membership products as well.

@Tad – when you reset your password through the account recovery flow, we do send a notification to your email addresses and mobile numbers. We are working on updating our main Password Change page to also send notifications. Our recent changes to the Account Recovery flow should help you update your information. Also, as we move away from data like date of birth to items like email and mobile based recovery, it will make stealing accounts a bit more difficult.

@TheAnand – Our goal is to move away from using the date of birth for account recovery. We recommend our users to attach a mobile # and/or an email address so that they can recover their accounts in the future. This is why you do not see functionality to update your date of birth on the management page. What are you referring to when you state “right address?”

Vuro | April 30th, 2009 at 5:57 am

Hello Sabari,

i want to comment about recovery on yahoo account, 3 days ago my friend cannot login into his Yahoo Messengger and Yahoo mail, then he can’t do recovery password too, the page always says “For Security reason please contact yahoo”, and i try to send email to my his email, and i got mailer daemon, we believe that his account has been deleted by someone that “somehow” get his password, my friends has 2 times fill the form about his yahoo account but always get reply by machine, and he almost frustated to get back his account, because all contact and friends email is in that account, how is he can really really get big help by yahoo?

Thanks…

Sabari Devadoss | May 1st, 2009 at 11:49 am

@Vuro – Sorry to hear about your friend’s difficulties. Since I am unclear on the true cause of the issue, I will provide the following avenues for your friend to pursue:

1. Try the online flow by selecting “I can’t access my account” link from the Yahoo! Login page. After selecting the problem you are experiencing, you will be presented with a page to enter your Yahoo! ID to determine if you are eligible to recover your account online. For a small subsection of our users, we require them to work through our Customer Care organization to recover their account. I am not sure if your friend falls into this category. If not, you should be able to recover online by providing the necessary proofing information (like your date of birth and answer to your secret question).

2. If you receive an error when you enter your Yahoo! ID, then you can work with Customer Care. I would recommend that you click on the Help link on the Account Recovery page to go to the Help area where you can contact Customer Care. You will need to provide the various data points to prove to Customer Care that you are the real owner of the account. Once they are able to verify your information, they should be able to help reset your password.

Sometimes, it takes a little bit of time for Customer care to respond so please be patient, but as long you provided the correct information that was requested on the form, they will be able to help you.

Good luck.

maxim | May 12th, 2009 at 1:44 pm

hello Sabari,
Will yahoo send this account information page again to the user if somebody does not update it on first time and even didnt click the option remind me later?
Thanks!

Sabari Devadoss | May 14th, 2009 at 9:44 pm

@maxim – Yes, you will be prompted with the Data Collection screen if you deferred or navigated away initially. Please note that we randomize the presentation of this screen for security and performance reasons.

Medyum | June 2nd, 2009 at 2:49 am

I to have a Yahoo ID that was stolen from me. I had it for 10 years. When passwords change, you need to send me an e-mail notifying me of the change and most importantly give me a means to say that I did NOT initiate this change and don’t allow it!

Robert / True color | June 8th, 2009 at 4:51 pm

Well this is actualy the first that I have heard of this being legit. the discussion about this change came up in a group on yahoo for group mods.. I think this is a communication issue here. I think that members using yahoo should have been sent an e-mail notifying us of this change. not everyone has time to read yahoos blog I responded to the question reguarding this issue and the first thing I thought was someone was trying to get someone elses information. I see now that beouce of a decision of not to notify members of yahoo of this change by e-mail that I have miss informed someone. I can understand the security issue in why you decided to not send all of us an e-mail but at the same time this causes misscommunication with in groups currently disscussing this issue. Perhaps yahoo should think about incorperating a bi Weekly ele3tronic newsletter to be sent to those wishing to recieve information and updates by e-mail. SO that everyone can be aware of what is going on with out having to go to a blog page just to find it

OldOnliner | June 10th, 2009 at 9:20 pm

I don’t have a secret Q&A and I DON’T WANT ONE! (This account pre-dates the time when such a thing was required.)

I do have an alternate email address and that MUST be used to reset/recover my login information. Like most online login places, that’s the only place the info will forward to, and it should NEVER appear on a Yahoo web page.

I’ve seen the new secret Q&A prompts (AT&T users must be first in line for this?) for my ISP login, and the Q&A’s are LAME to the point they are MEANINGLESS TO ME – as in they do NOT apply to me! Duh! They are a barely closed door to some serious data integrity compromise.

MAKE the new system thusly – IF I use an alternate email address, then I am NOT required to have a secret Q&A! (IOW, keep it like I have now!)

Joe | June 17th, 2009 at 2:52 pm

This is idiotic. I refuse to give any more information to yahoo. What is the worst that they can do if I refuse to fill up their form? Cancel my account?

hikaye | July 7th, 2009 at 7:58 am

I to have a Yahoo ID that was stolen from me. I had it for 10 years. When passwords change, you need to send me an e-mail notifying me of the change and most importantly give me a means to say that I did NOT initiate this change and don’t allow it!

Who ever has that id has changed the password several times in the last year and I am helpless to do anything about it. I’ve made several attempts to contact Yahoo about it and never got a single response.

tenseuser | July 14th, 2009 at 8:17 am

I too had a yahoo id that was stolen using the password recovery mechanism(the person somehow get the answers to my secret questions right). however i got back my id using password recovery, and even changed my secret questions in the subsequent forms. however still the person again hacked my id as the previous secret question is still not removed. i am in helpless as the person gains access to my id again and again..please help me

RS | July 23rd, 2009 at 8:27 pm

Am I missing something? It seems like you want even more personal info just in case we get hacked…so that it will be there for the hacker to look at when they do…um…

I’m not seeing an improvement in privacy protection here.

I hope you do some immediate follow up with some of these users with horror stories above….

AD | July 27th, 2009 at 9:17 am

What happens when someone knows the answers to your secret questions. If you change them to be more secure, the hacker can always select “This is not my question” and go back to the previous question. Does the feature expire after secret questions have been updated?

sam | August 6th, 2009 at 4:47 am

Dear Sabari,

My account was hacked last April 2008. i have contacted Yahoo about it but to no avail. I failed to give in the right answer to the security question as my cousin created the account for me..when i was 10 years old..im now..26.. again, the hacker is using my name to extort money from my friends.

Please help.

Rocky | August 13th, 2009 at 4:26 am

My concern is what if I am want to change my questions(2 in nos) for the purpose of security. Just like I change my password. (I feel comfortable that way and I will be doing it say every 3 months just as I do with my password) How long will Yahoo! remember old questions/ answers as is mentioned by Sabari?
He says “1. We’ve added logic that remembers your new account recovery data, even if an attacker deletes it and replaces it with new information.”

Jim | August 27th, 2009 at 4:59 pm

I don’t like giving Yahoo the answers to two identifying questions about me and see no justification for making this mandatory. It increases the exposure of information that might be used to get into other sites that are more important to my life.

Steve | September 17th, 2009 at 12:32 am

My mother has been upset for two days because she can’t access her Yahoo Mail unless she enters password-reset questions. It has taken me hours of of Web searching to figure out I guess it isn’t a scam.

The prompt I got for my Yahoo Mail account a couple weeks ago had a “Remind me later” button. Hers didn’t, which aroused suspicions.

At the very least, this scheme has been extremely poorly implemented by Yahoo. I also think the questions open up more security holes than they close.

Kim Komando suggests answering such questions with nonsense answers, since any real answer is probably known by someone. http://www.komando.com/columns/index.aspx?id=5487

Tommy | September 21st, 2009 at 9:51 am

Hi Sabari,

I am based in Australia.
My friend in US added his phone number into my Y ID, and now every time I reset my password via my alt email. He reset it back via his phone number . How can I delete that phone number, so that only me can reset the password online?
Or is there anyway to avoid Reset password online.

Thanks,

Tommy

nebo | September 21st, 2009 at 3:58 pm

I am going to repeat the same concerns with “Rocky | August 13th, 2009″ and “tenseuser | July 14th, 2009″.
I think I can understand why yahoo had put the ‘This is not my question’ link, if an account is compromised,
and hijacker changed the security questions, this would give the original owner a change to reset it back. That is great, But this information should not be kept forever. If I change my security questions, yahoo should keep the old sets only for a limited time, say 5-7 days most, and delete the original security question set.

What if the hijacker (ex-wife, ex-boy friend) guesses the original questions’ answers.

Yahoo is punishing the user not making a right choice at the first place.

~!~Ryan~!~ | October 18th, 2009 at 8:22 am

Yahoo is great and all but if they would just let u make _________ names again people most likely wouldn’t worry about stealing yahoo accounts..

Jeni_C | October 27th, 2009 at 1:54 pm

Because of the work done by the bland new, blight and slimey, locksmith that YaHELL has hired, I am now locked out of all my Yahoo accounts. Locksmith…. Bully mongrel security guard would be a more appropriate description.
The security guard forcibly redirects any login attempt on any of my accounts to the Q and A interstitial, and refuses to let me access my own accounts which have NOT been hacked, unless I accept completing the form that the security guard demands I fill out.