
Facebook and Yahoo plug password recovery vulnerability to stall cyber thieves

Facebook and Yahoo have found a way to reuse email addresses that haven’t been used for years, by closing a gap that had the potential to allow hackers to take over social media accounts.


A new standard called RRVS [Require-Recipient-Valid-Since] lets Facebook timestamp password recovery messages to show Yahoo the last time the email address was legitimately used.

If that account has changed hands since the last confirmation, Yahoo can drop the message and thus prevent password recovery messages from falling into the hands of someone who doesn’t own the account.

It is built on the Internet’s Simple Mail Transfer Protocol [SMTP], and it’s thought that it will finally allow Yahoo, Google, Microsoft and others to reclaim millions of addresses that haven’t been used for years.

“Our priority when working with partners and other companies is to ensure Facebook accounts—which are connected to various email services, and can be extended via Facebook Login to other sites—are not only kept safe and secure, but also work together seamlessly. The Facebook ecosystem is large, and keeping your information safe is core to everything we do,” read a blog from Murray Kucherawy, software engineer at Facebook.

For the solution to be truly bulletproof, websites other than Facebook must sign up so that outdated email addresses can’t be used by hackers; to that end, Wired speculates that banks and security companies will be the first to jump aboard.


As for other websites and social networks, the system will only work at Yahoo’s end if they sign up, and in that sense it may be too late for users who have already seen old email addresses grabbed by other people.

Image Credit: Flickr (Anthony Ryan)