Central point of failure: Yahoo in a nutshell

Submitted by Larry on 4 June 2005 - 7:52pm

Like most people on the Net, I make some use of Yahoo! services. It's not easy to avoid it. Hundreds of thousands of people have a Yahoo! email address, just as many use Yahoo! Messenger, and Yahoo! Groups is "the new usenet" for many subjects. That's not even counting Yahoo!'s various other branding efforts.

Before I continue, I'm going to drop the stupid ! in the company name. Yes it should be there for accuracy, but good grief can we be a little less self-important? Thanks. Anyway...

The advantage of one company offering all of those services is that you have only a single sign-on to worry about. One name, one password, one bookmark, and you have all of your services at your fingertips. That's great... right up until you get butterfingers. It's also a single point of failure; one problem can bring down your entire PIM network.

Even that needn't be the end of the world, mind you. Backups, redundancy, and alternate verification mechanisms can add a layer of security, at least if you care to bother with them. Unfortunately, a company as large as Yahoo makes only a token gesture. They simply don't have the resources to deal with millions of customers properly. So what happens when one night you receive an e-mail from Yahoo's automated servers:

Your password for this account has recently been changed. You don't need to do anything, this message is simply a notification to protect the security of your account.

Nice of them to confirm such changes with me. Of course, it would make more sense if I had actually asked for my password to be changed. Hm, what does it mean when a password is changed by someone other than the account holder? It means either the admin is playing tricks or the account has been hijacked. Since I'm sure the Yahoo admins have much better pranks to play than futzing with my account, I get worried. I go to log into my Yahoo account and sure enough, it rejects my password. OK, no problem, go to the password recovery page and have it reset and sent to me. Of course, that page requires some identifying information, including birthdate and ZIP code. I enter that information and, naturally, get a message saying that it is wrong. Now I'm quite sure that I know my birthdate, and while I have moved recently I think I know what ZIP code they would have on file, but I try all of the other ZIP codes I've ever lived in. Still nothing. That leaves two conclusions: Either the account has definitely been hijacked or they don't have a ZIP code on file for me at all. If the latter, then asking for it is rather silly, eh?

After some digging I finally find a contact form for Yahoo Support (which I can't seem to find again, naturally) and send them a polite, detailed message explaining the problem, including timestamps and all sorts of other pertinent information. I immediately received a very long form letter, and nothing else. A few days later I try again, and get the same. Finally I bother to read the form letter, which consists of 3 screens of "remember to plug it in" type tips and then, tucked away at the bottom:

If you did not find your answer in this message or need further assistance, please reply to this email and provide the information requested below along with a description of the problem you're having. Without all of this information, we may be unable to process your request:

1. Yahoo! ID
2. Date of birth (mm-dd-yyyy)
3. ZIP/Postal Code
4. Country
5. Alternate (non-Yahoo!) email address that we currently list
6. Your new alternate email address, if it needs to be updated (please note that this cannot be a Yahoo! Mail address)
7. Secret Question and Answer

Hm, nice, so they try to reduce their support load by not actually providing support until you bother to read the bottom of a very long and otherwise useless e-mail. I'm sure it works wonders. OK, fine, although why they then let you waste time with a complete and detailed message in the first place I don't know. I reply as instructed and provide all of the information over again, including my DoB, ZIP, "secret question and answer", and so forth. I also explain that the ZIP isn't working and I've not changed it, but that's why I believe the account has been hijacked. Finally, a human responds:

We have reviewed the verification information that you have provided. However, we were unable to match the zip code that you provided with the information that was entered during registration or when this account was last updated. To protect the security and privacy of all accounts, we are unable to provide login or other account assistance without completely verifying the account.

Please resubmit your request, and remember to match the information as it was entered when you originally established your account, or when you most recently updated your information. We look forward to assisting you with this account once the appropriate verification information has been received.

Well yes, the ZIP code doesn't match. Who'd have thought that if I'm writing to say that my ZIP code on file has been changed by someone other than me that it wouldn't match! Seriously, though, I can see their concern. If the ZIP code doesn't match, then they probably think (or their script for canned replies thinks) that I'm trying to hijack a legitimate account. Of course, ZIP code is hardly a good piece of information to rely on. They ignore all of the rest? Country, date of birth, that oh-so-special "secret question and answer"? Let's try again, with every ZIP code I've had in my life (there's only 3 of them), and offer additional information. I'll fax them a copy of my driver's license if they really want.

We have been unable to match the zip code with the verification information as it is currently listed on the account in question. It appears that the information you have provided does not match the information as it was entered at registration or when the account was last updated. Please check your records and resubmit your request.

If you are able to match the information in our system, we will be happy to make the change you are requesting. For security reasons, we will not be able to assist you without matching all the verification information.

Hm, could you at least vary your script some? This account is the owner of a half dozen YahooGroups mailing lists and admin on a half dozen others, some of which go all the way back to when it was ListBot (then bought by eGroups, then bought by YahooGroups in order to solidify the monopoly), some of which have thousands of people on them. (I've been active in the Palm User Group world for years, and help administer some related support lists.) Even putting aside the huge hassle of unsubscribing from all of my YahooGroups on that account and resubscribing on another, and rebuilding my Yahoo Messenger contact list (which is stored server side, of course, so I'd have to sift through my logs to get IDs), that orphans several mailing lists and puts thousands of their other customers at risk. (If the account that owns the list is hijacked, that makes it easier to use it to access information on other Yahoo members.) They have no way to identify me except by ZIP code? Is their system really that insecure?

We apologize for any inconvenience this situation has caused. We have checked the account information listed on your account and have noticed no recent update or change in the information. However, it appears that we will be unable to provide login assistance for the Yahoo! ID in question. By accepting our Terms of Service, you agreed to provide true and valid registration information, and to keep that information current and updated should it change.

The zip code that you have provided in your previous requests does not match the information that was entered when this account was established. You are welcome to establish a new Yahoo! ID at any time. In accordance with our Terms of Service and Privacy Policy, we are unable to correspond further regarding this account.

Oh nice. So I use the secure version of their login every time (even though it's not the default, which it should be), I keep my own systems secure, I do provide them with accurate information (at least for information that was required), and somehow according to their TOS it's my fault and they're going to refuse to talk to me anymore. How nice of them. And how exactly did I get a password-change email without them knowing about it? It wasn't a phishing scam, or they'd have noticed in the headers when I sent it to them. Besides, I didn't click on any links in the original email, I used a bookmark to my Yahoo account.

I don't blame Jeff, Alex, Arthur, and Eugene, the randomly selected support reps who clicked the buttons to send me a pre-canned reply on every message. I blame the fact that a company the size of Yahoo does not, I suppose cannot, care about a problem a single customer has, even if it affects potentially hundreds or thousands of other customers as a result. They've got more, and really, what's their competition? Most people I know have accounts with multiple IM networks anyway, because they know people who are stubborn and won't get more than one. Google Groups is usenet, and all of the other mailing list services have been bought out by Yahoo to begin with. Had I an e-mail account with them, I'd be out of luck but they don't care since they've got thousands of others.

This, my friends, is known as a monopoly. This is why monopolies and oligopolies are a very bad thing. If you don't like that Yahoo Support is impotent, where else are you going to go? Do I get a new account and orphan dozens of mailing lists and put myself at risk of the same lack of support again? Or do I dump Yahoo, the dozens of mailing lists I'm on, the dozens of people I know on Yahoo Messenger, and lock myself out from some very active and often pleasant online communities?

I really don't like either option. If anyone can suggest another way to go about reclaiming my account, I am listening. Curse you Yahoo! (Exclamation point intended.)

One upside of all of this mess, though, is that I've finally gotten around to restructuring my network to allow me to run my own Jabber server at home. But that's a topic for another day.

Why Monopolies Are Bad

My friend Larry Garfield posted about Yahoo!'s poor customer service recently.

Essentially, someone managed to get access to his Yahoo! account and changed the password. Larry contacted Yahoo! a number of times, and each time he got a scripted r...

Anonymous (not verified)

11 March 2007 - 1:04am

Hi,

Last year my password was hacked also. Sorry to hear that. I am trying to do my best to get it back. Nothing is working. If I find a way to get my password back, I'll give you some detail.

Good luck.

Diogo Duarte (not verified)

22 March 2010 - 4:54pm

Old post, but just to say that I suffered from a similar problem: I formatted, and now I don't have the Yahoo ID because they don't send it in the first confirmation mail at registration!! And my e-mail does not match. Now I can't use my Flickr account!!!!!!!!!! Damn stupid!!!