How Facebook Protected Users with Dormant Yahoo Email Accounts


YahooLogo650When Yahoo announced last year that it would allow user names that had been inactive to be claimed by new users, how did Facebook ensure that accounts on the social network that were tied to recycled Yahoo email addresses remained secure? Software engineer Murray Kucherawy detailed the process in a note on the Protect the Graph page.

Kucherawy wrote:

Our priority when working with partners and other companies is to ensure that Facebook accounts — which are connected to various email services, and can be extended via Facebook Login to other sites — are not only kept safe and secure, but also work together seamlessly. The Facebook ecosystem is large, and keeping your information safe is core to everything we do.

For example, last year, Yahoo announced that it was going to begin making long-dormant logins available for new registrations. This was a shift we knew we wanted to study closely to make sure we understood the impact to Facebook. If a Facebook account were connected to a recycled Yahoo email address, then that account could be taken over by the new Yahoo account owner via a password-change request if no additional protections were in place.

Working with our counterparts at Yahoo, we quickly proposed and prototyped an enhancement to email that addresses this problem. The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.

This new method for handling recycled email addresses is a new standard, called RRVS (Require-Recipient-Valid-Since), and it provides a way for senders to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender.

To help other operators solve this problem and protect their own accounts, we documented our extension via the Internet Engineering Task Force, and the mechanism recently became a proposed standard. You can find it at

Readers: How active is the email address you registered your Facebook account under?



Why Soshable Went Dormant (and why it’s due for an eruption)



When I first started playing around with social media marketing back in 2007, it was new, fresh, and wonderful. I created this blog to keep my thoughts in order, to have a central point through which to post all of my content, and to build a brand that could eventually become a company of its own.

Things change. Directions change. Elements of our lives that we once considered to be important become secondary in the blink of an eye. For me, Soshable has been one of those aspects of my life that fell by the wayside. My focus on automotive social media marketing has allowed me the privilege of forming a strong company with a bright future that takes up way too much of my time and my former blogging stallion was put in the barn.

That is changing. The good part about having a company grow is that you can start to hire people to do much of the work that you had to do in the beginning. Things that took up all of my time when I started my company less than a year ago are now superbly handled by a team that makes me look good. Time is opening up. Needs are growing, but in different directions. It’s time for Soshable to erupt into what it once was – a place where I and other authors promote the best practices available in social media.

It doesn’t need to be a social media blog. It needs to be the social media blog, the one that it once was and that it can be again. Thankfully, it’s not like a boxer coming out of retirement. When a volcano erupts after being dormant for a long time, the fury is often greater than it every was before. That’s my hope. Bring the marshmallows. We’re about to spew some heat.

Soshable | Social Media Blog