The new button, called "Not My Email," reportedly will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.
Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.
"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."
[ Do self-destructing emails sound like a good security practice? Read This Email Will Self-Destruct: AT&T Seeks Patent. ]
Wisniewski said that although account holders "with a conscience" will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.
Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.
Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't."