This vulnerability report describes how an attacker could obtain access to (pressumably) any Yahoo! Mail account by resetting the password through recovery email which was re-registered after previously deactivated (because of inactivity) by an external freemail provider. Or, reset the password of a Yahoo! Mail account whose recovery email's domain was hijacked or has been purchased by a third-party entity, which can reset the linked accounts by just using the reset-password-mechanism.


Many freemail providers like Microsoft's Outlook/Hotmail (or maybe Yahoo! Mail) emails are being automatically deactivated due to account inactivity (eg. not being able to login after 5 years). This means that the said auto-deactivated email addresses are now free for any user to re-register. BUT WHAT IF -- a stranger re-registered the email address which was linked as a recovery email to a currently active Yahoo! Mail account? This is where the exploit can be used: The stranger can now use the standard process of resetting the password or obtain access to a Yahoo! Mail account by sending a code to the hijacked recovery email.

Same problem goes to when a Yahoo! Mail account was linked to a recovery email in an email address of a private domain like "" which was then bought by a no-longer affiliated entity, who can also access the recovery emails of the Yahoo! Mail accounts.

Browsers Verified In:

  • Google Chrome Version 68.0.3440.106 (Official Build) (64-bit)

IP Address:


Steps to Reproduce:

(Add details for how we can reproduce the issue)

  1. Create an account in Microsoft Outlook/Hotmail or any email provider. (eg.
  2. Create a new Yahoo! Mail accocunt. (eg.
  3. Link the old email address as a recovery email to the new Yahoo! Mail account.
  4. Wait until the old email account (recovery email) has been deactivated due to inactivity. (This could take a very very very long time)
  5. The attacker re-registers the my old email account as his/her own email.
  6. The attacker resets my password using my old email account as a recovery email to hack my Yahoo! Mail account.

Supporting Material/References:



The attacker could obtain full access to the victim's account which could lead to countless issues like frauds and hacks on other social media accounts.


I have posted a bug report on Yahoo! Mail's HackerOne bug tracker and this is what I got: