What you need to know about the Yahoo breach Watch Now

Deleted your Yahoo account? Think again.

Several Yahoo users, who last year decided to leave the service, told us that their accounts remained open for weeks or months after the company said they would be closed.

News broke in September of a massive state-sponsored cyberattack that led to the theft of 500 million records -- then thought to be the largest theft of records in history. That alone was enough for some to take action and delete their accounts, months before the company admitted it was hacked again -- this time taking one billion accounts.

David Clarke was one of those departing users, whose dormant account was slowly accumulating junk over the past few years.

"This was an ancient email I had set up, had no personal data in it anymore and had a unique password," writing about his troubles on Medium. "But it's a part of my digital footprint that I no longer required and decided, given the horrible security practices going on at Yahoo, to vote with my account and have it removed."

Yahoo makes the account deletion process straightforward enough, but users have to wait "in most cases... approximately 90 days" for the account to close. The company says this is to "discourage users from engaging in fraudulent activity."

On day 91, Clarke logged back into his account to find that it was still active. Unbeknownst to him, logging back in simply to check would reset the clock back to zero.

"Yahoo confirmed via email yesterday if you access your account it resets the timer," he told me. "So, if you login to ensure your account has been deleted and it hasn't, you have to wait at least another 90 days."

Clarke may have checked down to the day, but others we spoke to said that their accounts were still active for months longer -- even though they hadn't logged back in.

One user told me that they deleted their account "the day the breach was announced" in late September. But, as of the end of January, he was still receiving messages that were automatically forwarded from his Yahoo inbox.

He told me that he hadn't logged in to his account because he continues "to receive Yahoo-originated mailing list mail," he said. "This implies that the Yahoo account has not been deleted," he added.

When we asked him to confirm his account was still active, he told me that his email address was accepted at the login screen.

Users with expired or deleted accounts would see an error message saying that their accounts are "not recognized."

Another user told me that they thought their account was "supposedly terminated" days after news of the hack broke, but confirmed his account was still active -- when it should have closed by December.

"Since around August, I had a handful of attempted logins from South Korea and India -- maybe five or 10 of them, he said. "Yahoo appeared to shut out most of them," he added. "This account had essentially nothing in it -- I think a decade-old Flickr account is the only reason I had it -- so I wasn't using two-factor authentication or paying much attention to it at all."

Got a tip? You can send tips securely over Signal and WhatsApp at 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Read More

"According to [Yahoo], my account should have been deleted by the end of December -- but I received yet another 'unexpected sign-in attempt' email (from South Korea, as usual) on Feb. 1," he said.

A delay in closing the account coupled with an unauthorized sign-in may be why the account has not closed.

"Why aren't they at least putting the account into some kind of suspension mode?" the user told me.

A third user told me that that they had also deleted their account around the time of the September breach, but he had not logged in since. He confirmed that his account was still active.

However, another two other people confirmed that their accounts, marked for deactivation and deletion earlier in the year, had been successfully deleted and were unable to log in.

It's not known how widespread the problem is or how many are affected.

The company has faced its fair share of bad security headlines -- not only was it hacked on three occasions (in case you count Tumblr), but it's also faced privacy issues and run-ins over national security, which led to an internal clash that resulted in the company's chief security officer resigning.

A Yahoo spokesperson did not comment, but did point to the company's privacy policy, which says: "Any information that we have copied may remain in back-up storage for some period of time after your deletion request. This may be the case even though no account information remains in our active user databases."

It's no wonder that some customers want out.