Yahoo email addresses reassigned to a new owner are receiving personal emails intended for the previous owner.
One man told news site Information Week that he had received emails with some highly sensitive information in them.
In June the web firm announced Yahoo addresses and IDs would be reassigned if they had been inactive for a year.
Privacy experts called on Yahoo to address the issue “immediately”. Yahoo says it has taken a series of measures to overcome privacy and security fears.
A Yahoo representative told the BBC, “Before recycling inactive accounts we attempted to reach the account owners [in] multiple ways to notify them that they needed to log in to their account or it would be subject to recycling.”
“We took many precautions to ensure this was done safely - including deleting any private data from the previous account owner, sending bounce-backs to the senders for at least 30-60 days letting them know the account no longer existed and unsubscribing the accounts from commercial mail.”
It is also in the process of rolling out a feature called “Not My Email” where users can report an email that is not intended for them.
The process will come as little comfort to the previous owner of an email account now owned by Tom Jenkins, an IT security professional.
Mr Jenkins told Information Week: “I can gain access to their Pandora account [online radio] but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”
Other users have revealed that they have also received messages that contain personally identifiable information.