Hacker News

You can also re-register an account that was deleted by someone else. Major hole in Yahoo's systems. Enables identity theft and other shenanigans.


Considering how many times Yahoo!'s mail has been hacked[0], I doubt anyone still on it cares about security.

[0] https://en.wikipedia.org/wiki/Yahoo!_data_breaches


That doesn't work anymore. I wanted to get access to some old emails after I let my account lapse. Recreated the same account with same password: completely empty.


But the security hole is not that you can access someone else's email messages. It's that you can do the 'I forgot my password' flow for accounts associated with an email address that was previously owned by someone else!


That's a major hole in web authentication... not Yahoo!'s mail service.


It's both. Yahoo! used to maintain a policy against address reuse for exactly this reason.


This is the only reason I chose not to delete some old accounts from different sites, and check on them yearly-ish. I used to think of the internet as ephemeral, but I don't have that luxury as long as anyone else doesn't. From relatives to banks, the authentication crisis is real. My soul is forever bound to some shitty teenage usernames and some poorly secured hashes distributed around the world.


This is a massive security flaw if true.


Not for the email provider. If the only authoritative identity for an account is “can receive an email at a given address” you’re just admitting that you’re outsourcing your security to an implementation detail of a few large email providers that you have no control over and a bunch of small email providers that you have no guarantee behave the same way.

A trivial example is Mailinator.


All webmail providers used to delete old accounts and then allow re-registering them.

On-the-ball webmail providers don't allow this anymore, but some never changed their ways...
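The thread above describes one mechanism from three angles: a recycled address lets the new holder drive a site's password-reset flow, a provider-side no-reuse policy (the one Yahoo! is said to have had) closes it, and a relying party that treats "can read mail at this address" as its only recovery factor has otherwise no say in the matter. The following is an added model of that situation, not code from any commenter or from Yahoo!; the provider, site, addresses and dates are all constructed. It shows the leak with address recycling, then two mitigations: a provider that tombstones deleted addresses, and a relying party that tells the provider when it last verified the address and has the reset mail refused if the mailbox is newer than that (the idea standardised as the Require-Recipient-Valid-Since header in RFC 7293, modelled here as a plain function argument rather than real SMTP).

```python
"""Recycled email addresses vs. password-reset flows (constructed model).

Three actors: a webmail provider, a relying-party site whose only recovery
factor is email, and two mailbox holders. Nothing here talks to a network.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class MailAccount:
    address: str
    created_at: datetime
    active: bool = True


class MailProvider:
    """Toy webmail provider.

    tombstone=True models a no-reuse policy: once an address is deleted it can
    never be registered again. tombstone=False models address recycling.
    """

    def __init__(self, tombstone: bool):
        self.tombstone = tombstone
        self.accounts: dict[str, MailAccount] = {}
        self.tombstones: set[str] = set()

    def register(self, address: str, now: datetime) -> MailAccount:
        current = self.accounts.get(address)
        if current is not None and current.active:
            raise ValueError("address in use")
        if address in self.tombstones:
            raise ValueError("address retired and cannot be re-registered")
        self.accounts[address] = MailAccount(address, now)
        return self.accounts[address]

    def delete(self, address: str) -> None:
        self.accounts[address].active = False
        if self.tombstone:
            self.tombstones.add(address)

    def deliver(self, address: str, valid_since: Optional[datetime] = None) -> Optional[MailAccount]:
        """Return the mailbox that receives the message, or None if refused.

        valid_since is the sender's assertion "I last confirmed this address
        on this date" (the RFC 7293 idea). A mailbox created after that date
        belongs to someone else, so the message is refused instead of landing
        in the new holder's inbox.
        """
        acct = self.accounts.get(address)
        if acct is None or not acct.active:
            return None
        if valid_since is not None and acct.created_at > valid_since:
            return None
        return acct


class RelyingParty:
    """A site whose only account-recovery factor is the bound email address."""

    def __init__(self, provider: MailProvider):
        self.provider = provider
        self.users: dict[str, tuple[str, datetime]] = {}  # username -> (address, verified_at)

    def signup(self, username: str, address: str, now: datetime) -> None:
        # Record *when* the address was verified; that timestamp is what lets
        # the site detect a mailbox that changed hands later.
        self.users[username] = (address, now)

    def password_reset(self, username: str, use_valid_since: bool) -> Optional[MailAccount]:
        address, verified_at = self.users[username]
        since = verified_at if use_valid_since else None
        return self.provider.deliver(address, valid_since=since)


def run_scenario(tombstone: bool, use_valid_since: bool) -> str:
    """Who ends up holding the reset link? Returns a short label."""
    t0 = datetime(2010, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    provider = MailProvider(tombstone=tombstone)
    site = RelyingParty(provider)
    addr = "alice@example.test"  # constructed address

    original = provider.register(addr, t0)
    site.signup("alice", addr, t0 + timedelta(days=1))
    provider.delete(addr)  # Alice lets the mailbox lapse two years later
    try:
        provider.register(addr, t0 + timedelta(days=3 * 365))  # someone else tries to take it
    except ValueError:
        pass  # no-reuse policy: the address stays dead

    recipient = site.password_reset("alice", use_valid_since)
    if recipient is None:
        return "no delivery"
    return "original owner" if recipient is original else "new owner"


if __name__ == "__main__":
    for tomb, rrvs in [(False, False), (True, False), (False, True)]:
        print(f"tombstone={tomb!s:5} valid_since={rrvs!s:5} -> {run_scenario(tomb, rrvs)}")
```

With recycling and no sender-side date, the reset link reaches the new holder of the address; either mitigation alone turns that into a refused delivery. Only the provider can implement the first, which is the point made about outsourcing security to providers you do not control; the second at least lets a site that kept the verification timestamp refuse to trust a mailbox that is younger than its own record.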



