Who has logged in as you? (Image: Regis Duvignau/Reuters)

Up to a million Facebook accounts could be vulnerable to an all-too-simple method of email hijacking that requires no programming skills or computer expertise. All you need, it turns out, is patience and someone’s expired Hotmail address.

So say security researchers at Rutgers University in Newark, New Jersey. The threat arises, Panagiotis Karras and colleagues say, because Microsoft retires unused Hotmail accounts after 270 days of inactivity and reassigns the email addresses to new users who request them. Facebook, meanwhile, uses an email address as a login. So an attacker can gain access to any Facebook account that uses an expired Hotmail address as a login – if they know where to look.

To find out if a target’s Hotmail address has expired, an attacker can simply send a test email. If a message saying “mailbox unavailable” bounces back, they probably have a viable target. Importing Facebook contacts into Windows Live Messenger makes things even easier, because it automatically tells a user which of their contacts’ addresses have expired.

The attacker can then sign up to Hotmail, ask to be assigned the address and reactivate it. Entering the address into the Facebook login screen and opting for “forgotten password” will trigger Facebook to send an email to the reactivated email address, whereupon the attacker can reset the password and gain full control of an account.
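The weak link in the flow just described is that the password-reset step trusts whatever address is on file, even if the mailbox has since been handed to a new owner. The following is an added illustration, not code from the article or from the Rutgers team, of a recovery handler with that behaviour beside a hardened version that first compares when the user last verified the address against when the provider most recently assigned it. The provider-side assignment timestamps are a constructed lookup table standing in for a real signal (RFC 7293’s Require-Recipient-Valid-Since header is one such mechanism); account names, dates and the `has_second_factor` flag are likewise assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    recovery_email: str
    email_verified_at: datetime  # when this user last proved control of the address
    has_second_factor: bool      # whether an alternative recovery factor exists


# Constructed provider data: the moment each mailbox was most recently assigned
# to an owner. An address that expired and was re-registered gets a later date.
PROVIDER_ASSIGNED_AT: Dict[str, datetime] = {
    "alice@example.com": datetime(2011, 3, 1, tzinfo=timezone.utc),   # never recycled
    "bob@example.com": datetime(2013, 4, 20, tzinfo=timezone.utc),    # expired, re-registered
}


def naive_reset(account: Account) -> str:
    """Behaviour the article describes: mail a reset link to the address on file."""
    return f"reset link sent to {account.recovery_email}"


def hardened_reset(account: Account, assigned_at: Dict[str, datetime]) -> str:
    """Refuse emailed recovery when the mailbox changed hands after verification."""
    owner_since: Optional[datetime] = assigned_at.get(account.recovery_email)
    if owner_since is None:
        # The provider cannot vouch for this address; do not rely on it at all.
        return "email recovery unavailable: address not vouched for; use another factor"
    if owner_since > account.email_verified_at:
        # Someone else registered the address after our user verified it, so a
        # reset link would land in a stranger's inbox.
        if account.has_second_factor:
            return "address reassigned since verification; prompt for second factor"
        return "address reassigned since verification; route to manual identity review"
    # Address has had the same owner since the user verified it.
    return f"reset link sent to {account.recovery_email}"


if __name__ == "__main__":
    alice = Account("alice", "alice@example.com",
                    datetime(2012, 1, 1, tzinfo=timezone.utc), True)
    bob = Account("bob", "bob@example.com",
                  datetime(2012, 6, 1, tzinfo=timezone.utc), False)
    for acct in (alice, bob):
        print(acct.username, "| naive:", naive_reset(acct))
        print(acct.username, "| hardened:", hardened_reset(acct, PROVIDER_ASSIGNED_AT))
```

In the constructed data, `bob@example.com` was re-registered in April 2013, after Bob verified it in June 2012, so the naive handler mails the reset link to the new mailbox owner while the hardened handler routes Bob to another recovery path.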

In a test, the researchers successfully gained access to 15 Facebook accounts, but then halted the experiment to avoid “ethical dilemmas” and “potential legal problems”. They estimate that attackers could gain access to as many as a million Facebook accounts. This represents a small fraction of the service’s one billion accounts.

The team will present the loophole this week at the World Wide Web conference in Rio de Janeiro, Brazil.

Other online services could be similarly vulnerable, but a spokesperson at Google confirmed that the company does not recycle its users’ email addresses.

In an email to New Scientist, a member of Microsoft’s Hotmail team wrote: “This isn’t an issue with either Facebook or Hotmail. When someone stops using their Microsoft account, they should similarly stop having it associated with other internet services.”

This article appeared in print under the headline “Expired emails provide easy way into Facebook profiles”