Skip to navigation
Latest News

Hotmail loophole leaves Facebook accounts vulnerable

Hotmail security exploit

By Shona Ghosh

Posted on 9 May 2013 at 11:51

Facebook users who login using Hotmail and other web-based email services might be vulnerable to account hijacks, due to a loophole related to expired addresses.

Microsoft deactivates unused Hotmail accounts after 270 days of inactivity, reassigning the addresses to any new user who requests them after a certain period of time.

Those email addresses can then be used to reset passwords and log into other sites – such as Facebook – potentially allowing attackers to gain control of profiles.

Research from New Jersey-based Rutgers University, noted by New Scientist, found that a would-be attacker could locate expired Hotmail addresses using a simple script. The script sent out test emails to specific addresses – any bouncebacks indicated that an account had been deactivated, leaving the researchers free to request the address.

Once that was granted, they could then type the address into Facebook and ask for a password reminder. Since it appears that Microsoft doesn’t notify third-party services of an account’s expiration, Facebook then requested the attacker to reset the password, giving them easy access to the previous account holder’s profile.

In practice, the method is slow-going since the script still required manual input of specific email addresses. But the researchers noted that the more addresses and accounts they accessed, the easier it became to automate the process. It also became easier since several online mail services, and Windows Live in particular, allows users to import contacts from services.

"We can get the friends list of the account that we enter into and figure out which of those friends have expired Hotmail accounts in their turn," said the researchers. "Thus, they fall prey to our attack as well."

Microsoft's account deactivation policy

Microsoft has retired Hotmail, shifting users to the new But since is also web-based and operates the same account deactivation policy, that could still leave users vulnerable to attack.

Gmail appears to be less vulnerable because it doesn’t allow new users to request previously used addresses.

"The problem arises from the fact that the privacy of a user’s online social network account rests on the privacy of one’s email account. Once the user loses the one, they can lose the other as well," said the researchers.

Facebook claimed the vulnerability was Microsoft's responsibility and advised users to ensure their addresses were active and up to date. The firm pointed out that there are other account recovery options available if users are concerned about resetting passwords via email, such as SMS or appointing trusted friends.

"This is not a Facebook security issue – this is a vulnerability that only applies to a small number of people who have not updated their Hotmail email address tied to their Facebook account," said the spokesperson. "Nothing is more important to us than the safety and security of people on Facebook. We encourage people to make sure the e-mail address associated with their Facebook account is up to date and secure. We are constantly building and releasing new security features - from login notifications to one time passwords, and we encourage their use."

Microsoft has not responded to a request for comment.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments


Okay, so how many people actually use a Facebook logon with a Hotmail email address that they no longer use? I can't imagine we're talking about billions of people here. And "Microsoft doesn’t notify third-party services of an account’s expiration" - well of course it doesn't! Seems a bit of a non-issue to me.

By turnma on 9 May 2013

Non issue??

This isn't just about facebook, email addresses are used everywhere, sometimes linked to saved credit card information. For MS to just give away an email address that someone has used for security purposes is shocking.

The notion that this has to affect billions of people before it becomes a problem is silly.

By ChrisH on 9 May 2013

Leave a comment

You need to Login or Register to comment.



Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.