
You can re-register deleted Outlook accounts without security checks - mnbghj
...and then use them to recover bank details/accounts.

In 2014 I migrated away from Microsoft products. I moved all but a few disused accounts over from my Outlook address to a new Tutanota email address and then deleted the account through Outlook’s settings.

Because last week I fancied playing games on my old Steam library, I tried to recover my old Outlook email so Steam could send a password reset link (as I never migrated Steam to Tutanota). I tried to recover the email but could not, as in Outlook’s database it didn’t exist.

Out of curiosity for what would happen, I tried to register my old email address from scratch. It worked without having to verify any old passwords or security questions. All my old emails were gone, but this did enable me to receive Steam’s password reset email.

This seemed like very poor security practice on the part of Outlook and I wanted to see how far I could push it, so next I tried to recover my PayPal account.

As soon after migrating my PayPal account to my Tutanota address I had to create an entirely new account for business purposes, my old account fell into disuse. I sent an email to PayPal customer support stating that my login no longer worked and that I feared my account had been compromised. As no transactions had been made since I changed the email account on file with PayPal, customer support were able to bypass all fraud proceedings and simply revert my account email to my old Outlook address and send me a reset link (as obviously I was the account owner, since I had access to the original email address). My PayPal account still had my active card linked.

Put simply, I recovered access to the entirety of my bank account by registering an email address anyone could’ve registered.

This could be exploited en masse quite easily by brute-forcing a list of Outlook accounts until you get lucky.

Microsoft won't respond, so making this public.
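One defender-side mitigation for exactly this recycled-address problem, added here as an illustration (it is not code from the post, nor from Microsoft, Steam or PayPal): RFC 7293 defines a Require-Recipient-Valid-Since header, with which the service sending a reset link states when the address was bound to the account, so a mail provider that has reassigned that mailbox since then rejects the message instead of delivering it to the new registrant. The account and mailbox timestamps below are constructed sample data standing in for the two systems' databases.

```python
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample data. The service records when each account bound its
# recovery address; the mail provider records when each mailbox was (re)created.
ACCOUNT_EMAIL_BOUND_AT = {
    "old-user@example.com": datetime(2013, 6, 1, tzinfo=timezone.utc),
    "steady-user@example.com": datetime(2013, 6, 1, tzinfo=timezone.utc),
}
MAILBOX_CREATED_AT = {
    # Deleted by its original owner and re-registered by someone else in 2016.
    "old-user@example.com": datetime(2016, 3, 10, tzinfo=timezone.utc),
    # Continuously owned since 2010.
    "steady-user@example.com": datetime(2010, 1, 1, tzinfo=timezone.utc),
}


def build_reset_email(recipient: str, bound_at: datetime) -> EmailMessage:
    """Sender side: attach RRVS (RFC 7293, 'addr-spec; date-time') so a provider
    that reassigned the address after `bound_at` can refuse delivery."""
    msg = EmailMessage()
    msg["From"] = "no-reply@service.example"
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    msg["Require-Recipient-Valid-Since"] = f"{recipient}; {format_datetime(bound_at)}"
    msg.set_content("Use this link to reset your password: <link>")
    return msg


def should_deliver(msg: EmailMessage, mailbox_created_at: dict) -> bool:
    """Receiver side: deliver only if the mailbox has had the same owner since
    the timestamp the sender requires; otherwise the message must be rejected."""
    rrvs = msg.get("Require-Recipient-Valid-Since")
    if rrvs is None:
        return True  # no constraint requested, ordinary delivery
    address, _, date_text = rrvs.partition(";")
    required_since = parsedate_to_datetime(date_text.strip())
    created_at = mailbox_created_at.get(address.strip())
    if created_at is None:
        return False  # unknown mailbox: bounce rather than guess
    return created_at <= required_since


def reset_is_delivered(recipient: str) -> bool:
    """End-to-end check over the sample data: would the reset link reach `recipient`?"""
    msg = build_reset_email(recipient, ACCOUNT_EMAIL_BOUND_AT[recipient])
    return should_deliver(msg, MAILBOX_CREATED_AT)
```

With the sample data, the recycled mailbox is bounced and the continuously owned one gets the reset link; a provider that ignores the header (or a service that never sends it) is back to the behaviour described in the post.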
======
jaclaz
As often happens, I don't see the "scandal".

How does it work in the "real world"?

You get a P.O. Box.

You leave that address, the Post Office re-rents it to someone else.

I would guess that should be your care to make all people that know that
address to not send anything to it and/or change all references to it.

By the same token it is your responsibility to change all your current
subscriptions/whatever updating the e-mail address to a new, valid one, the
sheer moment you delete the "old" account.

~~~
CM30
Yeah, this. What exactly do people think should happen to an abandoned email
address? That it gets put on some permanent blacklist because of 'future
security issues'?

At the end of the day, it's like everything from addresses to phone numbers
and domain names. Once you stop using them, they return back to the pool of
available options for someone else to use instead.

------
icebraining
[http://www.pcworld.com/article/2052586/microsoft-is-quietly-recycling-outlook-email-accounts.html](http://www.pcworld.com/article/2052586/microsoft-is-quietly-recycling-outlook-email-accounts.html)

------
Mz
You knew a lot of insider info about yourself. Brute forcing registration of
outlook accounts in no way guarantees they will be connected to a pay pal
account etc.

I imagine there are easier ways to extract money from people. There are too
many unknown unknowns here.

------
Andrenid
Same goes for a lot of services I've found .. but it doesn't seem to be talked
about much.

The fact it happens for a service as massive as Outlook is unforgivable
though.

