Apparently Microsoft Recycles Email Addresses Too

Chris Crum | IT Management

Yahoo has been making headlines in recent weeks thanks to an account recycling program it implemented recently, and the apparent security issues that have come along with it. It turns out that Microsoft has pretty much been doing the same thing for years. It also turns out that there have been similar security issues there as well.

Back in June, Yahoo announced its plans to give old, inactive IDs to current users who wanted better email addresses. The plan immediately drew criticism from security experts and journalists (including the guy from Wired who was famously hacked last year). At the time, well-known security expert Graham Cluley, who has worked for security giants like McAfee and Sophos, called Yahoo’s plan “moronic,” and told WebProNews, “they should throw the idea away in the trash can where it belongs.”

He criticized it again more recently after InformationWeek put out a story sharing quotes from users of the recycled email addresses who were getting other people’s email with sensitive information. Yahoo acknowledged that it had been happening to some users, and in response, launched a “Not My Mail” button so that those getting other people’s emails could notify Yahoo and fix the problem. Of course, that relies on the user to be honorable enough to use it, and not to exploit the sensitive info they’re getting.

Suffice it to say, the concerns haven't exactly gone away.

Now, we learn that Microsoft does the same thing with Windows Live ID and (formerly Hotmail) accounts. This is according to PCWorld and Webwereld (in Dutch). PCWorld reports:

The Microsoft Services Agreement mentions that users are required to log in to their Microsoft accounts "periodically, at a minimum of every 270 days, to keep the Microsoft branded services portion of the services active." Otherwise "we may cancel your access" and "your data may be permanently deleted from our servers."

Microsoft does not mention the possibility that email account names will be recycled. The company confirms that this is the policy, however. When the account becomes inactive "the email account is automatically queued for deletion from our servers. Then, after a total of 360 days, the email account name is made available again," according to an email statement from Microsoft.

Meanwhile, as with Yahoo's, Microsoft's practice is apparently also leading to people getting emails intended for others. Webwereld has reportedly seen evidence of this, and the former account holder is said to be considering filing a complaint against Microsoft.

The publication also confirmed with Google that it does not recycle accounts.

What they don't tell you in those Scroogled ads.
