Security researchers in the US believe up to a million Facebook accounts may be at risk via expired Hotmail accounts.
Microsoft retires Hotmail accounts after 270 days of inactivity, making the username available for anyone to register. An attacker who notices that a username has become available can register it themselves.
If someone has used that Hotmail account as a Facebook login, the attacker only has to submit a “forgotten password” request for the Facebook account to gain access.
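The weakness described above is that a password-reset flow treats a recovery email address as permanently trustworthy, even though the mail provider may have retired and re-issued it. One defensive check a site can apply is to refuse to send a reset link to a recovery address that has not been re-verified within the provider's retirement window, and to mark any reset mail it does send with the Require-Recipient-Valid-Since header (RFC 7293), which lets a participating mail provider reject delivery if the mailbox has changed hands since that date. The following is an added example, not code from the article or from Facebook or Microsoft; the account records, the `reset_link` value and the 270-day threshold (taken from the article's Hotmail figure) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime
from typing import Optional, Tuple

# Assumption: a recovery address not re-verified within this window may have been
# retired by the mail provider and re-registered by someone else. 270 days is the
# Hotmail retirement period quoted in the article.
MAX_RECOVERY_ADDRESS_AGE = timedelta(days=270)


def recovery_address_is_trusted(last_verified: datetime, now: datetime) -> bool:
    """True if the recovery address was confirmed recently enough to receive a reset link."""
    return now - last_verified < MAX_RECOVERY_ADDRESS_AGE


def build_reset_email(recipient: str, last_verified: datetime, reset_link: str) -> EmailMessage:
    """Build the reset message and tag it with Require-Recipient-Valid-Since (RFC 7293).

    A receiving mail system that supports the header compares the date with the
    mailbox's creation date and refuses delivery if the address was re-issued later.
    """
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "Password reset request"
    # RFC 7293 syntax: "<address>; <date-time>", date-time in RFC 5322 format.
    msg["Require-Recipient-Valid-Since"] = f"{recipient}; {format_datetime(last_verified)}"
    msg.set_content(f"Use this link to reset your password: {reset_link}\n")
    return msg


def handle_reset_request(account: dict, now_iso: str) -> Tuple[str, Optional[EmailMessage]]:
    """Decide how to service a 'forgotten password' request for one account.

    account keys (constructed schema for this example):
      recovery_email        - address on file
      recovery_verified_at  - ISO 8601 timestamp of the last successful verification
      reset_link            - single-use link that would be sent (assumed to exist)
    Returns ("send", message) when the address is still trusted, or
    ("reverify", None) when the user must confirm ownership of the address first
    (for example via a second factor or an alternative recovery channel).
    """
    now = datetime.fromisoformat(now_iso)
    last_verified = datetime.fromisoformat(account["recovery_verified_at"])
    if not recovery_address_is_trusted(last_verified, now):
        return "reverify", None
    return "send", build_reset_email(account["recovery_email"], last_verified, account["reset_link"])


# Constructed sample accounts: one with a recently confirmed recovery address,
# one whose address was last confirmed long before the retirement window.
SAMPLE_ACCOUNTS = {
    "alice": {
        "recovery_email": "alice@example.com",
        "recovery_verified_at": "2010-12-01T10:00:00+00:00",
        "reset_link": "https://social.example/reset?token=PLACEHOLDER",
    },
    "bob": {
        "recovery_email": "bob@example.com",
        "recovery_verified_at": "2009-10-01T10:00:00+00:00",
        "reset_link": "https://social.example/reset?token=PLACEHOLDER",
    },
}


if __name__ == "__main__":
    now = datetime(2011, 1, 1, tzinfo=timezone.utc).isoformat()
    for name, account in SAMPLE_ACCOUNTS.items():
        action, msg = handle_reset_request(account, now)
        print(f"{name}: {action}")
        if msg is not None:
            print("  RRVS header:", msg["Require-Recipient-Valid-Since"])
```

The age check alone stops the scenario in the article: a Hotmail address that sat idle long enough to be retired is by definition older than the window, so the site asks for a fresh proof of ownership instead of mailing a reset link to whoever now holds the mailbox. The RFC 7293 header is a second layer that only helps when the receiving provider honours it, so it should never replace the site-side check.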
During testing, the researchers gained access to 15 Facebook accounts before stopping the experiment, citing “ethical dilemmas” and “potential legal problems”.