Facebook Email Change Raises Security Concerns

A Sophos official said the social network’s decision to make the @facebook.com addresses users’ default addresses will make them even more attractive to spammers.

Facebook€™s decision to replace users€™ chosen email addresses with their Facebook email address as the default on profile pages likely will make those @facebook.com addresses even more attractive to spammers and other cyber-criminals, according to one security expert.

In a blog post June 26, Graham Cluley, senior technology consultant at security software provider Sophos, noted that with the change, essentially by default anyone on Facebook can send a user a message, and that anyone on the Internet can email the user at their @facebook.com address.

It was something Cluley warned users about in a blog post in 2011 about Facebook€™s messaging system, and the social network€™s decision to make the @facebook.com address the default email address on the profile pages will most likely make those addresses an even bigger target.

As Sophos pointed out last year €œthe @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links,€ Cluley wrote in the latest blog.

Facebook has been quietly shifting the default addresses of its almost 900 million users from the email addresses they chose when signing up on the site€”such as those from Yahoo or Google€™s Gmail€”to their Facebook addresses, which are the username@facebook.com. Facebook officials in April said they were giving all their users a Facebook email address using their public usernames, but it wasn€™t until this past weekend that some journalists and blog sites noticed that Facebook was making these addresses the default addresses on public profiles.

"Ever since the launch of Timeline, people have had the ability to control what posts they want to show or hide on their own timelines, and today we're extending that to other information they post, starting with the Facebook address," Facebook spokesperson Jillian Stefanki said in an email to the Associated Press June 25.

The social network, which is notorious for making blanket changes to its Website operations without sufficiently notifying its users, has come under heavy criticism from users and outside observers alike since the move was publicized. The common theme is that it€™s yet another attempt by Facebook to gain greater control over its users€™ lives.

€œClearly this is all part of the site's plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from,€ Cluley wrote.

Facebook users who want to change back to their original default email can do so by clicking on the €œabout€ section of their profiles, going to the €œContact Info€ section and choosing €œEdit.€ From here, users can choose which of their email addresses they want to appear on their timelines and who can see it. Once that€™s done, users can then press €œSave.€

However, Cluley said, users €œshouldn't be fooled into thinking that hiding your @facebook.com email address makes it impossible for someone to work out what it is. After all, it now matches the public username in your profile's URL.€

Users can go into their account€™s privacy settings to determine who can send them messages, and they need to remember that €œEveryone€ in the settings means everyone on the Internet, not just on Facebook, he said.

Cluley also wrote that it will be incumbent on Facebook €œto implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network's messaging system. My guess is that it won't be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.€