Sophos Highlights Security Risk After Facebook Email Change

The controversial decision by Facebook to replace users’ chosen email addresses with a Facebook email address as the default on profile pages, represents a possible security risk.

The move will likely make those @facebook.com addresses even more attractive to spammers and other cyber-criminals, according to one security expert.

Spammers Delight

In a blog post 26 June, Graham Cluley, senior technology consultant at security software provider Sophos, noted that with the change, essentially by default anyone on Facebook can send a user a message, and that anyone on the Internet can email the user at their @facebook.com address.

It was something Cluley warned users about in a blog post in 2011 about Facebook’s messaging system, and the social network’s decision to make the @facebook.com address the default email address on the profile pages will most likely make those addresses an even bigger target.

As Sophos pointed out last year “the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links,” Cluley wrote in the latest blog.

Facebook has been quietly shifting the default addresses of its almost 900 million users from the email addresses they chose when signing up on the site – such as those from Yahoo or Google’s Gmail – to their Facebook addresses, which are the username@facebook.com. Facebook officials in April said they were giving all their users a Facebook email address using their public usernames, but it wasn’t until this past weekend that some journalists and blog sites noticed that Facebook was making these addresses the default addresses on public profiles.

“Ever since the launch of Timeline, people have had the ability to control what posts they want to show or hide on their own timelines, and today we’re extending that to other information they post, starting with the Facebook address,” Facebook spokesperson Jillian Stefanki said in an email to the Associated Press 25 June.

How To Change

The social network, which is notorious for making blanket changes to its Website operations without sufficiently notifying its users, has come under heavy criticism from users and outside observers alike since the move was publicised. The common theme is that it’s yet another attempt by Facebook to gain greater control over its users’ lives.

“Clearly this all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from,” Cluley wrote.

Facebook users who want to change back to their original default email can do so by clicking on the “about” section of their profiles, going to the “Contact Info” section and choosing “Edit.” From here, users can choose which of their email addresses they want to appear on their timelines and who can see it. Once that’s done, users can then press “Save.”

However, Cluley said, users “shouldn’t be fooled into thinking that hiding your @facebook.com email address makes it impossible for someone to work out what it is. After all, it now matches the public username in your profile’s URL.”

Users can go into their account’s privacy settings to determine who can send them messages, and they need to remember that “Everyone” in the settings means everyone on the Internet, not just on Facebook, he said.

Cluley also wrote that it will be incumbent on Facebook “to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system. My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.”

What do you know about social networks? Find out with our quiz!