For months I have been receiving Facebook email notifications that are not related to my personal account. They are bound to someone else’s Facebook profile, a namesake of mine. This person’s email registered on Facebook is quite similar to mine. The only difference is a dot between the first name and the surname in the username part of our Gmail addresses. Probably he does not know that Gmail treats email@example.com and firstname.lastname@example.org as the same address; I did not know either before running into this issue.
But how bad is that? Many times I tried to prevent Facebook from sending me those emails by using the “not my account” link they provide on them. It was not enough and I kept receiving them. So today I decided to investigate how far this issue could go and used the “Forgot my password” link instead; Facebook then sent me an email with a code for setting up a new password. You can see where this is going. The password was reset without any further verification and I was logged in! I was logged into an account that is not remotely related to me due to an email typo! It seems that the account was active but it was not fully enabled. The owner might not have received the confirmation email, since it was being sent to me. Then I decided to deactivate the account anyway in order to avoid further confusion and told Facebook what was happening by leaving them a message on the deactivation form. I thought that the two email addresses were from different Gmail accounts, but investigating further I discovered that it does not matter whether your email has a dot or not. If you send messages to email@example.com, firstname.lastname@example.org and email@example.com, all of them will be directed to the same mailbox.
Anyway, this is a big security flaw. It is not ok that someone can access an account only because another person made a mistake while typing the email address. If the email address is not verified right after registration, then the Facebook account should be deactivated or should expire after some time. I have been receiving this guy’s friend notifications, friendship requests and suggestions for a long time. They should not have sent emails to me at all, other than the first one confirming the email address.
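The two defensive checks argued for above, as an added Python example that is not part of the original post and is not Facebook's code: a canonical form of the address that folds Gmail's dot-insensitivity (and, going beyond the post, its `+tag` suffixes and the googlemail.com alias) so a sign-up colliding with an existing mailbox is caught, and a toy account store that refuses to send password resets or notifications to an address that was never verified. The `Registry` class and the sample addresses are constructed for this example.

```python
# Domains where Google ignores dots in the local part (gmail.com and its
# googlemail.com alias). Constructed list for this example.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical key used only for collision detection.

    Lower-cases the address and, for Gmail, drops dots and any '+tag' from
    the local part, so 'john.doe@gmail.com' and 'johndoe@gmail.com' map to
    the same key. Mail is still sent to the address as the user typed it;
    the canonical form is only a lookup key.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class Registry:
    """Toy account store keyed by canonical email (constructed example)."""

    def __init__(self) -> None:
        # canonical email -> {"email": as typed, "verified": bool}
        self._accounts: dict[str, dict] = {}

    def register(self, email: str) -> bool:
        """Create an unverified account; False if the mailbox is already taken."""
        key = canonical_email(email)
        if key in self._accounts:
            return False  # same mailbox, even if the dots differ
        self._accounts[key] = {"email": email, "verified": False}
        return True

    def verify(self, email: str) -> None:
        """Called only after the owner clicked the confirmation link."""
        self._accounts[canonical_email(email)]["verified"] = True

    def may_email(self, email: str) -> bool:
        """Resets and notifications go only to a verified address."""
        acct = self._accounts.get(canonical_email(email))
        return bool(acct and acct["verified"])
```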
If you feel insecure about this, the best thing you can do is enable the two-factor authentication feature. Facebook will send a text message to your cell phone in order to confirm your identity. This will at least prevent unauthorized access if someone resets your password.