Registering for an account at any web site almost always requires an email address, and some people like to use a secondary address they don’t really care about instead of their real email address to avoid spam. If you do this, don’t use a Hotmail (Update: or other free webmail) account.
Microsoft shuts down Hotmail accounts that haven’t been logged into after nine months. So if you registered for your Gmail account two years ago and used your Hotmail address as your secondary email address and never logged back in, you’ve put your Gmail account at risk.
Here’s how: If your Hotmail account gets shut down due to inactivity, someone else can open a new one using your Hotmail address. Then, if that someone else requests a password reset from Gmail, it goes to that address, and that someone can get into your primary email account. This is how Twitter employees’ Gmail accounts got broken into last week.
From Hotmail’s help section:
Free Windows Live Hotmail accounts become inactive if you don’t sign in for more than 270 days or within the first 10 days after signing up for an account. After an account becomes inactive, all messages, folders, and contacts are deleted. Incoming messages will be sent back to the sender as undeliverable. Your account name is still reserved. However, if the account stays inactive for an additional 90 days, the account name may be permanently deleted.
In the comments of my post at Lifehacker this morning, a reader said that his wife’s last emails from her father were lost in a shutdown Hotmail account.
If you are or ever were a Hotmail user, make sure all the important online accounts you use (banking, other email accounts, shopping sites where you’ve stored credit card information) don’t send password reset messages to your Hotmail account, and that important messages aren’t left there untouched for too long. Either that, or make absolutely sure you log in once every few months.
Update: My apologies for picking on Hotmail! Turns out Gmail and Yahoo Mail have similar deactivation policies. From Gmail’s Help:
A dormant address is a Gmail address that hasn’t been used for six months. You can still receive mail if your address is dormant, but you need to log in to keep your account active. If you don’t log in to Gmail within three months of it being labeled dormant — or for nine consecutive months — Google may delete the address.
From Yahoo Mail’s help:
Accounts are deactivated and removed after four months of no use. When an account is deactivated, you won’t be able to access it, regardless of whether or not email has been received in the account during that time.
And sorry, but we can’t retrieve any of the information that was formerly stored in it.
In summary, unlogged-into Hotmail and Gmail accounts expire after nine months and unlogged-into Yahoo accounts expire after six (unless you pay for Yahoo! Mail Plus). Looks like we all have to remember to log into those secondary webmail accounts.
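The password-reset chain described above can be checked against a list of your own accounts. This is an added example, not part of the original post: the inventory format, the function names and the 30-day month are assumptions, the idle limits come from the help texts quoted above, and the addresses and dates are constructed.

```python
from datetime import date

# Idle days after which the quoted help texts say the account or its name may
# be deleted. Months are approximated as 30 days (assumption of this example).
DELETE_AFTER_DAYS = {
    "hotmail.com": 270 + 90,  # inactive at 270 days, name reserved 90 more
    "gmail.com": 9 * 30,      # nine consecutive months
    "yahoo.com": 4 * 30,      # four months of no use
}

def may_be_deleted(address, last_login, today):
    """True if the mailbox has been idle past its provider's quoted limit."""
    domain = address.rsplit("@", 1)[-1].lower()
    limit = DELETE_AFTER_DAYS.get(domain)
    return limit is not None and (today - last_login).days > limit

def reset_chain_risks(inventory, today):
    """Return {account: reset chain} for chains that reach a lapsed mailbox.

    inventory maps address -> {"recovery": address or None, "last_login": date}.
    """
    risks = {}
    for account, entry in inventory.items():
        chain, seen = [], {account}
        mailbox = entry["recovery"]
        while mailbox and mailbox not in seen:  # seen guards against loops
            seen.add(mailbox)
            chain.append(mailbox)
            hop = inventory.get(mailbox)
            if hop is None:
                break  # mailbox not in the inventory: nothing known about it
            if may_be_deleted(mailbox, hop["last_login"], today):
                risks[account] = chain
                break
            mailbox = hop["recovery"]
    return risks

# Constructed sample data: addresses and dates are made up for illustration.
TODAY = date(2009, 7, 20)
INVENTORY = {
    "primary.example@gmail.com": {"recovery": "spare.example@hotmail.com", "last_login": date(2009, 7, 19)},
    "spare.example@hotmail.com": {"recovery": None, "last_login": date(2007, 6, 1)},
    "shop.example@example.org": {"recovery": "primary.example@gmail.com", "last_login": date(2009, 7, 1)},
    "spare.example@yahoo.com": {"recovery": "primary.example@gmail.com", "last_login": date(2009, 6, 1)},
}

if __name__ == "__main__":
    for account, chain in reset_chain_risks(INVENTORY, TODAY).items():
        print(f"{account}: resets reach a lapsed mailbox via {' -> '.join(chain)}")
```

Accounts that never name the lapsed mailbox directly are still reported when their reset path passes through an account that does.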
Do you know if using Gmail’s Mail Fetcher to POP3 your Hotmail account keeps it active? If I view the history, it checks my Hotmail every hour. It never gets anything, but does that keep it active?
Wow. Thanks for the tip, seriously! I have recovered my Gmail account once using Hotmail when my password unexpectedly was changed somehow, but I’ve just been lucky as I clear out the occasional e-mail every month or two. I’ll definitely be switching over that secondary e-mail setting.
Does using a Hotmail account as an MSN ID count as keeping the Hotmail account active?
I have a Hotmail account I use primarily for IM, I just about never access the mail though.
Alternately you may use Digsby and add all your web accounts in it.
This way you log every day with every mail account and you prevent the problem from arising.
Gmail provides an option to execute password recovery using text messages to your cellphone. However, it isn’t clear whether this is an OR or an AND with the secondary email address. I’ll give it a try soon and see how it works.
If you use your cellphone, it should be a bit safer than a secondary email account, and if it’s not, you know it’s someone with access to your phone (unless you can access your text messages over the web).
This is a very difficult problem, as the recovery mechanism should be more secure than the standard logon process.
You would also have the same problem with your own domain if you forget to renew it.
Giving your email address in so many sites creates a problem if you lose it. I think it’s best to not have a lot of secondary addresses.
Another idea might be to have a cron job that keeps polling your email so your account doesn’t become inactive. Once a week would probably suffice.