What you need to know about Facebook sneakily swapping users' default email addresses to @facebook.com

Filed Under: Facebook, Featured, Malware, Phishing, Privacy, Social networks, Spam

Have you checked the contact information you list on your Facebook profile?

Chances are that it's now listing an @facebook.com email contact address for you.

Facebook email address on user's profile

You can thank Facebook for making that change without telling you.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users' profile pages).

Facebook addresses matching Timeline address

However, the social network didn't make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site's plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

If you don't want your @facebook.com email address to be displayed on your profile, you should change your settings.

  • Click on the "About" tab on your profile
  • Go to the section marked "Contact info" and choose "Edit"

Facebook contact info

  • Adjust the settings to choose which - if any - of your email addresses (including the new @facebook.com email address that you have been given) you would like to appear on your timeline, and who has the rights to see it. (You might also want to ask yourself: if someone is really your friend, wouldn't they already know your email address without having to look it up on Facebook?)
  • Press "Save" and you're all done.

Facebook email address and URL

Of course, you shouldn't be fooled into thinking that hiding your @facebook.com email address makes it impossible for someone to work out what it is. After all, it now matches the public username in your profile's URL.

According to Facebook, by default anybody on the site can send you a message, and anyone on the internet can email you at your new "username@facebook.com" address.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

If you don't like such a wide variety of people being able to send you messages, you will need to change your settings.

  • Click the account menu at the top right of any Facebook page and choose "Privacy Settings".
  • Next to the "How You Connect" heading, click "Edit Settings".
  • Select your preference from the dropdown menu next to "Who can send you Facebook messages?". Remember that "Everyone" means not just everyone on Facebook, but everyone on the entire internet.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network's messaging system.

My guess is that it won't be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Further reading: FAQ: Security and Facebook's new messages system.

If you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.


23 Responses to What you need to know about Facebook sneakily swapping users' default email addresses to @facebook.com

  1. Guest · 1165 days ago

    Thanks for the heads up!

    I don't read my facebook messages anyway, as anyone who wants to contact me will know alternative ways.

  2. I'm just wondering how long it will be before facebook starts selling the addresses to advertisers - after all, they have to try and increase the revenue stream for all their nice new suckers - sorry, shareholders....

    • steveb · 1164 days ago

      You are way behind the NOW.. Slucker sold your info for over a yr now. Just before he talked about selling his stock..Ahhhh Poor you. DELETE your whole account.

  3. chris · 1165 days ago

    wow, they're sneaky lil buggers

  4. Freida Gray · 1165 days ago

    I changed all of my e-mail addresses except the one I use to log on to FB to the Only Me category when I edited my settings. The e-mail I use to log on to FB was changed to where my friends could see it.

  5. Colin · 1165 days ago

    When I went to check this I found to my horror that it also had my mobile number so I deleted it and immediately got an email to my 'real' address saying if I lost my p/w they could not unlock my a/c by text.
    I guess I must have given it just for this purpose, but how can one keep it invisible?

  6. Celia · 1165 days ago

    OK so I'm confused - where is my @facebook account - as far as I know I don't have an email account with that name to be able to access it, so if someone uses it where do the emails go?

    • Diana · 1165 days ago

      I have the same question ! ... Please can somebody answer it?

      • mindianaj0nes · 1164 days ago

        Hi Celia and Diana, emails sent to your @facebook.com account go to your Facebook messages: https://www.facebook.com/messages/

        One of the things I find most problematic about this whole thing is that in many cases, this will result in your never seeing the message. Unless the email is sent from an address that one of your Facebook friends has included (hidden or not) in their Facebook timeline, the email will go to your 'Other' inbox. You don't get notifications for messages in your 'Other' inbox, nor will you see them in your main Messages inbox. You have to click on the 'Other' option under 'Messages' in the left hand menu to see these messages, which almost always means these messages are missed. And depending on your privacy settings, the email may not even get to your 'Other' inbox, just get returned to sender with an automated rejection message from Facebook.

        As an independent consultant, I want to be as easy to get a hold of as possible. I keep my Facebook Timeline public, including an email address that I check regularly. By removing my email address from my Timeline and switching it out with one that doesn't even work, Facebook's making it harder for potential clients (who I don't know yet, which is why they don't have my email address already) to reach me. AUGH.

        • Nigel · 1157 days ago

          Hmmm...could it possibly be that you are under the delusion that Facebook exists to make ANYTHING easier for you?

          Facebook exists for one purpose only--namely to lure you into using their "free" site so they can commoditize your personal information and use it to generate revenue. The myth that it's "free" is just rubbish. YOU pay for it, and the cost is your loss of privacy, your exposure to greater security hazards, and the risk that information about you will be used in ways that are not in your best interests...in ways that you can't even imagine.

          Such is the nature of the mischief engendered by blind belief in the "free flow of information". It's NEVER free, the cost is always greater than you think...and with Facebook, you're the one who's paying it.

          With each passing day, Facebook provides me with ever more reasons that I am SO glad I deleted my Facebook account.

  7. John Allred · 1165 days ago

    I believe I will take my time and lose sleep on this major problem that we must solve. I'll take a nap and forget about it....

  8. Mark · 1165 days ago

    What's interesting is that changing my email address shows up in my timeline as "Mark changed his website." No, facebook... no I didn't.

  9. Will G. · 1165 days ago

    Just what I need: Facebook having complete access to every e-mail I send or receive through their system. Ha! Not on your life!

  10. Jenn · 1165 days ago

    I've tried to change my email settings so that the @facebook email address not only isn't my primary contact address, but that it is deleted completely. Not surprisingly, you can't delete that email, but even more questionable is the fact that no matter how many times I've changed and saved the info so that Facebook uses the email address I specify as my contact email, Facebook continues to revert back to the @facebook.com email address as my primary contact email. Hmmm, really makes you wonder how many of your 'privacy settings' they actually honor...

    • Annathule · 1164 days ago

      Ha! I just found that out! I'm like, "wth???" I want folks who know my addy to be able to search for me. I haven't seen whether they can search for me if they know my email (the proper one!). It's the ONLY way to flip through about 5 thousand "Christine's" when I don't use my image as my avatar!

      And if they can STILL search for me by the email I want, doesn't that still bring up the fact that the one I want shown is the one I log in w/, one piece less a hacker has to figure out?? I think I'm leaving it "@facebook". So much for long lost friends finding me...but then, they don't know my email, do they? What a cluster...k.

  11. Dan · 1164 days ago

    This act actually plugs a security hole. The majority of people use their main e-mail address to sign in to facebook, so a fake e-mail can imitate facebook, and may ask members to login on a special link.

    Most members leave their security set to show your e-mail address, which allows hackers to stick this in to the facebook password cracker, and gain access to your account. Most people have never set their security to show their e-mail to "me only" status, and thus hide it from the hackers. Now with the facebook addy, the facebook login e-mail address is protected.

  13. David Cosloy · 1164 days ago

    They have changed the process since this was written; you can put whatever email you want--the Facebook email stays put!!!! I tried to delete it. It just comes back into my page! Devils.

  14. JohnC · 1164 days ago

    Facebook and system security go together like oil and water. Gave up trying to secure my account as Facebook keep altering their security settings: result - closed the FB account permanently three days ago!

    Good riddance!

  15. I just got an email from Facebook saying that I removed my facebook.com email. The problem: I was gone at a wedding when the alleged action took place. It says that I need to click a link within my email if I didn't do this and someone else got into my account. Is it true or a phishing scam, or is it something of a whole other caliber? Please help me. I've been following you guys ever since I noticed your YouTube channel!

  16. PAB · 1099 days ago

    I received some email in my Other Inbox from someone who is not in my friends listing. However, it does not show the sender information.

    Could you please tell me how I can get the sender information ? It just does not display it anywhere..!! This was before I read your post and could action the email address from not displaying to "Public"

    Please help. Thanks!

  17. Bryan · 1017 days ago

    I noticed the setting of our personal and facebook email as well. Recently I have been having an issue where I suspect my FB account got hacked, because I found that somebody hacked into my account and changed my FB settings, i.e. Hide List / Block List.

    I suspect it is one of the friends inside my friend list whom I hid from viewing part of my info and photos.

    Is it very easy for people to hack our account as long as they know our login email?

    If we have locked and hidden our email in the FB settings, like the above screenshot, does it mean that if, let's say, you have some friends who are searching for you and want to add you, they are no longer able to search for you once you have applied that setting?

    My sibling tried to search by my email; they can't find my account when they key in my email. Same goes for my name.

    Is there any way we can hide our email but people are still able to search for us? This is because I want to prevent that hacker (who used to be one of the friends in my friend list, but once I noticed his true colours I unfriended and hid him, yet he still signs up many fake accounts trying to add me).

    Hope that you guys are able to guide and help me on this. Many thanks.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley