Facebook's new malware target

Facebook is hoping that by quietly swapping your default email address it will get people using the @facebook.com email service. But the system may also prove fertile ground for spammers, budding cyber criminals and malware.

Have you checked the contact information you list on your Facebook profile?

Chances are that it's now listing an @facebook.com email contact address for you.

Facebook email address on user's profile

You can thank Facebook for making that change without telling you.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users' profile pages).

Facebook addresses matching Timeline address

However, the social network didn't make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site's plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

If you don't want your @facebook.com email address to be displayed on your profile, you should change your settings.

  • Click on the "About" tab on your profile
  • Go to the section marked "Contact info" and choose "Edit"

Facebook contact info

  • Adjust the settings to choose which - if any - of your email addresses (including the new @facebook.com email address that you have been given) you would like to appear on your timeline, and who has the rights to see it. (You might also want to ask yourself: if someone is really your friend, wouldn't they already know your email address without having to look it up on Facebook?)
  • Press "Save" and you're all done.


Of course, you shouldn't be fooled into thinking that hiding your @facebook.com email address makes it impossible for someone to work out what it is. After all, it now matches the public username in your profile's URL.

According to Facebook, by default anybody on the site can send you a message, and anyone on the internet can email you at your new "username@facebook.com" address.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

If you don't like such a wide variety of people being able to send you messages, you will need to change your settings.

  • Click the account menu at the top right of any Facebook page and choose "Privacy Settings".
  • Next to the "How You Connect" heading, click "Edit Settings".
  • Select your preference from the dropdown menu next to "Who can send you Facebook messages?". Remember that "Everyone" means not just everyone on Facebook, but everyone on the entire internet.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network's messaging system.

My guess is that it won't be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Graham Cluley is a senior technology consultant for Sophos and a writer for Sophos Security blog. You can see his profile and his other work here.