Microsoft is investigating a complaint that expired Hotmail accounts retain the linked MS Instant Messenger buddy lists, and those lists are available to the next person who registers the same e-mail address on a Hotmail account.
Microsoft spokeswoman Leslie Hui acknowledged that the company is aware of the problem, but didn't say how long it has known about it or when access to the supposedly expired buddy lists would be closed off.
The glitch first came to light more than a year ago, when Dmitri Alperovitch, a software developer and part-founder of Encryption Software, posted a message to the Bugtraq Web site in July last year detailing the programming glitches. He didn't indicate that the possible holes had created any real problems.
"I don't think anybody really knew that contacts wouldn't be cleaned out," said James Nelson, a systems administrator at Cisco Systems. Recently he found out otherwise.
On 14 August Nelson posted a warning at Bugtraq. He wrote that when his account expired after four months of inactivity, he tried to reregister it. Microsoft employees told him his account had never existed, so he registered the same account name from scratch. To his surprise, he wrote on Bugtraq, his old buddy list came up.
Later, he wrote, someone else was using his identity from a different account that he no longer used.
"One day, someone unknown appeared in my contacts' list. Turned out that someone had registered that (by then canceled) account, and had inherited my contacts' list," Nelson wrote in the posting.
"The first time, I thought it was a fluke," Nelson said in a telephone interview. "It's not a huge thing, but it is sort of disturbing."