Proton May Start Recycling Abandoned Email Addresses
In a post to the r/ProtonMail Subreddit, Proton quietly announced they are considering a change to their longstanding policy of not recycling mailbox addresses.
No decision has yet been made on whether these emails will actually be released to new registrations. According to Proton they are simply gathering community feedback about the potential change.
Proton says that many usernames which are locked away are due to the lack of anti-abuse technology they had in their early days, and most of them have never actually been used by legitimate users.
However, recycling email addresses has always been a controversial and discouraged idea in the privacy and cybersecurity space. Old email accounts may still receive messages long after the mailbox has been deleted, and these accounts may appear in past data breaches and other data sets that malicious users could use to try and hijack older accounts if they are once again made available to the public. Proton themselves notes this is a concern in the announcement:
Note, some usernames, in particular high value ones with common names (e.g. firstname@proton.me) have been disabled for close to a decade, but actually get email traffic as over the years, people randomly enter them into email forms across the internet (they even end up in breach datasets as a result). If you go to claim one of these common emails, keep this in mind.
Members of the Privacy Guides community were largely unconvinced that this change would be positive:
Simon
Subscriber Discussion