You can re-register deleted Outlook accounts without security checks

...and then use them to recover bank details/accounts.

In 2014 I migrated away from Microsoft products. I moved all but a few disused accounts over from my Outlook address to a new Tutanota email address and then deleted the account through Outlook’s settings.

Because last week I fancied playing games on my old Steam library, I tried to recover my old Outlook email so Steam could send a password reset link (as I never migrated Steam to Tutanota). I tried to recover the email but could not as in Outlook’s database it didn’t exist.

Out of curiosity for what would happen, I tried to register my old email address from scratch. It worked without having to verify any old passwords or security questions. All my old emails were gone but this did enable me to receive Steam’s password reset email.

This seemed like very poor security practices on the part of Outlook and I wanted to see how far I could push it, so next I tried to recover my Paypal account.

As, soon after migrating my Paypal account to my Tutanota address, I had to create an entirely new account for business purposes, my old account fell into disuse. I sent an email to Paypal customer support stating that my login no longer worked and that I feared my account had been compromised. As no transactions had been made since I changed the email account on file with Paypal, customer support were able to bypass all fraud proceedings and simply revert my account email to my old Outlook address and send me a reset link (as obviously I was the account owner, since I had access to the original email address). My Paypal account still had my active card linked.

Put simply, I recovered access to the entirety of my bank account by registering an email address anyone could’ve registered.

This could be exploited en masse quite easily by brute-forcing a list of Outlook accounts until you get lucky.

Microsoft won't respond, so I'm making this public.

16 points | by mnbghj 2439 days ago
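The thread turns on what a provider and a relying party can do about a recycled address other than the "permanent blacklist" the comments dismiss. The following is an added example, not code from the poster, Microsoft or PayPal. It models two defences: a hold period on deleted addresses before anyone can re-register them (the 60-day value is an assumption, not a known Outlook policy), and a delivery check in which the sender of a password-reset mail states the date it last verified the recipient address and the provider refuses delivery if the mailbox changed hands after that date. The second check is the idea behind the Require-Recipient-Valid-Since mechanism of RFC 7293; only the decision logic is modelled here, not the SMTP or header syntax. All names, addresses and dates are constructed.

```python
"""Constructed model of two defences against recycled e-mail addresses being
used for account recovery.  Not Microsoft's or PayPal's code.

1. Provider side: a deleted address is held before it can be re-registered.
2. Relying-party side: a reset mail carries the date the recipient address was
   last verified; delivery is refused if the current holder acquired the
   mailbox after that date (the RFC 7293 idea, decision logic only).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD_PERIOD = timedelta(days=60)  # assumed cooling-off period, not a real Outlook value


@dataclass
class Mailbox:
    owner_id: int                     # opaque id of whoever holds the address now
    acquired_at: datetime             # when that holder registered it
    deleted_at: Optional[datetime] = None


class AddressRegistry:
    """Minimal e-mail provider: maps addresses to live or tombstoned mailboxes."""

    def __init__(self) -> None:
        self._boxes: dict[str, Mailbox] = {}
        self._next_owner = 1

    def register(self, address: str, now: datetime) -> int:
        """Hand the address to a new owner, unless it is live or still on hold."""
        box = self._boxes.get(address)
        if box is not None:
            if box.deleted_at is None:
                raise ValueError(f"{address} is in use")
            if now - box.deleted_at < HOLD_PERIOD:
                until = box.deleted_at + HOLD_PERIOD
                raise ValueError(f"{address} is on hold until {until:%Y-%m-%d}")
        owner = self._next_owner
        self._next_owner += 1
        # A fresh Mailbox replaces the tombstone: the new holder gets a new
        # owner_id and acquisition date, which is what should_deliver keys on.
        self._boxes[address] = Mailbox(owner_id=owner, acquired_at=now)
        return owner

    def delete(self, address: str, now: datetime) -> None:
        box = self._boxes[address]
        if box.deleted_at is not None:
            raise ValueError(f"{address} already deleted")
        box.deleted_at = now

    def should_deliver(self, address: str, valid_since: datetime) -> bool:
        """RRVS-style check: deliver only if the current holder already held
        the address on `valid_since`, the date the sender last verified it."""
        box = self._boxes.get(address)
        if box is None or box.deleted_at is not None:
            return False  # nobody there: bounce rather than deliver to a stranger
        return box.acquired_at <= valid_since


def recycled_address_scenario() -> dict:
    """Replays the situation from the post with constructed dates: an address
    registered, bound to a relying party, deleted, then re-registered years
    later.  Returns what each defence decided."""
    reg = AddressRegistry()
    addr = "old-user@example.com"
    t_register = datetime(2012, 1, 1)
    t_bind = datetime(2013, 5, 1)          # relying party verified the address
    t_delete = datetime(2014, 6, 1)
    t_early_retry = t_delete + timedelta(days=10)
    t_reregister = datetime(2020, 3, 1)

    original_owner = reg.register(addr, t_register)
    delivered_before_deletion = reg.should_deliver(addr, t_bind)
    reg.delete(addr, t_delete)

    try:
        reg.register(addr, t_early_retry)
        early_blocked = False
    except ValueError:
        early_blocked = True

    new_owner = reg.register(addr, t_reregister)   # after the hold: allowed
    return {
        "reset_mail_delivered_before_deletion": delivered_before_deletion,
        "early_reregistration_blocked": early_blocked,
        "address_changed_hands": new_owner != original_owner,
        "reset_mail_delivered_after_reregistration": reg.should_deliver(addr, t_bind),
    }


if __name__ == "__main__":
    for key, value in recycled_address_scenario().items():
        print(f"{key}: {value}")
```

The hold period only delays re-registration; the delivery check is what stops the reset link in the post's scenario, because the relying party's verification date predates the new holder's acquisition date. It needs the relying party to record when it last verified an address and to state that date when it sends sensitive mail, which is the operational cost of the mitigation.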

4 comments

  • jaclaz 2439 days ago
    As often happens, I don't see the "scandal".

    How does it work in the "real world"?

    You get a P.O. Box.

    You leave that address, the Post Office re-rents it to someone else.

    I would guess it should be your concern to make sure all the people who know that address do not send anything to it and/or to change all references to it.

    By the same token it is your responsibility to change all your current subscriptions/whatever updating the e-mail address to a new, valid one, the sheer moment you delete the "old" account.

    • CM30 2439 days ago
      Yeah, this. What exactly do people think should happen to an abandoned email address? That it gets put on some permanent blacklist because of 'future security issues'?

      At the end of the day, it's like everything from addresses to phone numbers and domain names. Once you stop using them, they return back to the pool of available options for someone else to use instead.

  • icebraining 2439 days ago
  • Mz 2439 days ago
    You knew a lot of insider info about yourself. Brute forcing registration of Outlook accounts in no way guarantees they will be connected to a PayPal account etc.

    I imagine there are easier ways to extract money from people. There are too many unknown unknowns here.

  • Andrenid 2439 days ago
    Same goes for a lot of services I've found... but it doesn't seem to be talked about much.

    The fact it happens for a service as massive as Outlook is unforgivable though.