What you need to know about Facebook sneakily swapping users’ default email addresses to @facebook.com

Have you checked the contact information you list on your Facebook profile?

Chances are that it’s now listing an @facebook.com email contact address for you.

Facebook email address on user's profile

You can thank Facebook for making that change without telling you.


Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

Facebook addresses matching Timeline address

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

If you don’t want your @facebook.com email address to be displayed on your profile, you should change your settings.

  • Click on the “About” tab on your profile
  • Go to the section marked “Contact info” and choose “Edit”

Facebook contact info

  • Adjust the settings to choose which – if any – of your email addresses (including the new @facebook.com email address that you have been given) you would like to appear on your timeline, and who has the rights to see it. (You might also want to ask yourself: if someone is really your friend, wouldn’t they already know your email address without having to look it up on Facebook?)
  • Press “Save” and you’re all done.

Facebook email address and URL

Of course, you shouldn’t be fooled into thinking that hiding your @facebook.com email address makes it impossible for someone to work out what it is. After all, it now matches the public username in your profile’s URL.

According to Facebook, by default anybody on the site can send you a message, and anyone on the internet can email you at your new “[email protected]” address.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

If you don’t like such a wide variety of people being able to send you messages, you will need to change your settings.

  • Click the account menu at the top right of any Facebook page and choose “Privacy Settings”.
  • Next to the “How You Connect” heading, click “Edit Settings”.
  • Select your preference from the dropdown menu next to “Who can send you Facebook messages?”. Remember that “Everyone” means not just everyone on Facebook, but everyone on the entire internet.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Further reading: FAQ: Security and Facebook’s new messages system.

If you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
