Microsoft spokeswoman Leslie Hui acknowledged the company is aware of the problem, but didn't say for how long it has known, or when access to supposedly expired buddy lists would be closed off.
The glitch first came to light more than a year ago. Dmitri Alperovitch, a software developer and part-founder of Encryption Software, left a message at BugTraq in July 1999 detailing the programming glitches. He didn't indicate that the possible holes had created any real problems.
"I don't think anybody really knew that contacts wouldn't be cleaned out," says James Nelson, a systems administrator at Cisco Systems. Recently he found out otherwise.
On August 14, Nelson posted a warning at BugTraq. He writes that when his account expired after four months of inactivity, he tried to reregister it. Microsoft employees told him his account had never existed, so he registered the same account name from scratch. To his surprise, his old buddy list came up.
Later, he writes, someone else was using his identity through a different account of his that he no longer used.
"One day, someone unknown appeared in my contacts list. Turned out that someone had registered that [by then canceled] account, and had inherited my contacts list," Nelson says in his posting.
"The first time, I thought it was a fluke," Nelson says. "It's not a huge thing, but it is sort of disturbing."