Threats: Targeted Attacks, Anonymity
Mailbox.org will recycle an inactive address after between 90 days and 2 years, depending on your account type. A Mailbox forum discussion can be read here.
A malicious actor could re-use your email after the recycling period and trigger password-reset requests on third-party services connected to that email if 2FA is not enabled for each service.
In the event of your death, incapacitation or simple loss of access, this risk becomes greater as time goes forward, for yourself and for entities connected to you. Impersonation attacks become plausible due to hackers potentially gaining access to recovered accounts and your identity.
Even non-malicious actors may unintentionally recover accounts without meaning to if they go to sign up to the same service that the prior address-holder had.
There is a Digital Legacy feature that can pass your account on to a trusted party if you choose to, but would such a person know what to do with it? Would they realize that they are in a situation where they have to either pay to keep the account alive, or disconnect all third-party registrations from the email?
I understand that the perfect use of a custom domain or an email aliasing service nullifies this issue significantly (not completely). It is bad privacy practice to dismiss security flaws because secondary services rectify it.
Proton and Tuta
Proton’s wording leaves some ambiguity. They state that “Truly previously active accounts which become inactive are generally not recycled.” This is apparently assessed on a case-by-case basis. To me this is not robust or clear enough; I would prefer if they explicitly stated what defines a truly active account, or that they only recycle zero-history addresses.
Tuta will never recycle an address. This should be mentioned under ‘Account Termination’.
Thoughts
‘Security > Minimum to Qualify’ should include ‘Address never recycled’.
People should be aware of this major lack of security and foresight by commonly referenced providers Mailbox.org, Posteo, Fastmail, and Mailfence (claims to be on their roadmap).