New research done by Lucas Lundgren of IOActive shows just how simple it can be to get control of a target s email account. Lundgren found that with just the data he gathered online from Facebook and other sites, he had little trouble getting into the inboxes. A password-reset request for the Gmail account generated an email that was sent to the compromised Hotmail account, giving Cerrudo the ability to change the Gmail password and take over the account. The attacks don t require any real technical knowledge, just an understanding of the way that Web sites handle user-reset requests.
Source: https://threatpost.com/own-email-own-person-082012/76928/