>One thing that may have prevented this hacking: Facebook could have noticed that the primary email for the user was for an expired domain, and proactively notified them to remove it.
Almost any website, app or online activity that requires logging in uses email-based authentication. Do you think all existing web sites and apps should verify the expiration of mail domains? And what about phone numbers? A user can lose his phone number; should they verify that, too?
>Do you think all existing web sites and apps should verify the expiration of mail domains?
No - it probably wouldn't be worth it. But it could absolutely be worth it (weighing bad outcomes against amount of effort needed to prevent those outcomes) for the biggest sites with billions of users.
... especially when they won't otherwise offer recourse/support in case of rare events like this. Rare events become less rare when there are billions of users.