Hacker News

Many people used @hotmail.com addresses back in the days (or other free e-mail providers) to register their ICQ number. Heck, you could even search for people on ICQ who were using @hotmail.com addresses. Eventually, those @hotmail.com addresses expired, and you could reregister them. Once you did that, you could recover the ICQ password, and bingo. The old UINs (what the UUID was called back then) were often not in use anymore (my memory is vague if I ever encountered one in use, I think it happened once and I struck a friendship with the one person who msged me). I traded many of these UINs away to friends. Even told some friends about the trick. I never sold them. Eventually the supply dried up.

The weakness lies partly in ICQ: they allowed to easily find all these people using @hotmail.com e-mail address and even showed this information. Sure, you could disable being part of this feature (IIRC it was called "yellow pages" or something akin to it) but still.

The other part of the weakness is exactly the very issue of domain squatting, username squatting, e-mail squatting or whatever you want to call it. I understand Microsoft wants to save space on their e-mail servers back in the early '00s but: former username should be frozen and their e-mail could be either bounced or silently rejected to /dev/null or whatever's the Windows equiv.

Blizzard's WoW has the rule that you can only get a username from an inactive account. An inactive account is an account which did not play the previous expansion. That's their compromise. To be fair, it is not like people use WoW usernames for password recovery.

As for using numbers as username: that is what UNIX does under the hood, it is what Facebook does under the hood as well, it is what Blizzard's WoW does under the hood as well, and what T9 converts to as well, and ICQ did as well in contrast to MSN. Turns out people are lousy at remembering a bunch of numbers. So they resort to 26 character system of letters, or 36 character system of letters plus numbers. (Some services are more or less strict.) So, no, using numbers as human-usable UUID is not a solution but using it under the hood is totally OK.
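The two mitigations the comment argues for, a provider that freezes released addresses instead of recycling them, and a service that refuses recovery to a mailbox created after the account bound it, as a small added model. This is example code, not anything from the original post or from ICQ or Microsoft; the provider and service classes, the `example.com` addresses, the UIN and the timestamps are all constructed for illustration.

```python
"""Toy model of two defences against account recovery through a recycled
e-mail address (added example, not code from the original post):
  1. the mail provider tombstones a released address ("frozen"), so mail to
     it bounces instead of reaching a new owner;
  2. the chat service refuses password recovery when the bound mailbox was
     (re)created after the binding happened.
All names, timestamps and policy details here are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MailProvider:
    """Address registry that freezes released addresses instead of recycling."""
    active: dict = field(default_factory=dict)   # address -> creation time
    frozen: set = field(default_factory=set)     # released, never reissued

    def register(self, address, now):
        if address in self.frozen or address in self.active:
            return False                          # frozen names are gone for good
        self.active[address] = now
        return True

    def expire(self, address):
        self.active.pop(address)
        self.frozen.add(address)

    def deliver(self, address):
        """'ok' for an active mailbox, 'bounce' for a frozen or unknown one."""
        return "ok" if address in self.active else "bounce"


class RecyclingProvider(MailProvider):
    """The behaviour the comment describes: expired addresses go back into the pool."""
    def expire(self, address):
        self.active.pop(address)


@dataclass
class ChatService:
    accounts: dict = field(default_factory=dict)  # uin -> (address, bound_at)

    def bind(self, uin, address, now):
        self.accounts[uin] = (address, now)

    def recover(self, uin, provider):
        """Decide whether a recovery mail for `uin` may be sent to its bound address."""
        address, bound_at = self.accounts[uin]
        if provider.deliver(address) != "ok":
            return "refused: address not deliverable"
        if provider.active[address] > bound_at:
            # Mailbox is younger than the binding: someone re-registered it.
            return "refused: mailbox created after it was bound"
        return "sent"


def scenario(provider_cls):
    """Alice binds a mailbox, lets it lapse, and a stranger re-registers it."""
    t0 = datetime(2001, 1, 1)
    mail = provider_cls()
    icq = ChatService()
    mail.register("alice@example.com", t0)
    icq.bind(12345678, "alice@example.com", t0 + timedelta(days=1))
    mail.expire("alice@example.com")                                # Alice stops using it
    mail.register("alice@example.com", t0 + timedelta(days=400))    # a stranger tries it
    return icq.recover(12345678, mail)


def recover_before_expiry():
    """Control case: the legitimate owner recovers while the mailbox is still hers."""
    t0 = datetime(2001, 1, 1)
    mail = MailProvider()
    icq = ChatService()
    mail.register("alice@example.com", t0)
    icq.bind(12345678, "alice@example.com", t0 + timedelta(days=1))
    return icq.recover(12345678, mail)


if __name__ == "__main__":
    print("frozen provider:   ", scenario(MailProvider))
    print("recycling provider:", scenario(RecyclingProvider))
    print("legitimate owner:  ", recover_before_expiry())
```

With the freezing provider the stranger's registration fails and recovery mail bounces; with the recycling provider the registration succeeds, and only the service-side age check stops the recovery. The second check assumes the service can learn the mailbox creation time from the provider, which real providers do not necessarily expose; the point is that either party can close the hole on its own.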


