Today I received a couple emails confirming my reservation at the Best Western Appletree and thanking me for opening up a new expedia account. I hadn't made the reservation and called expedia. At the same time, I requested online that my username and password be sent to my email. The interesting thing about expedia is that more than one user name can be registered to the same email. A Michael T. R had created another account with my email address and booked the hotel.

I am not sure what to think of this. It looks like a very serious security flaw to me.

Don't like your boss? Book a rental car and a few (unconfirmed) hotel nights in some offbeat country and create a new account under her name/email address. It sure got me riled up for a few minutes

But is "Michael T. R" your name? And was it using your credit card?

Even if it is your name, if it's not your card, it doesn't matter.

Not only is it the same as if you reserved airline tickets over the phone using someone else's mailing address, but Expedia isn't really part of the equation here.

No, it's not. It's just Michael R, no middle initial. He was using his credit card to make the reservation and you are right, anyone can make a purchase, reservation, what not, in anyone's name. However, there should still be only one user name per email address allowed. On top of that I know his user name AND password now. It's really his own fault by entering a wrong email address in the first place but he shouldn't have been allowed to enter one that is already assigned in the system.

I disagree with you on this one. I think its fine that you have multiple accounts/people feeding into a single email address, lots of families share only one account for all members.

This particular situation is clearly the other guy's fault for messing up the email address. There is no "identity theft" going on here, they haven't taken anything from you -- he gave away his name and password (again, his fault not a theft!) by messing up the email address. The appropriate credit card was used for the reservation and that is the most important part. You'd think when he didn't get his hotel confirmation, he'd figure out there was a problem and correct it.

But families can easily share one acount and have itins mailed to the other members. why not have the email address as the user name?

I forgot to write that when I requested that my username and pwd be sent to me that they sent me mine and his giving me access to his account. Expedia does clear the credit card info when the uname/pwd is requested.