From blog.avast.com
A new paper by the Microsoft Security Response Center explains account pre-hijacking, where attackers open an account with the victim’s email address then lie in wait for the victim eventually to join the site. Once the victim joins the site and breathes life into the account, the attacker takes full control, icing out the victim from their own account. Researchers noted five variations of this attack: the classic-federated merge attack, the unexpired session identifier attack, the trojan identifier attack, the unexpired email change attack, and the non-verifying IDP attack. For more on each, see Bleeping Computer.