Not OK Cupid – A story of poor email address validation (fastmail.com)
129 points by brongondwana 81 days ago | 118 comments



Companies that allowed others to create accounts with my email addresses:

PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.

Companies that spammed me in the last 24 hours because they don't validate emails addresses they add to their mailing lists (maybe there are accounts too, IDK):

NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.


Someone signed up to Amazon with an email address of mine, and saved their credit card details.

I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.

The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.

Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.

I haven’t had any people reverse-hacking themselves for a while now.


I thought about doing something mildly nefarious with someone's PayPal account that they added my address to, but didn't want to chance legal problems. Instead I just logged into their account and removed my email address and logged out.


PayPal is certainly trickier. I felt more comfortable testing with buying Amazon Prime through an Amazon account, because it would be easy for them to refund.

I assume I thought of trying to remove the email address! :) I sometimes forget they’re not necessarily the only identifiers, and some accounts let you use a mobile number instead. Probably there wasn’t a mobile on the profile.

It would be nice if all accounts used a username, and allowed you to not have an email or phone if you tick a box saying “I don’t care if I get locked out of this account forever if I forget the password”.


Email is probably important as a spam-prevention measure. Without the necessity of validating an email or a phone number, one can create an unlimited number of accounts.

One can of course create any number of emails from a server/domain they own, but that requires more skill.


You are probably technically violating the CFAA when you do this. Having your email address accidentally associated with the account isn't authorization.


Aren't they the ones violating CFAA? They made an account for GP then accessed it without authorization.


People make mistakes. Just because someone made a mistake isn't permission to commit a crime against them.


Accidentally signing up once is a mistake. One person signing up for products, credit cards, unemployment, medical bills, television services, payday loans, mortgages, jobs with my email address over a 6 year period isn’t a mistake. This is some middle age dude in middle America.


What gives you the confidence to say that it was a single individual and not just a common email name which lots of people accidentally used?


I get regular emails intended for my doppelgänger, and have for many, many years. I know her entire family by proxy—we’ve effectively moved through the same stages of life together, in parallel, across the globe. For a while I used to respond to the more important-seeming messages, but it’s more mailing lists now. She and I are very far away physically—and it’s hard to say whether she knows about me at all, as I don’t mess up the email address in our collective name…

Oddly enough I’m still not sure of her correct address, only those of her correspondents. And in some cases family members.


> What gives you the confidence to say that it was a single individual

Because you can see their first name and last name on the emails you receive.


And addresses, I even knew when he was sending his mistress nicer flowers than his wife.

I get other people’s email too, just this guy has been more prolific than others.


It's not particularly likely to be tested for most types of online accounts, but if you told a judge that you thought the person had created an account for you to use, the judge would tell you to stop lying, they would not congratulate you on your clever argument.


What email are you using that's so popular that dozens of people are (inadvertently?) entering it in all these businesses?

Are you "[email protected]" or something like that?

I'm [email protected], and I have had maybe a half dozen instances in the past decade.


I have first initial / last name at gmail for a common Irish name. My wife has first name last name.

There’s about a dozen people who routinely use my email address. The Washington post let someone subscribe for a year without any validation. One dude lost a job offer because they couldn’t contact him. One woman was the general manager of a factory and emailed “herself” with a VPN client and excel spreadsheet with passwords to access the factory’s IT and SCADA systems. A detective sent crime scene videos. The most recent is a guy in Scotland who isn’t paying his electric bill.

My wife had someone who has stolen her accounts via retail employee resets at CVS, Sephora and others. She’s an executive at a big wall st bank, and spends a lot on makeup - my wife got lots of points when she reset the Sephora account back.


I have a common lastnameinitial @ email provider. It's the same username from my mainframe days. Some people with a similar surname use that, probably because they either don't want to receive emails or because they are just... I don't know, clueless?

Usually I take over an account and change the password. Then add 2FA if possible and update the details to my name and address. This way people can't say it's their account anymore.

A couple of times there were credit card numbers. I just delete those if possible.

I have cancelled hair appointments and car services. I have received flight information multiple times. I have locked out an account on a French dating site, which had some interesting exchanges (the guy's missing out!).

I did not cancel a vet appointment. Pets need to see a vet and their owners being dumb is not an excuse. I won't interfere with that. But I did book a full grooming for a week after.

When I take over I just use a random password from Bitwarden and don't even bother saving the account, as I don't plan to ever use these again.


Have done all that without suffering any sense of guilt?


Yes. Also received invoices, past due notices and more.

A couple of times I contacted the companies to let them know their notices did not reach the right person. No reply or acknowledgement.

Both sides are bad. Not my problem. My problem is people using my email and creating trash in my inbox.


You are being an asshole to people who made a simple mistake, just because it caused you the mildest inconvenience.

Every time this sort of thing happens I make my best effort to inform all the parties involved, and block the senders as a last resort.

Be a better netizen.


Generally speaking, it seems people get it wrong when things are created over the phone etc. My firstname lastname is not common, but if one uses firstname.middlenameinitial.lastname you can be sure that several people, when noting their email, will skip the initial, same if you have a suffix. I had banks, credit cards, social security related stuff being registered to my email; generally it lasts a few weeks to be fixed.


I have lastname first initial @ gmail, and I wish I didn't. I have started using it for school related stuff for my kid, and other places where I want to present as normal, but mostly I get garbage from a set of about 4 people who share my last name and first initial, but don't know their email address (I don't know it either!).

Lots of car dealers and travel reservations. Ugh. I've got a couple job application responses, and usually get a nice email from the sender when I respond and let them know the email was misdirected.

I used to get a lot of mail directed to people whose organization's domain has an extra letter compared to mine, but I think they must have figured it out, or closed down. I used to add their mistaken addresses to be rejected if sent to and have to update when they got a new employee (their IT person sent me the new user stuff once, sigh), but that stopped happening. I got some invoices for them that looked kind of shady, but they're in Brazil, and I can't navigate the system down there to forward it to someone who would find it interesting.


first.last@gmail.

Common-ish English names, uncommon combination, but apparently common enough (did a quick search and there are at least 20 in the U.S.)

The Apple one was a catchall @lastname.com (a different first name than mine, but same last name)


See also:

https://xkcd.com/1279/ - Reverse identity theft

Having an email address that resembles a real name is a blessing and a curse.


Ashley Madison is another, then they tried to change for delete.

Twitter is another back in the day, but that doesn't impact employment like Ashley Madison does due to the leaks.


Accounts: Don’t remember all, but at least Instagram, TikTok, Ebay and some dating site (not OkC) had accounts created for my mail.

Newsletter: A German plushie store (Steiff) and some kind of wellness place. 2 democratic congressmen.

In all cases it’s the same, I mark them as spam and block them.


Also Uber, I keep receiving mails from users who used my domain, on my catch all mail


Ah, Apple -- I had that happen to me with them too. Had to contact their support to get the account closed. Infuriatingly, they were adamant that I must have approved the sign up email. Obviously I never received such an email.

To this day I wonder what path the mystery usurper followed to sign up my email address without validation.


Add AT&T to your first list.


venmo does it too


Ugh. Then there's the general stupidity of forcing people to use E-mail addresses as user IDs. It's not just annoying, but also a security blunder. The general public can't be counted on to understand that when they're forced to use their E-mail address as an ID, they don't have to use their E-mail account's password for it.

That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.

Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.

It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.

But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.

It's too bad. OKCupid was the best of the dating sites during its heyday.


Related stupidity: "Security Questions" that enable someone to take over your account just by collecting not-so-secret information that is often shared because the site insists you pick from their own set of questions which other sites have already used.


The best way to tackle "Security Questions" is to generate a passphrase, store in your password manager, and use that for the answer.

In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.


That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.


1Password actually has built-in support for that very flow: https://support.1password.com/generate-security-questions/#c...

The only thing is you sometimes have to warn the customer service agent that you have an unusual answer to "childhood best friend" but otherwise I've never had a problem with it


"Can you tell me the name of your favourite teacher... hmm..."

"Oh, it's a load of random letters and numbers, starts with X"

"Yes, let's proceed"

Happened to me once, I can't remember the company as it was many years ago.


I don't mean to discount your experience, and I'm guessing the social engineering opportunities are unlimited no matter the protections, but the screenshot I provided shows that by default it uses words, not password-style, generation so your childhood best friend would be "couch tulip wheel" and not cafe8675309$


There's other good reasons not to use a random string! Try calling up customer service, they'll ask you the question, and you can say "oh it's just a bunch of random letters and numbers".

Unlike a code or password, these security questions are fuzzy matches generally based on the judgment of a human on the other end.


Definitely, but it's very hard to convince your whole family to adopt this practice...


I choose answers that only barely make sense. ie...

"Where is your favorite vacation spot?"

Narnia

"What was your first pet's name?"

Falkor

Even my closest friends who know me would never guess those, even if they knew I was giving bullshit answers, simply because I was never into "The Lion, The Witch, and the Wardrobe" or "Never Ending Story".

(Note: These are not ACTUAL answers I've given, but you get the idea)

I save the bullshit answers into my password manager. But yeah, it's probably a better idea to just use an actual pass phrase.


The problem becomes when a CS rep needs you to answer those questions on the phone.

How do you handle that?


Not parent poster, but generating a sequence of randomized dictionary words will work provided the answer-field isn't too small and none of them are too hard to spell.


This question reminds me of another brain-dead and rather incredible password policy I encountered. I was trying to set a password for United Healthcare. Their password requirements were shown, and I was complying with all of them. Yet it was failing over and over.

I finally called them to report the problem, and the first question out of the rep's mouth was, "Does your password contain swear words?"

I shit you not, UHC secretly audits your passwords for "swear words." Doing so is bad enough, but not mentioning it in the rules is doubly offensive for deliberately stealing users' time.


Make sure it is a plausible-sounding answer.

Don't give an attacker an opportunity to social engineer and say, "it was a bunch of random letters or words" and the customer service person lets them in because it looked like someone was just typing random stuff.

(Insert xkcd here)


Unfortunately you're right. Your email is an identity that follows you everywhere. In the world we live in, we need to make an email per service.


Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address.

Many use an email address provided by their ISP. What happens when they move out of that ISP's territory? Or, if they are someplace served by multiple decent ISPs decide to switch providers?

Many use addresses from gmail, outlook, yahoo, and similar. Those at least keep working if they move, but still have some risk. If you use multiple services from the companies that own those and do something to get banned from one of those company's services that might also get you banned from their email service.

Best if a site insists you use email as user ID is to use an email at a domain of your own. That won't be free because you'll have to rent the domain, and pay someone to handle your email (most people will not be up to running their own email server), but if the domain is at one of the long established TLDs and you don't do anything too illegal and it isn't close enough to the name of an established company that you could lose it over trademarks you can probably keep it for the rest of your life.

Whoever you use to actually handle your mail might go away or kick you off, but as long as you still have the domain you can switch to some other mail handler and point the domain's mail records in DNS to that new handler.

If you want to be sure that there is no risk of being accused of being a domain squatter or losing the domain in a trademark dispute pick a name that will not be at all similar to any business name or famous person name. I've got my ham radio callsign as a domain under the US TLD for example.

If you aren't using your own domain, at least check with any important site that you use that requires email as user ID to make sure they have a way to change the email so that if you do end up losing your current email you can update the site. That might not work if you lose the email without warning, but at least it can help in cases where you know you are going to lose the email such as switching to a new ISP.

It might also be a good idea to keep a list of all sites you are using where you will need to change the email as user ID if you are going to move, so fixing it can be part of your moving checklist.

In the US both of the login servers that more and more government agencies require you to use for online access, ID.me and Login.gov, use email as user ID. Both allow you to change that email (add the new email as a secondary email on the account, then change the new email to be the default email). It would be really annoying to not remember to do so until after you have lost the old email, and so find yourself unable to login to your IRS account or your Social Security account.


"Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address."

Exactly, which gave rise to the on-going multiple-Apple-IDs fiasco.


> When I tried to unsubscribe using the one-click unsubscribe button in one of the emails, I was met with an error: “Something went wrong, please try again later.”

I want to start a blog which is just shaming every company whose most basic functions don't work and there's no recourse. It happens at least twice a day to me. Like a financial services management company whose website can't load my financial information. Or a jobs site that offers me premium subscription but its payments page is broken and I can't even notify them because there's no contact method. Or half the unsubscribes on the internet that never work, or require me to login to unsubscribe but it won't let me log in.

Does anyone work at Google? Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser and click the search bar, if I don't wait at least 30 seconds, anything I type into the text bar not only is severely lagged, but then the letters appear in random jumbled order like the cursor is jumping? But if I wait it works fine?? Don't they make billions of dollars? Isn't this their whole product? What the hell is going on over there?!

The enshittification of technology is so extreme it feels like the whole web is constantly broken and literally nobody cares. If physical stores didn't exist and it was all online, I think riots would break out.


On this topic, I signed up for a new bank account online. They did not approve instantly, so I wasn't able to set up an account during the application. No big deal. A while later, they approved the application and invited me to sign up for an online account and do some setup with the account.

Of course, I can't do any of that without an account number which they haven't given me. I assume it'll arrive in the mail eventually.


>Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser

Define "the browser".


Nobody cares because the world has been taken over by organized crime, and to them you're just someone to be exploited.

And why doesn't an independent company just create a better product? Because they don't like competition. It's a racket.

You'll find that your suppliers give you outrageous prices (but discounted rates for their friends), that potential customers refuse to buy from you (you're blacklisted), and so on.


OkCupid is a terrible service. It disassociates real people who don't pay, and encourages fraudulent scams such as pig butchering. Bots are ridiculously easy to spot. You can end up in an endless loop of the same rejects unless you start blocking them.


On the other hand, I met my wife there and my two children wouldn’t exist if not for it. That said, the OkCupid of today and that of 2011 when I used it are probably quite different.


It probably started when they sold to The Match Group a while back.

I used it a little back in 2014, and again in 2021. The second time around, it was very different.

I don't know of any dating companies that focus on matching people versus optimizing for revenue.


Unfortunately most consumers are unwilling to pay what something is worth to them. Businesses are often the same so it isn't just consumer behaviour.

Meeting the right person should be worth a lot, and we should be happy to pay thousands for that.

Of course the profit depends on the user statistics too: I'm not sure what the economic term for profit thresholds for power law masses versus targeting - where say lots of users with a low profits per user (say advertising) beats reasonable profits per user (say kagle).


It's because we loosely understand that value based pricing is a scam.

An insulin shot at the right moment can be of unlimited value to the consumer. SaaS salesmen try to capture the entire value add a tool gives a user, but this seems to kill companies as the price a competitor can undercut by is huge (so much that the original price seems exploitative).

Basically any marketing based on the "value to me" I'm sceptical of.

An approach with transparency, that shows "this is what delivering an actually good product costs", might be possible...


The problem is most people won't send in a check to the matchmaker when they get married (or whatever the success criteria is). You've got to pay before the introduction, and you can't know if the introduction will be good before you have it.

E-Harmony seemed like it was going for the pay a bit more, one time, and you'll take who you get and be done. But I don't know if that worked for them.


> Meeting the right person should be worth a lot, and we should be happy to pay thousands for that.

We're happy to pay much more than thousands to marry the right person.

Meeting the right person doesn't do anything for you; why would you pay thousands for it?


"A Jewish man goes into the synagogue and prays. "O Lord, you know the mess I'm in, please let me win the lottery."

The next week, he's back again, and this time he's complaining. "O Lord, didn't you hear my prayer last week? I'll lose everything I hold dear unless I win the lottery."

The third week, he comes back to the synagogue, and this time he's desperate. "O Lord, this is the third time I've prayed to you to let me win the lottery! I ask and I plead and still you don't help me!"

Suddenly a booming voice sounds from heaven. "Benny, Benny, be reasonable. Meet me half way. Buy a lottery ticket!""


I think you'll find that the market price for speculative lottery tickets is very far below the value of winning the lottery. Do you not agree?


It made the news a while back when someone was offering $10k USD to anyone who introduced them to someone he would marry.

I would do the same, but I don't know how to make it feasible without sounding terrible.

I do often let people know I'm open to matchmaking if they know any women my age.


It seems like these dating services could hold the bulk of the money in escrow pending the marriage. Maybe you pay a few hundred up front, but a few thousand in escrow, and when you get married, it gets paid out.


Maybe get the same problem as recruitment agents.

In theory an agent should want to match you to a good job. In practice it's a minefield.


Well, you can't marry who you never meet. What would it be worth for you to pay a bribe to a time traveler not to go into the past to prevent your parents from ever meeting? ;)


Are you implying there are companies that don't focus on optimizing for revenue?


Perhaps not. But you could still imagine a for-profit matchmaking service that would do a better job of aligning its interests with those of its clients. For example, it could collect only a small fee upfront with an agreement that if you meet Mr. or Ms. Right you'll release a larger fee held in escrow.

I imagine that would need to be quite personalized and high touch, but it would be an appealing contrast to standard dating sites, which have interests diametrically opposed to those of their users: a user who makes a long-term match will stop paying the membership fee, so the site owner has no real incentive to help the user do anything but churn.


I mean, if I had the time, I would create a non-profit to do so.

And yes, there are probably small mom-and-pop types of businesses that just want to keep their status quo.

I believe I've heard a few years ago, that at least one country operates a dating service for their citizens. I can't find it now, but apparently the Tokyo Metropolitan Government just launched their own dating app, "TOKYO Enmusubi"


Are you saying non-profits aren't concerned with trying to generate earned income to stay afloat and grow their impact?

Different words, same problem.


Yeah from what I've heard it's nothing like it was in 2010-2014


OKCupid in those days had some really cool technical blogs about their processes that's worth reading.

https://web.archive.org/web/20101016050944/http://blog.okcup...


Same, although for us it was 2015. But that is 10 years ago (noooo I hate getting old), and to your point I can imagine it changing a ton in that time.


Your current children. It's highly possible that by now you would have had two other children. As you can tell, I do not, myself, have children.


OKCupid has another security issue related to email. If you get your hands on a link that they send out to a person's email regarding a match then that link auto logs you into their account and you can do whatever you want with it.

I discovered that when a friend of mine forwarded me a match that they had made and I suddenly found myself able to read their messages.

I contacted OKC about it and they did reply saying that it was a WONTFIX.


Just mark the emails spam and forget about them. If everyone blogged about every spam email they got we’d get articles every day about spam emails everyone got.


I do in Gmail, but half of them will never go in the spam folder such as from Credit Karma.


Had the same problem with Peacock despite constantly attempting to unsubscribe and mark spam. In the end I just created a filter rule to throw it in spam.


If you're in the US, I've had success by contacting customer service and threatening action under CAN-SPAM. The FTC has never really provided an easy way to file complaints or request enforcement by the public, but it seems to get their attention all the same. Now is a good time to try to exercise your legal rights against corporations before they are all executive order'ed away.


The FTC has had a place for the public to report CAN-SPAM violations for some time at https://reportfraud.ftc.gov

The FAQ confirms this is the correct place to report email spam https://reportfraud.ftc.gov/faq


I missed that FAQ item, thanks. I've seen (and used) the "report fraud" page before, and I had seen something to suggest that it was the right place to report illegal spam, but it wasn't clear how "spam" and "fraud" were related.


What action were you threatening? When I looked into it, it seemed like only state Attorneys General could sue violators.


I just said something like "If you don't remove me from the list within 24 hours I will report this to the FTC as a violation of US federal law." That's the easy part, the hard part is actually getting through to someone.


I can't find an option in Gmail to create a filter to "Always send it to spam". There's only "Never send it to Spam".


That might be out of concern of bad faith users abusing such a feature, such as folk who actually opt into a newsletter and then feed the results into such a filter.

You can at least "delete" via filter, though.


Fastmail's masked emails are great! I honestly very rarely give out my "real" email. Usually when I sign up for something I create a masked email, or if I need an email on the spot I use a wildcard alias ([email protected]). Since most of my emails are random, it serves as an additional authentication factor.


The problem is that it only takes one entity to leak the real email. All my spam comes on my real email despite using aliases for years.

I need to retire my real email address, but it's a bit tricky because I also used it for important things.

Haven't quite worked out how to solve that yet.


Start now with a forward from the old address. Might take multiple years before you are comfortable deleting the old address.


You may be right there. Will have a think about it. Maybe a filter to flag things and update as needed.


I went from using Gmail for 10-15 years to catch-all using my own domain name with Fastmail. It took a couple of years to slowly make the switch, but it was worth it. I still monitor the Gmail just in case and it's not a big deal, especially since you can fetch it (and send from it) with Fastmail (I just keep a Gmail tab open to report spam).


I've been using simple vendor-specific aliases e.g. [email protected], or a shared spam bucket alias.

Can you remind us how fastmail's subdomains, and "masked emails" are an improvement?


1. it allows associating a description with the address, which could contain any annotation information you'd like

2. it has a handy delete option, for severing the relationship

3. when they do arrive in the inbox, it shows the annotation instead of the address because no sane person could remember what battery.horse.staple@fastmail corresponds to


Don’t these email domains get blacklisted or are they valid?


It's just fastmail.com, that would be insane to blacklist. Also you don't really use these for sending, it's more for signing up for things and online shopping.


It certainly still happens though. [0]

[0] https://www.fastmail.com/blog/the-internet-blacklist/


Most of the generalized aliasing domains get blacklisted. If you are going to do aliasing set it against your custom domains.

From what I can tell: Atlassian and Stackoverflow try to reject you based on the MX records on the domain (which makes that a problem)

There are a few other companies that try to restrict you to gmail or hotmail domains. (Which is even more frustrating)


iCloud’s HideMyEmail service generates @icloud.com addresses. Very easy, single click.

Nevertheless, I have still used my personal name at lastname dot com for everything for decades, and the amount of spam is quite tolerable. Rarely does it leak into the inbox. It's even published on my personal web site in plain text.


Spamazon did the same thing to me, someone signed up with my email and didn't verify and I couldn't recover the account because of the phone number associated with the account. Amazon was completely uncooperative.

Again, similar story with Commonwealth Bank of Australia, which is even scarier since it's a bank.


Same story for me and one of the major credit reporting companies.


For those who are considering aliases to reduce spam in this.

DO THIS TODAY. One of my aliases at the vendor Thermpro got compromised by them. I got list bombed pretty badly. Because it was an alias, I was able to turn it off. I got over 2k messages (most of them "sign up for our mailing list") within the first 12 hours. Reaching out to the vendor got nowhere. (Pretty sure they don't care that they were compromised.)


Problem is, most email providers' web interfaces and mail agents don't handle aliases correctly. For me, I've found only Fastmail & mutt to be able to handle my 500 email aliases.


Problem is, if you implement strict email verification, you lose users. Because that step of "please open your email and verify" is actually a big drop-off point in the funnel. No amount of "shaming" people over lax email validation is going to convince them to implement a change that loses them money.

Don't get me wrong, I hate it too. Every single day I have to block about a dozen new sender addresses for services that someone has signed up for under my email. Because my email address just so happens to be temporal at gmail.com (it was my teenage gamer tag), and it just happens that "temporal" means "temporary" in Spanish, so about half a billion humans think it's a great throw-away address.

Luckily I can very easily identify the emails that aren't meant for me, because they are in Spanish, which I do not speak. Still, I thought that after years of blocking a dozen senders a day, I'd have blocked just about everything... but no, they just keep coming. I've given up on clicking "unsubscribe" or trying to hijack accounts to shut them down, I just go straight to "block" now...

But yeah. I've been demanding that people validate email addresses for decades, and can assure you that nobody cares and they're not going to start.

The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!


> The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!

That's a great middle-ground, and I think I've only seen that once.


Such links might disavow in practice, or might alternately be used as "hey, this email address has a living person at the other end, update the alive status on your spam lists and sell the data point!"


I would only use that with legitimate companies. Your scenario is no different from spammers who already have "unsubscribe" links.


That's not a middle ground at all; that offloads the cost of your growth to unrelated parties who are potentially being defrauded. Typical tech ploy.


Look, when option A is actually make sure your user gives you contact info that works, option B is include a link that stops sending garbage for a user that doesn't know their email address, and option C is signing up with an email address results in an unending stream of garbage...

I would prefer option A, but I'll accept option B, because it's better than option C.
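Options A and B from the comment above, as an added example that is not code from the article, OKCupid or Fastmail: a double opt-in flow in which the signup mail carries both a confirm token (the account only exists once the address owner clicks it) and a separate one-click disavow token that cancels the signup and suppresses further mail. The in-memory store, the 24-hour TTL and the function names are assumptions.

```python
import hashlib, hmac, secrets, time
from typing import Optional

TOKEN_TTL = 24 * 3600   # confirm links expire after a day (assumed policy)
pending = {}            # email -> hashed tokens + expiry (stand-in for a DB table)
accounts = set()        # confirmed accounts
suppressed = set()      # addresses whose owner clicked "this wasn't me"

def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not yield clickable links.
    return hashlib.sha256(token.encode()).hexdigest()

def _norm(email: str) -> str:
    return email.strip().lower()

def start_signup(email: str, now: Optional[float] = None) -> Optional[dict]:
    """Record a pending signup and return the two single-use tokens that would
    go into the mail. Returns None if the address is taken or was disavowed."""
    now = time.time() if now is None else now
    email = _norm(email)
    if email in suppressed or email in accounts:
        return None
    tokens = {"confirm": secrets.token_urlsafe(32), "disavow": secrets.token_urlsafe(32)}
    pending[email] = {k: _digest(v) for k, v in tokens.items()}
    pending[email]["expires"] = now + TOKEN_TTL
    return tokens

def _matches(email: str, kind: str, token: str) -> bool:
    rec = pending.get(email)
    return rec is not None and hmac.compare_digest(rec[kind], _digest(token))

def confirm(email: str, token: str, now: Optional[float] = None) -> bool:
    """Option A: the account exists only once the address owner has confirmed."""
    now = time.time() if now is None else now
    email = _norm(email)
    if not _matches(email, "confirm", token) or pending[email]["expires"] < now:
        return False
    pending.pop(email)          # single use
    accounts.add(email)
    return True

def disavow(email: str, token: str) -> bool:
    """Option B: one click cancels the signup and suppresses further mail.
    No expiry here: the unwanted mail would otherwise keep coming."""
    email = _norm(email)
    if not _matches(email, "disavow", token):
        return False
    pending.pop(email)
    suppressed.add(email)
    return True
```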


Problem with email in general is that very few people are incentivized to think of the long-term impact of spam.


Someone with my identical full name has for the past few years kept providing my old and unused gmail email address to various entities.

This has included banks, shops, and a company which apparently offers training to help you acquire a gun license in Poland.

I now know where this person lives (from order confirmation emails). I know this person's date of birth. I also know this person's PESEL (Polish national identification number) because one of the banks "protected" a document intended for this person by using part of the PESEL as a password (I just brute-forced that part). The other part is just an encoding of the birth date.

So I now have enough information to impersonate someone just because a number of organisations screwed up by not verifying ownership of an email address.


PESEL generally shouldn't be considered secret.


Ugh, I've got exactly the same thing with match.com at the moment. Some other Evan, presumably with the same last name, used my gmail address. Unsubscription link seems to have had no effect, I ended up just putting a filter in to send them straight to deleted.

Over the years I've been signed up for various porno sites, had wedding invitations, college applications, airplane tickets and an ongoing rental dispute all because either another Evan doesn't want to use their own email address for something dubious, or someone has assumed my gmail address must be the Evan they are after.


OKCupid went steeply downhill over several years and as far as I can tell is now worthless and untrustworthy in every way.


I wonder if they still (illegally?) discriminate based on sex. They used to give different payment plans to men versus women.

You used to be able to edit the plan number in the URL to get a better rate, then they "fixed" that, but then all you had to do was edit the plan number in the form action.


This was interesting until the end when it became an advert for fastmail.


On their corporate blog?! How could they sell out like that?


Despite your sarcasm, I don't disagree. Except for the fact I didn't click on this because it was their corporate blog. I clicked on it because it was on Hacker News.

And then once I realized it was their corporate blog, I became a bit more apprehensive.


What's OKCupid's incentive?


Reputation of their addresses, IPs, etc.


I sympathize, I have dealt with this a couple of times, most recently with Coinbase (resolved).

I agree that we would live in a better world if everyone on the internet followed standards and best practices, but we will never live in that world. We can expect the enshittification to get worse.

When this happens to me I make a filter to trash the emails. No amount of complaining or well-meaning (and in this case a bit self-promoting) articles will make the rest of the world change.


I know that the US has the CAN-SPAM Act, the EU has GDPR, and Canada has CASL. I do not believe this would be part of it.

Is there any other legal recourse that could be pursued in small claims court/ESCP?

