
Companies that allowed others to create accounts with my email addresses:

PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.

Companies that spammed me in the last 24 hours because they don't validate email addresses they add to their mailing lists (maybe there are accounts too, IDK):

NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.




Someone signed up to Amazon with an email address of mine, and saved their credit card details.

I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon Prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.

The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.

Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.

I haven’t had any people reverse-hacking themselves for a while now.


I thought about doing something mildly nefarious with someone's PayPal account that they added my address to, but didn't want to chance legal problems. Instead I just logged into their account and removed my email address and logged out.


PayPal is certainly trickier. I felt more comfortable testing with buying Amazon Prime through an Amazon account, because it would be easy for them to refund.

I assume I thought of trying to remove the email address! :) I sometimes forget they’re not necessarily the only identifiers, and some accounts let you use a mobile number instead. Probably there wasn’t a mobile on the profile.

It would be nice if all accounts used a username, and allowed you to not have an email or phone if you tick a box saying “I don’t care if I get locked out of this account forever if I forget the password”.


Email is probably important as a spam-prevention measure. Without the necessity of validating an email or a phone number, one can create an unlimited number of accounts.

One can of course create any number of emails from a server/domain they own, but that requires more skill.


You are probably technically violating the CFAA when you do this. Having your email address accidentally associated with the account isn't authorization.


Aren't they the ones violating CFAA? They made an account for GP then accessed it without authorization.


People make mistakes. Just because someone made a mistake isn't permission to commit a crime against them.


Accidentally signing up once is a mistake. One person signing up for products, credit cards, unemployment, medical bills, television services, payday loans, mortgages, jobs with my email address over a 6 year period isn’t a mistake. This is some middle age dude in middle America.


What gives you the confidence to say that it was a single individual and not just a common email name which lots of people accidentally used?


I get regular emails intended for my doppelgänger, and have for many, many years. I know her entire family by proxy—we’ve effectively moved through the same stages of life together, in parallel, across the globe. For a while I used to respond to the more important-seeming messages, but it’s more mailing lists now. She and I are very far away physically—and it’s hard to say whether she knows about me at all, as I don’t mess up the email address in our collective name…

Oddly enough I’m still not sure of her correct address, only those of her correspondents. And in some cases family members.


> What gives you the confidence to say that it was a single individual

Because you can see their first name and last name on the emails you receive.


And addresses, I even knew when he was sending his mistress nicer flowers than his wife.

I get other people’s email too, just this guy has been more prolific than others.


It's not particularly likely to be tested for most types of online accounts, but if you told a judge that you thought the person had created an account for you to use, the judge would tell you to stop lying, they would not congratulate you on your clever argument.


What email are you using that's so popular that dozens of people are (inadvertently?) entering it in all these businesses?

Are you "john.smith@gmail.com" or something like that?

I'm firstname@firstnamelastname.com, and I have had maybe a half dozen instances in the past decade.


I have first initial / last name at gmail for a common Irish name. My wife has first name last name.

There’s about a dozen people who routinely use my email address. The Washington Post let someone subscribe for a year without any validation. One dude lost a job offer because they couldn’t contact him. One woman was the general manager of a factory and emailed “herself” with a VPN client and Excel spreadsheet with passwords to access the factory’s IT and SCADA systems. A detective sent crime scene videos. The most recent is a guy in Scotland who isn’t paying his electric bill.

My wife had someone who has stolen her accounts via retail employee resets at CVS, Sephora and others. She’s an executive at a big Wall St bank, and spends a lot on makeup - my wife got lots of points when she reset the Sephora account back.


I have a common lastnameinitial @ email provider. It's the same username from my mainframe days. Some people with similar surname use that, probably because they either don't want to receive emails or because they are just... I don't know, clueless?

Usually I take over an account and change the password. Then add a 2FA if possible and update the details to my name and address. This way people can't say it's their account anymore.

A couple of times there were credit card numbers. I just delete those if possible.

I have cancelled hair appointments and car services. I have received flight information multiple times. I have locked out an account on a French dating site, which had some interesting exchanges (the guy's missing out!).

I did not cancel a vet appointment. Pets need to see a vet and their owners being dumb is not an excuse. I won't interfere with that. But I did book a full grooming for a week after.

When I take over I just use a random password from Bitwarden and don't even bother saving the account, as I don't plan to ever use these again.


Have done all that without suffering any sense of guilt?


Yes. Also received invoices, past due notices and more.

A couple of times I contacted the companies to let them know their notices did not reach the right person. No reply or acknowledgement.

Both sides are bad. Not my problem. My problem is people using my email and creating trash in my inbox.


You are being an asshole to people who made a simple mistake, just because it caused you the mildest inconvenience.

Every time this sort of thing happens I make my best effort to inform all the parties involved, and block the senders as a last resort.

Be a better netizen.


Generally speaking, it seems people get it wrong when things are created over phone etc. My firstname lastname is not common, but if one uses firstname.middlenameinitial.lastname you can be sure that several people when noting their email will skip the initial, same if you have a suffix. I had banks, credit cards, social securities related stuff being registered to my email, generally it lasts a few weeks to be fixed.


I have lastname first initial @ gmail, and I wish I didn't. I have started using it for school related stuff for my kid, and other places where I want to present as normal, but mostly I get garbage from a set of about 4 people who share my last name and first initial, but don't know their email address (I don't know it either!).

Lots of car dealers and travel reservations. Ugh. I've got a couple job application responses, and usually get a nice email from the sender when I respond and let them know the email was misdirected.

I used to get a lot of mail directed to people whose organization's domain has an extra letter compared to mine, but I think they must have figured it out, or closed down, I used to add their mistaken addresses to be rejected if sent to and have to update when they got a new employee (their IT person sent me the new user stuff once sigh), but that stopped happening. I got some invoices for them that looked kind of shady, but they're in Brazil, and I can't navigate the system down there to have forwarded it to someone who would find it interesting.


first.last@gmail.

Common-ish English names, uncommon combination, but apparently common enough (did a quick search and there are at least 20 in the U.S.)

The Apple one was a catchall @lastname.com (a different first name than mine, but same last name)


See also:

https://xkcd.com/1279/ - Reverse identity theft

Having an email address that resembles a real name is a blessing and a curse.


Ashley Madison is another, then they tried to change for delete.

Twitter is another back in the day, but that doesn't impact employment like Ashley Madison does due to the leaks.


Accounts: Don’t remember all, but at least Instagram, TikTok, eBay and some dating site (not OkC) had accounts created for my mail.

Newsletter: A German plushie store (Steiff) and some kind of wellness place. 2 democratic congressmen.

In all cases it’s the same, I mark them as spam and block them.


Also Uber, I keep receiving mails from users who used my domain, on my catch all mail


Ah, Apple -- I had that happen to me with them too. Had to contact their support to get the account closed. Infuriatingly, they were adamant that I must have approved the sign up email. Obviously I never received such an email.

To this day I wonder what path the mystery usurper followed to sign up my email address without validation.


Add AT&T to your first list.


Venmo does it too



