PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.
Companies that spammed me in the last 24 hours because they don't validate email addresses they add to their mailing lists (maybe there are accounts too, IDK):
NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.
I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon Prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.
The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.
Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.
I haven’t had any people reverse-hacking themselves for a while now.
Are you "john.smith@gmail.com" or something like that?
I'm firstname@firstnamelastname.com, and I have had maybe a half dozen instances in the past decade.
There’s about a dozen people who routinely use my email address. The Washington Post let someone subscribe for a year without any validation. One dude lost a job offer because they couldn’t contact him. One woman was the general manager of a factory and emailed “herself” a VPN client and an Excel spreadsheet with passwords to access the factory’s IT and SCADA systems. A detective sent crime scene videos. The most recent is a guy in Scotland who isn’t paying his electric bill.
My wife had someone who stole her accounts via retail employee resets at CVS, Sephora and others. She’s an executive at a big Wall St. bank, and spends a lot on makeup - my wife got lots of points when she reset the Sephora account back.
Usually I take over an account and change the password. Then I add 2FA if possible and update the details to my name and address. This way people can't say it's their account anymore.
A couple of times there were credit card numbers. I just delete those if possible.
I have cancelled hair appointments and car services. I have received flight information multiple times. I have locked out an account on a French dating site, which had some interesting exchanges (the guy's missing out!).
I did not cancel a vet appointment. Pets need to see a vet and their owners being dumb is not an excuse. I won't interfere with that. But I did book a full grooming for a week after.
When I take over I just use a random password from Bitwarden and don't even bother saving the account, as I don't plan to ever use these again.
Lots of car dealers and travel reservations. Ugh. I've got a couple job application responses, and usually get a nice email from the sender when I respond and let them know the email was misdirected.
I used to get a lot of mail directed to people whose organization's domain has an extra letter compared to mine, but I think they must have figured it out, or closed down. I used to add their mistaken addresses to be rejected if sent to, and had to update when they got a new employee (their IT person sent me the new user stuff once, sigh), but that stopped happening. I got some invoices for them that looked kind of shady, but they're in Brazil, and I can't navigate the system down there to have forwarded them to someone who would find it interesting.
Common-ish English names, uncommon combination, but apparently common enough (did a quick search and there are at least 20 in the U.S.)
The Apple one was a catchall @lastname.com (a different first name than mine, but same last name)
https://xkcd.com/1279/ - Reverse identity theft
Having an email address that resembles a real name is a blessing and a curse.
Twitter is another back in the day, but that doesn't impact employment like Ashley Madison does due to the leaks.
Newsletter: A German plushie store (Steiff) and some kind of wellness place. 2 democratic congressmen.
In all cases it’s the same, I mark them as spam and block them.
To this day I wonder what path the mystery usurper followed to sign up my email address without validation.
That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.
Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.
It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.
But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.
It's too bad. OKCupid was the best of the dating sites during its heyday.
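The probing described a few comments up (spammers' address lists crossed with common-password lists) is what defenders call credential stuffing, and it has a recognisable shape in authentication logs: one source cycling through many distinct usernames in a short time, mostly failing, with the occasional success. The following is an added example, not code from this thread or from any of the companies named in it; the log format (timestamp, source IP, username, outcome) and the log lines themselves are constructed for the illustration, and the thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing sources in a constructed authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture):
#  - 203.0.113.7 tries 12 different accounts in 12 seconds and then lands
#    one: the stuffing pattern (many distinct users, mostly failures).
#  - 198.51.100.9 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d}Z 203.0.113.7 user{i:02d}@example.com FAIL"
     for i in range(12)]
    + ["2024-03-01T10:00:13Z 203.0.113.7 user12@example.com OK",
       "2024-03-01T10:05:00Z 198.51.100.9 carol@example.com FAIL",
       "2024-03-01T10:05:20Z 198.51.100.9 carol@example.com FAIL",
       "2024-03-01T10:05:45Z 198.51.100.9 carol@example.com OK"]
)


def parse_line(line: str):
    """Split one log line into (timestamp, source_ip, username, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), outcome == "OK"


def find_stuffing_sources(log_text: str, window=timedelta(minutes=5), min_distinct_users=10):
    """Return {source_ip: {"distinct_users": n, "compromised": [users]}} for every
    source that attempted at least `min_distinct_users` different accounts within
    any `window`-long stretch. "compromised" lists the accounts that source logged
    into successfully during a flagged stretch: those are the ones to force-reset."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` relative to events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            users = {u for _, u, _ in window_events}
            if len(users) < min_distinct_users:
                continue
            entry = flagged.setdefault(ip, {"distinct_users": 0, "compromised": set()})
            entry["distinct_users"] = max(entry["distinct_users"], len(users))
            entry["compromised"] |= {u for _, u, ok in window_events if ok}

    for entry in flagged.values():
        entry["compromised"] = sorted(entry["compromised"])
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

One caveat a practitioner would add: real stuffing campaigns are spread across proxy pools, so a per-IP threshold like this one only catches the lazy ones; grouping by ASN, client fingerprint, or simply counting distinct usernames per minute site-wide catches the rest. What the per-source "compromised" list gives you is the immediate action item: those accounts had a working password from a breach list and need a reset regardless of how the attacker was detected.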
In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.
How do you handle that?
Don't give an attacker an opportunity to social engineer and say, "it was a bunch of random letters or words" and the customer service person lets them in because it looked like someone was just typing random stuff.
(Insert xkcd here)
Many use an email address provided by their ISP. What happens when they move out of that ISP's territory? Or, if they are someplace served by multiple decent ISPs decide to switch providers?
Many use addresses from Gmail, Outlook, Yahoo, and similar. Those at least keep working if they move, but still carry some risk: if you use multiple services from the companies that own those and do something to get banned from one of those companies' services, that might also get you banned from their email service.
The best option, if a site insists you use email as user ID, is to use an email at a domain of your own. That won't be free, because you'll have to rent the domain and pay someone to handle your email (most people will not be up to running their own email server), but if the domain is at one of the long-established TLDs, you don't do anything too illegal, and it isn't close enough to the name of an established company that you could lose it over trademarks, you can probably keep it for the rest of your life.
Whoever you use to actually handle your mail might go away or kick you off, but as long as you still have the domain you can switch to some other mail handler and point the domain's mail records in DNS to that new handler.
If you want to be sure that there is no risk of being accused of being a domain squatter or losing the domain in a trademark dispute, pick a name that will not be at all similar to any business name or famous person's name. I've got my ham radio callsign as a domain under the US TLD, for example.
If you aren't using your own domain, at least check with any important site that you use that requires email as user ID to make sure they have a way to change the email so that if you do end up losing your current email you can update the site. That might not work if you lose the email without warning, but at least it can help in cases where you know you are going to lose the email such as switching to a new ISP.
It might also be a good idea to keep a list of all sites you are using where you will need to change the email as user ID if you are going to move, so fixing it can be part of your moving checklist.
In the US both of the login servers that more and more government agencies require you to use for online access, ID.me and Login.gov, use email as user ID. Both allow you to change that email (add the new email as a secondary email on the account, then change the new email to be the default email). It would be really annoying to not remember to do so until after you have lost the old email, and so find yourself unable to login to your IRS account or your Social Security account.
Exactly, which gave rise to the on-going multiple-Apple-IDs fiasco.
I want to start a blog which is just shaming every company whose most basic functions don't work and there's no recourse. It happens at least twice a day to me. Like a financial services management company whose website can't load my financial information. Or a jobs site that offers me premium subscription but its payments page is broken and I can't even notify them because there's no contact method. Or half the unsubscribes on the internet that never work, or require me to login to unsubscribe but it won't let me log in.
Does anyone work at Google? Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser and click the search bar, if I don't wait at least 30 seconds, anything I type into the text bar not only is severely lagged, but then the letters appear in random jumbled order like the cursor is jumping? But if I wait it works fine?? Don't they make billions of dollars? Isn't this their whole product? What the hell is going on over there?!
The enshittification of technology is so extreme it feels like the whole web is constantly broken and literally nobody cares. If physical stores didn't exist and it was all online, I think riots would break out.
Of course, I can't do any of that without an account number which they haven't given me. I assume it'll arrive in the mail eventually.
Define "the browser".
And why doesn't an independent company just create a better product? Because they don't like competition. It's a racket.
You'll find that your suppliers give you outrageous prices (but discounted rates for their friends), that potential customers refuse to buy from you (you're blacklisted), and so on.
I used it a little back in 2014, and again in 2021. The second time around, it was very different.
I don't know of any dating companies that focus on matching people versus optimizing for revenue.
I discovered that when a friend of mine forwarded me a match that they had made and I suddenly found myself able to read their messages.
I contacted OKC about it and they did reply saying that it was a WONTFIX.
I need to retire my real email address, but it's a bit tricky because I also used it for important things.
Haven't quite worked out how to solve that yet.
Can you remind us how fastmail's subdomains, and "masked emails" are an improvement?
2. it has a handy delete option, for severing the relationship
3. when they do arrive in the inbox, it shows the annotation instead of the address because no sane person could remember what battery.horse.staple@fastmail corresponds to
From what I can tell: Atlassian and Stack Overflow try to reject you based on the MX records on the domain (which makes that a problem)
There are a few other companies that try to restrict you to gmail or hotmail domains. (Which is even more frustrating)
Nevertheless, I have still used my personal name at lastname dot com for everything for decades, and the amount of spam is quite tolerable. It rarely leaks into the inbox. It’s even published on my personal web site in plain text.
Again, similar story with Commonwealth Bank of Australia, which is even scarier since it's a bank.
DO THIS TODAY. One of my aliases at the vendor Thermpro got compromised by them. I got list bombed pretty badly. Because it was an alias, I was able to turn it off. I got over 2k messages (Most of it "sign up for our mailinglist") within the first 12 hours. Reaching out to the vendor got nowhere. (Pretty sure they don't care that they were compromised)
Don't get me wrong, I hate it too. Every single day I have to block about a dozen new sender addresses for services that someone has signed up for under my email. Because my email address just so happens to be temporal at gmail.com (it was my teenage gamer tag), and it just happens that "temporal" means "temporary" in Spanish, so about half a billion humans think it's a great throw-away address.
Luckily I can very easily identify the emails that aren't meant for me, because they are in Spanish, which I do not speak. Still, I thought that after years of blocking a dozen senders a day, I'd have blocked just about everything... but no, they just keep coming. I've given up on clicking "unsubscribe" or trying to hijack accounts to shut them down, I just go straight to "block" now...
But yeah. I've been demanding that people validate email addresses for decades, and can assure you that nobody cares and they're not going to start.
The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
That's a great middle-ground, and I think I've only seen that once.
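The two fixes the thread keeps asking for (validate that the person signing up actually controls the address, and give the recipient a one-click "this wasn't me") come down to the same mechanism: a signed, single-purpose, expiring link, and a rule that nothing but that one confirmation message is sent until the link is clicked. The following is an added example that is not code from this thread or from any of the sites mentioned in it. It assumes a server-side HMAC key (in production loaded from a secret store and rotated), an in-memory dict standing in for the account database, and example.com as the site.

```python
"""Double opt-in confirmation plus one-click disavow, both as HMAC-signed links."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-a-random-256-bit-key"  # assumption: from a secret store in production


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(action: str, email: str, account_id: str, ttl_seconds: int = 7 * 24 * 3600, now=None) -> str:
    """Token = base64(JSON claims) '.' base64(HMAC-SHA256(claims)).
    Binding action, address and account id into the signed body means a confirm
    link cannot be replayed as a disavow, or moved to another account or address."""
    now = time.time() if now is None else now
    claims = {"a": action, "e": email.lower(), "id": account_id, "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{_b64(hmac.new(SECRET, body, hashlib.sha256).digest())}"


def verify_token(token: str, now=None):
    """Return the claims dict, or None if the token is malformed, tampered with or expired."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return None if claims.get("exp", 0) < now else claims


class Accounts:
    """Toy account store: an unconfirmed address gets nothing but the one confirmation mail."""

    def __init__(self):
        self._db = {}            # account_id -> {"email": ..., "status": pending|confirmed|disavowed}
        self.suppressed = set()  # addresses whose owner clicked "this wasn't me"

    def signup(self, account_id: str, email: str):
        email = email.lower()
        if email in self.suppressed:
            return None  # the address owner already disavowed; do not silently re-enrol them
        self._db[account_id] = {"email": email, "status": "pending"}
        base = "https://example.com"  # assumption: site base URL
        return {"confirm": f"{base}/confirm?t={make_token('confirm', email, account_id)}",
                "disavow": f"{base}/disavow?t={make_token('disavow', email, account_id)}"}

    def may_email(self, account_id: str) -> bool:
        acct = self._db.get(account_id)
        return bool(acct) and acct["status"] == "confirmed"

    def handle(self, token: str, now=None) -> str:
        claims = verify_token(token, now)
        acct = self._db.get(claims["id"]) if claims else None
        if acct is None or acct["email"] != claims["e"]:
            return "invalid"
        if claims["a"] == "confirm":
            if acct["status"] != "pending":
                return "ignored"           # already confirmed, or disavowed (disavow wins)
            acct["status"] = "confirmed"
            return "confirmed"
        if claims["a"] == "disavow":
            acct["status"] = "disavowed"   # the address owner said "not me": stop all mail
            self.suppressed.add(acct["email"])
            return "disavowed"
        return "invalid"


if __name__ == "__main__":
    store = Accounts()
    links = store.signup("acct-1", "Someone@Example.com")
    print(store.handle(links["disavow"].split("t=", 1)[1]))  # disavowed
    print(store.signup("acct-2", "someone@example.com"))     # None: address is suppressed
```

Two design points worth noting. The disavow link must not require a login, since the person clicking it is by definition not the account holder; it only needs to prove that whoever holds the inbox objected, which the signature over the address does. And the suppression list is what stops the cycle the commenters describe, where the same wrong address gets re-entered every few months: the next signup with that address fails fast instead of sending yet another "welcome" mail.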
This has included banks, shops, and a company which apparently offers training to help you acquire a gun license in Poland.
I now know where this person lives (from order confirmation emails). I know this person's date of birth. I also know this person's PESEL (Polish national identification number) because one of the banks "protected" a document intended for this person by using part of the PESEL as a password (I just brute-forced that part). The other part is just an encoding of the birth date.
So I now have enough information to impersonate someone just because a number of organisations screwed up by not verifying ownership of an email address.
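The bank's "protection" in the comment above is weak because a PESEL is not a secret: its structure is public, six of the eleven digits are the birth date, the last digit is a checksum, and one of the remaining four encodes sex. The example below, added here and not the commenter's own code, makes that concrete by validating a PESEL, decoding it, and enumerating every checksum-valid number consistent with a known birth date, which is what bounds the brute-force. It uses the publicly documented format (month field offset by 80/0/20/40/60 for the 1800s through 2200s, weights 1,3,7,9 repeating, check digit (10 - sum mod 10) mod 10) and the standard documentation example 44051401359; no real person's number appears.

```python
"""PESEL structure, and how few candidates remain once the birth date is known."""
from datetime import date
import math

WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
CENTURY_OFFSET = {18: 80, 19: 0, 20: 20, 21: 40, 22: 60}  # added to the month field


def check_digit(first10: str) -> str:
    total = sum(int(d) * w for d, w in zip(first10, WEIGHTS))
    return str((10 - total % 10) % 10)


def pesel_valid(pesel: str) -> bool:
    return len(pesel) == 11 and pesel.isdigit() and check_digit(pesel[:10]) == pesel[10]


def _as_date(birth):
    return date.fromisoformat(birth) if isinstance(birth, str) else birth


def encode_date(birth) -> str:
    """First six digits: YY, month plus century offset, DD."""
    d = _as_date(birth)
    return f"{d.year % 100:02d}{d.month + CENTURY_OFFSET[d.year // 100]:02d}{d.day:02d}"


def decode_pesel(pesel: str):
    """Return (ISO birth date, 'M' or 'F') for a checksum-valid PESEL."""
    if not pesel_valid(pesel):
        raise ValueError("bad length or checksum")
    yy, mm, dd = int(pesel[:2]), int(pesel[2:4]), int(pesel[4:6])
    for century, offset in CENTURY_OFFSET.items():
        if offset < mm <= offset + 12:
            born = date(century * 100 + yy, mm - offset, dd)
            break
    else:
        raise ValueError("month field out of range")
    sex = "M" if int(pesel[9]) % 2 else "F"  # 10th digit: odd = male, even = female
    return born.isoformat(), sex


def candidates(birth, sex=None):
    """Yield every checksum-valid PESEL consistent with a birth date (and sex, if known).
    Three free serial digits times five sex digits gives 5000 candidates; the check
    digit is determined, so it adds nothing to the search."""
    prefix = encode_date(birth)
    sex_digits = {"M": "13579", "F": "02468", None: "0123456789"}[sex]
    for serial in range(1000):
        for sd in sex_digits:
            first10 = f"{prefix}{serial:03d}{sd}"
            yield first10 + check_digit(first10)


def search_space_bits(birth, sex=None) -> float:
    """log2 of the number of candidates a brute-force has to try."""
    return math.log2(sum(1 for _ in candidates(birth, sex)))


if __name__ == "__main__":
    print(decode_pesel("44051401359"))                      # ('1944-05-14', 'M')
    print(round(search_space_bits("1944-05-14", "M"), 1))   # 12.3
```

The takeaway for anyone designing document protection: with the birth date known from an order confirmation, the "password" is about 12 bits (13 if sex is unknown), which any document-cracking tool exhausts in well under a second. A password derived from an identifier that appears on invoices, forms and leaked databases is a label, not a credential; the document should be protected with a per-recipient secret delivered out of band, or simply not sent to an unverified address at all.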
Over the years I've been signed up for various porno sites, had wedding invitations, college applications, airplane tickets and an ongoing rental dispute all because either another Evan doesn't want to use their own email address for something dubious, or someone has assumed my gmail address must be the Evan they are after.
You used to be able to edit the plan number in the URL to get a better rate, then they "fixed" that, but then all you had to do was edit the plan number in the form action.
And then once I realized it was their corporate blog, I became a bit more apprehensive.
I agree that we would live in a better world if everyone on the internet followed standards and best practices, but we will never live in that world. We can expect the enshittification to get worse.
When this happens to me I make a filter to trash the emails. No amount of complaining or well-meaning (and in this case a bit self-promoting) articles will make the rest of the world change.
Is there any other legal recourse that could be pursued in small claims court/ESCP?