September 2, 2020

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.

About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.

Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.

What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.

But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.

I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.

If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.

It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.

For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.

On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and ask what motivated them to do so.

Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.

Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.

Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.

More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.

As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.

This entry was posted on Wednesday 2nd of September 2020 09:08 PM


265 thoughts on “The Joys of Owning an ‘OG’ Email Account”

  1. instig8r

    I have a simple dotMac address from way back, but as you know, dotMac, Me.com and iCloud addresses are all aliased together, so @icloud.com is the same as @Mac.com. I get a fair amount of emails from all over the world thinking I am @me.com or @icloud.com. Most of what I get are vendors looking for their customers, though. No juicy bank accounts yet.

    1. firstname at icloud

      Exactly this. I remember over 20 years ago, watching the keynote in which Steve Jobs announced DotMac services, saying “and they’re available today…” So I thought “Gee, if I sign up right now, maybe I can get my first name!” Turns out…I did. And now people all over the world who share my first name (or maybe don’t?) use it for all kinds of things.

      Some folks have signed up for Ameritrade. Just the other day, someone switched their Macy’s card to electronic billing. (I called to let Macy’s know.) On the same day, someone else had their Boost Mobile service shut off for non-payment. Someone in San Francisco who has a lot of disputes with his condo board gave them my email address.

      There’s the guy in Germany who’s ordered some interesting pizzas. Someone in DC ordered Chinese food. Someone in Lebanon occasionally orders plane tickets, and someone near Montreal tried to sign up for a preauthorized airport security pass. There’s a retired Salvation Army band director in England who orders things every now and again, but then returns them. There’s the guy in Belgium who’s had his car serviced in the Netherlands, and the guy in the Seattle area who goes to the Apple store a lot. There’s the guy in Mississippi who recently ordered an infrared thermometer, AirPods, a Mario hat, and fart spray.

      There was the guy in Louisiana who signed up for some hookup sites, and I was able to get him to stop when one of those sites emailed his cell number, so I was able to text him. Similarly, there’s a very lonely German man who keeps signing up for personals sites, though I suspect he may be a bot. He has French and Dutch counterparts.

      There are a fair number of now-homeschooled kids who’ve signed up for their online school with my email address…but I can’t help them. Sometimes I’ll get misdirected FaceTime calls–for a while some Dutch people living in Thailand really liked FaceTiming at 4am my time. One young lady in Chicago could not be dissuaded that I was not the young man who gave her my Apple ID and told her to text anytime. (That one involved a lot of texts and FaceTime calls before I blocked her.)

      I’ve become philosophical about it–it’s like a window into human activity all over the world.

  2. david klein

    Brian,

    In May/June I alerted you to an email breach at Netflix Japan and
    provided details. In this case, my credit card was stolen, a new Netflix
    account was set up using my credit card. Netflix settled very quickly,
    but refused to provide any details, including dates, about the party who
    conducted the theft, used my card, and established a new account.

    I thought that this might interest you, but unfortunately, I did not
    hear from you, and so I am bit reluctant to share further information
    including multiple phishing attacks aimed at my current address.

    David

    Good Luck

  3. Duke

    Can you give an example of an OG account? I thought the original invite only gmail account usernames had to be a minimum of 6 characters?

    1. BrianKrebs Post author

      A really desirable OG account will have one or two letters. But they can also be simple short words, names or concepts, like “person@” or “hacker@” or “fear@”

      1. Dean

        Thank you. Do you know of any upcoming email platforms or social media platforms where I can try and register an OG name for my grandkids 🙂

        Something on the horizon, which may or may not catch on. No commercial use or resale by me.

        Thank you Mr. Krebs

        1. Joel

          Hey.com just launched their email platform recently 🙂 I got a 3 letter address myself

        2. Pete

          If you’re interested in longevity and portability, buy your own domain name. Depending on the suffix (com, net, org, etc.) it is about $20/year for the name.

          You have full control over the domain name and any services associated with it like email. You could easily create email addresses for the grandkids, or any other individuals you wish.

          You don’t need to provide the services yourself (e.g. by running your own server), but you could if you wanted to. With your own domain you can outsource to a third-party service provider for a nominal cost and could (with proper preparation ahead of time) change the back-end service provider.

          1. BrianKrebs Post author

            It’s a nice thought, but most mere mortals are simply incapable of securing their own mail server. I would not advise that unless you really know what you’re doing.

    2. yyz

      You are 100% correct. I have an OG gmail account and I tried to use my first name which is 5 characters (and also quite unique. I wasn’t competing for others with my name). It forced me to use 6 characters.

      Perhaps other services didn’t have the requirement, but gmail definitely did.

      Recently, I logged into it for the first time in years. One other person seemed to have given it out to others by mistake, because there was legitimate mail coming to it (as well as a small amount of spam from insurance companies for some reason)

      I changed the password and added 2FA and replied to the real messages with an explanation. Many wrote back thanking me for the notification.

  4. Mel

    It amazes me, the number of services out there that will use an email address without first requiring a response to a verification email.
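The check Mel is describing is a confirmed opt-in: a service should treat an address as unverified, and send nothing sensitive to it, until whoever controls that inbox has clicked a token that only the inbox received. The following is an added example, not code from the post or from any of the services named in the thread; it uses a hypothetical `AccountRegistry` and a constructed secret, and assumes an HMAC-signed token with a 24-hour lifetime, which is one common way to build the flow.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: a confirmation link is good for one day
_SIG_LEN = hashlib.sha256().digest_size


def issue_token(address: str, secret: bytes, issued_at: int) -> str:
    """Build a URL-safe confirmation token binding the address to an issue time.

    The token is payload || HMAC-SHA256(payload); without the secret, nobody
    can forge a token for an address they do not control.
    """
    payload = f"{address.strip().lower()}|{issued_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_token(token: str, secret: bytes, now: int) -> Optional[str]:
    """Return the address a valid, unexpired token was issued for, else None."""
    try:
        blob = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(blob) <= _SIG_LEN:
        return None
    payload, sig = blob[:-_SIG_LEN], blob[-_SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    address, _, issued = payload.decode(errors="replace").rpartition("|")
    if not issued.isdigit() or now - int(issued) > TOKEN_TTL_SECONDS:
        return None
    return address


class AccountRegistry:
    """Hypothetical sign-up store that separates 'claimed' from 'verified' addresses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[str, str] = {}   # address -> outstanding token
        self._verified: Set[str] = set()

    def register(self, address: str, now: int) -> str:
        """Record a sign-up and return the token to put in the confirmation mail.

        Nothing else is sent to the address until confirm() succeeds.
        """
        address = address.strip().lower()
        token = issue_token(address, self._secret, now)
        self._pending[address] = token
        return token

    def confirm(self, token: str, now: int) -> bool:
        """Mark an address verified if the token is genuine, fresh and still outstanding."""
        address = verify_token(token, self._secret, now)
        if address is None or self._pending.get(address) != token:
            return False
        del self._pending[address]
        self._verified.add(address)
        return True

    def may_send_sensitive(self, address: str) -> bool:
        """Gate for statements, order details, password resets and the like."""
        return address.strip().lower() in self._verified
```

In use, `register()` runs at sign-up and the returned token goes only into the confirmation email; `confirm()` runs when the link is clicked; every sender of account-specific mail consults `may_send_sensitive()` first. A mistyped or borrowed address then receives exactly one generic confirmation request and nothing further, which is what the commenters in this thread are asking for.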

  5. #metoo

    I’ve a fairly generic domain that gets used as a throw away by numerous users as well as an actual example domain in publications (they clearly don’t know about the example.* domains). I just chuckle, shake my head at the insanity and bin it. Most of what I get seems to be social media accounts. Nothing overly exciting sadly.

  6. lkjlkj

    I have the same issue. I got my firstLast@gmail.com and firstLastInitial@gmail.com back when you needed an invite, and I get signed up for TONS of stuff.

    Some woman in St. Louis whose last name matches my first has used my email at her doctor. I’ve had accounts set up at pretty much every service out there. I’ve had someone use my email to purchase airline tickets for their entire family — I went to the airline’s website and pulled them up. I could have canceled their flights if I’d so chosen. Someone set up an Amazon account with it. I’ve gotten plenty of confidential materials from senders who had the wrong address — NDAs related to business acquisitions, stuff about a porn addiction meant for some minister with my name, crazy stuff.

    If it’s school-related, church-related, or otherwise personal, I generally email the sender and let them know they have the wrong person, and I sometimes give them the right address. I’ve done enough Googling that I often know the email of their intended recipient.

    But I have tons of filters in Gmail that automatically delete crap. It works pretty well, but without them I’d get overwhelmed.

  7. John Levine

    It’s not just you. My Gmail address is my name, and I get an endless stream of mail for people with names similar to mine who imagine that my address is their address. In more than one case I’ve found the person, told him that it’s the wrong address, and even so before long they give my address to someone else.

  8. Yawar

    I have a fairly simple (but I wouldn’t call it ‘OG’) Gmail address, and I have been getting order notification email from Amazon.in frequently enough that I just today blocked it.

    Regarding MFA, I’m not opposed to it but I think security questions/answers are better when available–more generalized and I don’t need a separate app–they can live in my password manager with my passwords. Needless to say, my security answers are always randomly-generated strings like ‘6s8kw7zwb5wzesbt’.

  9. Bob G

    I had a Mindspring address of “bobg” (I was customer #1100 or so) and used to get all kinds of good stuff for “Bobs” with a last name that started with “G.”

    But the oddest one was a woman from Texas who used my 23-year-old business address to subscribe to a number of services including Good Housekeeping Magazine. After she refused to quit using it, I logged in, changed the delivery address to mine, and enjoyed the remainder of the subscription.

  10. lkjlkj

    One thing I’ll add — I have the same firstLast@ and firstLastInitial@ on outlook.com, and I don’t get anything on those. All the junk is limited to Gmail.

  11. Tom

    This happens to me as well, although perhaps not as frequently as in your case.
    But I’ve been receiving emails for years from and for strangers who, for whatever unfathomable reason, are using an email address they don’t have access to (well, I sure hope they don’t).
    I’ve long wondered if this was perhaps a routing error on Gmail’s side (e.g. when people put a dot or a plus in their email address?)

    1. JHD3

      GMail is supposed to be “dot blind” these days, though that did not always seem to be the case.

      My early GMail grabs were just family personal names. Never thought to get clever ones.

    2. timeless

      gmail ignores the plus and anything that follows it.

      so `alfred+whatever-you-want-here@gmail.com` is delivered to `alfred@gmail.com`.

      gmail also ignores individual dots, so `a.l.f.r.e.d@gmail.com` also goes to `alfred@gmail.com`, as does `al.fred@gmail.com` or any variation.

      These two features make it easy to figure out which group is leaking your email address as you can do `alfred+chasebank@gmail.com` or `alfred+amazon@gmail.com` in order to distinguish things.

      Note: gmail does not allow multiple consecutive dots, so `alf..red@gmail.com` should be bounced.
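The two Gmail rules in the comment above (plus suffixes and single dots are ignored, consecutive dots are rejected) are easy to apply in code, and doing so has two defensive uses: deciding whether two addresses really are the same inbox before treating one as a "backup" for the other, and working out which tagged copy of your address a stranger obtained. The following is an added example, not code from the post or from Google; it assumes `googlemail.com` delivers to the same mailbox as `gmail.com`, and the message list and sender names are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumption: both domains route to the same Google mailbox.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Return the mailbox an address actually lands in.

    For Gmail this drops the '+tag' suffix and every single dot and folds
    case, per the comment above. Other domains have their own rules, so only
    the domain part is lower-cased for them.
    """
    local, sep, domain = address.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GOOGLE_DOMAINS:
        return f"{local}@{domain}"
    if ".." in local:
        # Gmail bounces consecutive dots, so treat the address as invalid.
        raise ValueError(f"gmail rejects consecutive dots: {address!r}")
    base = local.split("+", 1)[0].replace(".", "").lower()
    if not base:
        raise ValueError(f"empty local part after normalisation: {address!r}")
    return f"{base}@gmail.com"


def is_valid_gmail(address: str) -> bool:
    """True if canonical_address() accepts the address as deliverable."""
    try:
        canonical_address(address)
        return True
    except ValueError:
        return False


def same_inbox(a: str, b: str) -> bool:
    """Would mail to a and mail to b land in the same mailbox?"""
    return canonical_address(a) == canonical_address(b)


def plus_tag(address: str) -> Optional[str]:
    """Return the tag after '+' in the local part, or None if there is none."""
    local = address.strip().partition("@")[0]
    _, sep, tag = local.partition("+")
    return tag if sep and tag else None


# Constructed inbox sample as (recipient header, sender) pairs; not real mail.
SAMPLE_MESSAGES = [
    ("alfred+chasebank@gmail.com", "alerts@example-bank.test"),
    ("alfred+amazon@gmail.com", "orders@example-shop.test"),
    ("alfred+chasebank@gmail.com", "win-a-prize@spam.test"),
    ("al.fred@gmail.com", "friend@example.test"),
]

# Which organisation each tag was handed to (constructed).
EXPECTED_SENDERS = {
    "chasebank": "alerts@example-bank.test",
    "amazon": "orders@example-shop.test",
}


def senders_by_tag(messages: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group the senders seen for each plus tag (untagged mail under '(no tag)')."""
    by_tag: Dict[str, Set[str]] = defaultdict(set)
    for recipient, sender in messages:
        by_tag[plus_tag(recipient) or "(no tag)"].add(sender.lower())
    return dict(by_tag)


def suspicious_tags(messages: Iterable[Tuple[str, str]],
                    expected: Dict[str, str]) -> Dict[str, Set[str]]:
    """Tags that received mail from someone other than the party they were given to.

    A non-empty result for a tag means that copy of the address has leaked
    beyond the organisation it was created for.
    """
    result = {}
    for tag, senders in senders_by_tag(messages).items():
        if tag in expected:
            strangers = senders - {expected[tag].lower()}
            if strangers:
                result[tag] = strangers
    return result
```

Run against the constructed sample, `suspicious_tags()` reports the `chasebank` tag as having been contacted by a sender other than the bank, which is exactly the attribution the comment describes; `same_inbox()` is the check to run before accepting one address as the backup for another.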

  12. Bharat

    I have been dealing with this problem for years now (I have an email address as firstnamelastname@gmail.com). For the first few years, I tried emailing folks/companies to remove my email from their systems, but have now given up.
    With the number of emails I get every day, my email account has become unusable, and I have resorted to using a not-so-common email address for my personal use.

  13. Mike M

    Mine is a gmail with first initial + common last name. 80% of what hits my inbox is for other people, often with sensitive personal info. Here are some things I’ve gotten over 16 years:

    -Staff tickets to the 2009 presidential inauguration
    -Passport/sensitive document scans from an NFL team
    -Scans of credit cards
    -Backup gmail account notifications for 20-30 other gmail addresses
    -Logins for almost every service provider or store (internet, cell phones, insurance, retail)
    -Financial statements (credit card, mortgage, bank account, retirement account)
    -House inspections
    -Job applications, resumes, and reference requests (yikes)
    -Tons of Docusign requests and invoices
    -Personal photos and videos

    I take great effort to notify people / delete things / be respectful, but the big problem is that almost no companies provide a way to say “No this wasn’t me.” I’ve often thought about just getting a new address and starting over, but the foolish pride of an OG address fuels tolerating the inconvenience.

  14. Dave

    >without considering that someone might own that domain

    Friend of mine noticed many years ago that the email domain for a government agency that doesn’t like to talk to the public much was unregistered, so just for yucks he registered it.

    And started getting a lot of email on it that made him very nervous. Which led to a second problem, figuring out how to hand it over to said agency without getting into trouble…

  15. John Doe

    My gmail address is my name, which I apparently share with military officers in several countries. Yesterday, a senior US army officer sent me (amongst others) an Excel spreadsheet from his .mil address with detailed personal information for his entire unit. Everything from parachute qualifications and weapon serial numbers to home addresses and next-of-kin cell numbers. Exercise for the reader: try to find a working website or email address where a civilian can report an Army PIIA breach.

    More amusingly, there is a lovely bloke in the Australian Navy that I know all about too – diplomatic travel itineraries, family relocation documents, photos from that wild night in Hawaii, from the girls who can’t wait for his next port call…

  16. Ted leaf

    And yet some nice short invite era Gmail never get picked on. I managed to get quite a few invites and set up about 12-15 Google and Googlemail accounts, then got more when they allowed Google mail.uk and then some more when they went to Gmail.
    Some are still virgin accounts, registered, but never used except for tests to make sure they stay alive and I can prove ownership and control over them.
    Some get used by lots of other folks for all sorts of rubbish, but some are fun trying to play with.
    I’m still waiting for someone to make me an offer for some of them.

  17. Keith Thompson

    I signed up for a free email account whose address *looks like* an obviously fake address. I’m not going to disclose what it is, but think “fakeaddress@example.com” (except that it’s on a server that actually exists).

    I sporadically get notifications from services (health insurance, travel, etc.) for people who apparently didn’t feel like providing their real address, and didn’t realize that mine is a real address. Just the other day I got a batch of 30 or so notifications, apparently the result of someone setting up accounts for a group.

    In some cases, I’ve tried to contact the service provider and their web form insists I provide my account number, when the whole point is that I don’t have one.

    1. Thompson's Waterseal

      Change your name to Weber Grill and see what happens?

  18. Fred Lee

    I thought it would be a good idea to sign up with my first initial and last name. Like my unix account at college and at my place of employ. Easy to remember, keeps everything consistent. I really wish I hadn’t done that.

    Turns out that’s not a particularly unique combination. I’ve got credit cards using my name, someone’s Robin Hood account, all the usual garbage.

    There is also a psychologist in Australia who has provided my email address to several of her patients (or they got it wrong). I get sensitive emails from them about various issues.

    There is a title company with an employee who has used my email address as his. I’ve gotten countless emails with mortgage servicing documents. These include social security numbers, income, tax forms, addresses. Everything I would need to commit serious identity theft.

    There’s a lawyer in Texas who has a similar name to mine. Her law partner sometimes sends her personal rants about her family members, who are quite troubled, to my email address.

    Last week a woman sent me an enlarged picture of a disturbing mole. Her dermatologist has a similar email address.

    I have a gmail label, “Mistaken Identity” where I file all these away. Sometimes when I get an email that’s intended for one of these folks I’ll forward it along. I’ve had several internship requests come that were intended for the psychologist (she is also a psychology professor), so I’ve forwarded them on.

  19. Andrew

    My business domain is close to a medical imaging domain and I’m routinely sent scans / home address / medicare submissions to my domain via a catchall. Typos can reveal A LOT!

  20. Andrew

    I get this all of the time on my gmail account. Some kids signed up for the SATs with my account, and they don’t verify email addresses. So now every college in the nation emails me inviting me to open houses and visit days.

  21. Tom

    Years ago I was quite pleased to set up an address as tom@ my university’s alumni association. Was great until it was overwhelmed by spam and other garbage.

    Now for some critical issues I use email addresses of random characters, generated by a password generator.

  22. John

    I also have an OG email address, there is a guy in Manila (Philippines) ordering food, there is a retiree in Florida dealing with a mechanic and bank statements and notifications for another gentleman in Chicago

  23. keiran

    I have an OG account as my primary account; just last night I was able to acquire access to someone’s online shopping account who has been using my email account for buying clothes online.

    Once in, I was able to see all their actual details, and changed their email address away from mine to stop getting spammed by their purchases.

    In the past, I’ve found my way into accounts with saved card details, stored store credit and more, all because people put my email address in rather than their own.

    I’ve also got numerous quotes on financial advice, pay slips, renovation plans and quotes, insurance claims with photos of accidents, event tickets, you name it, I’ve seen it over the last 15 years.

    One of my most memorable ones was when I woke to find a few hundred dollars of Amazon vouchers in my inbox where a guy’s elderly parents sent them to me instead for his birthday. Given I had received so much of his email and correspondence, I was able to go through it all, find out who he was and get them to him, which he was very happy about… strangely, I still get lots of his emails.

    The internet is a strange place 🙂

    1. timeless

      Ah yes, I received a non-trivial sum via paypal to my account.

      Mostly, my friends joke about people who think I’m tim. (I actually ran across a tim recently.)

  24. Tamzen

    I too have an early gmail account, which amusingly enough I got to set up a non-traceable gaming account back when gaming on the Internet meant text-based MUDs and variants. I regularly cancel accounts for fantasy football leagues, gaming sites, hematology labs, endless colleges etc. I did google-stalk one poor woman who was in danger of having her car repossessed because she used the wrong address. She too was sure I was a fraudster. Mostly I just reply (if possible) that Michael/Michelle/Molly/Mark etc. is too stupid to know their own email address and you probably don’t want to hire them after all.

  25. some guy

    I have a two character protonmail account and get a LOT of things also. I had a psychologist in Australia send some very sensitive information and swear she sent it to the correct address even after I told her that it was wrong. I have had people purchase things and register my account as their email account. I even had one individual who, knowing that it wasn’t her account, used it to get information about building a new pad in France! There was also an individual who purchased a fairly pricey online package for something, which I had their full account access to use.

    In addition to all of that fun, I also have a very generic hotmail account that people love to use when they do not want to leave an email address. I don’t know how many dating and porn sites it has been used on for people who want to try one out and not give their real address.

    On the hotmail one, I usually just hit whatever site I get the email from and click the forgot password link and delete the account. I figure if the people are using an address that obviously does not belong to them, they are usually violating the TOS from the site anyway. Somehow I find it refreshing to delete an account when someone was trying to hide their identity in the first place.

  26. Chuck Sharp

    I’ve had an ‘OG’ Gmail account since it was invite only and I get bank and loan statements, dating and porn site confirmations, and was even mistaken for a pastor by someone hiring for an administrative position in the Catholic Church. I’ve had banks tell me they can’t change the email address without another factor which is ironic because the intention of my account was a second factor. Oh well.

  27. Matthew

    In addition to the just annoying, like product warranties, car dealerships, and cable accounts, my OG email account also gets used for a disturbing number of financial accounts.

    I spent many wasted hours when this first started happening trying to unravel it, but companies don’t care and sometimes tracking down the right user requires getting internet creepy. Now I just unsubscribe and figure folks are lucky I’m motivated to not take over strangers’ accounts and leave it alone.

  28. Midweight

    I have a “mid-weight” OG gmail, and I can’t believe that tech giants such as Facebook and Instagram allow people to create and activate new accounts without first verifying their email address. It shows that these companies care more about getting the sign-up than verifying the integrity of that new account. I’m not sure if this still happens in 2020, but for a while there it clearly was happening.

    I’ve also received a bunch of “wrong emails” over the years, clearly not spam, but highly personal stuff between businesses and their clients, including medical and financial items, and heaps of other stuff. These people are lucky it ended up going to me, and not someone who would be malicious with such items.

  29. Mark C

    I have first initial+last initial+4-letter last name@gmail. The most interesting email I received mistakenly was a $75 Amazon eGift for my “baby shower”.

    I tried to get the eGift back to the sender, but couldn’t find any way to contact the sender other than a name. I even sent a thank you message through Amazon’s system explaining what happened and offering to send an eGift of equal amount back to the sender if I could just get a valid email address. After a few months of trying and no response, I just redeemed the gift into my Amazon account.

    I assume most people as in this example really mean to give out (my name)+some numbers on the end@gmail – but the added numbers get lost in translation.

    Like others have mentioned it’s shocking to me that companies such as Walmart, Verizon, Amazon, Chase, Ring, etc. don’t use email opt-in before sending sensitive information or order status messages.

Comments are closed.