When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.
About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.
Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.
What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.
But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.
I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.
If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.
It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.
For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.
On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and ask what motivated them to do so.
Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.
Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.
Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.
More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).
Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.
As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.
Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.
I have a 2004-era Gmail account that’s a short name (a Googler invited me pre-launch). Thankfully it’s not a super-common name, but I’ve still had all the same issues with accounts and backup accounts with it – thousands of them.
That’s the boring stuff. A few incidents are more memorable:
– I received not one, not two, but three full mortage applications with all supporting documentation, bank records, etc. I replied to these; one bank got quite huffy about why I wasn’t signing their docs more quickly.
– A hapless parent sent me a scan – at super-high resolution – of their child’s Social Security Card.
– A plastic surgeon sent before and after pictures of work they had performed on a young woman (the photos were partially nude). “I think they came out great!” – direct quote from the doctor. I called the office and berated the doctor’s staff for 15 minutes after deleting the images.
I registered my simple “first.last@…” address in 2005 without being aware of just how common my name combination really was.
In the years since, I have corrected or killed so many different situations I’ve lost count. I have an automatic reply that currently includes a partial list of 13 different *categories* of items I have received. My folder of this detritus contains nearly 2,000 items.
In one of the worst examples, I received a PayPal receipt in 2015 for an eBay transaction which I was never a part of. There was enough information provided that I was able to contact both seller and buyer and verify that the eBay transaction was legitimate and the sale had been paid correctly by PayPal, but I was not able to determine why my email address received the the receipt. eBay Customer Support (which still owned PayPal at the time) never responded.
It is not possible to fix many of these, because the lack of human support means that you can’t ask for help unless you can prove you are already a customer. Many *major* companies do not even attempt to verify the email addresses they store (Microsoft Xbox Live, Facebook, CapitalOne, etc.), because there is no economic incentive for them to care.
What percentage of email is essentially junk because it’s not reaching its intended recipients, and how much does that cost in terms of wasted infrastructure?
What would help is a means to automate blacklist population for every spurious email received, whether it was SPAM which contained a link to a malware site, a bill from a car dealership you don’t do business with, or registrations to web sites you’ve never heard of. With the right algorithm, the blacklist could be populated and notifications sent to the perpetrators, forcing legitimate operations to defend their email address acquisition/verification process and insure the cleanliness of their back-end mail services or have their mail blocked from sending.
It would take years to clean this up, but it took years to make the mess. When it costs money to ignore this issue, it will get fixed, but not otherwise.
Brian, have you checked if your Gmail address is used as username to someone’s Microsoft account?
Recently, a fresh looking spam campaign started arriving to my inbox. Checked one of the links in the emails, it redirected to Microsoft’s login page. I closed my VM, manually typed account.microsoft.com into another browser, typed my Gmail address as username and requested password reset. Sure enough, the spammer had created a fresh Microsoft account using my Gmail address as username. They had attached their own email as additional contact email in MS account.
I thought this was odd, as I don’t believe I was targeted. If it’s possible to automate MS account creation this way (i haven’t had time to study this) why would they not use a longer string as username.
Process of adding email account to a service is usually flawed. To make life easier they email the link to be clicked which in fact doesn’t confirm you have access to that account. And I’ve seen many places where clicking that link is enough. They don’t even require to sign in.
If they asked you to retype the code from email back to the browser it would help with such slip ups
Krebs, the original O.G.
I’ve always assumed that malware lurks in links in emails saying “so-and-so has given your email address as a backup”
I once received someone’s Senior Year photos from their school. They thought adding a “.” in between the name of my email would somehow make it different, even though they obviously never tried to access said email. I guess they didn’t know about Gmail aliases. I also receive frequent notifications from EA, Epic, and Steam stating that someone is trying to access my account when I have never had accounts for those services.
Irony alert. The donotreply domain appears to be for sale! Pretty sure I wouldn’t want to own it.
Nothing like you describe, but a 6 letter account name that starts with a name still gets me a few. Apparently there are a lot of people who don’t realize that you have to register for a Gmail account & that you only get an exact one – approximate mashups of your names and initials won’t work.
I would want to let these people know they made an honest mistake, but I don’t know how to contact them because the only contact I have is actually mine. The one time I felt bad about it was a school trying to contact a father that his son got in trouble and that the father should come to pick him up ASAP.
I signed up to Gmail back when it was invite only, I don’t have this problem, though I picked the email address to be my first name and part of my surname so I guess that helps..
guess im not one of the “cool kids”
Same here, actually I’ve created an “NotMe” label to categorise stuff from a dozen different people…
Yep, I have a ‘misdelivered’ folder to store all the weird things that arrive at my “initial.lastname@gmail” account. I’ve had messages asking for my input on a new airport in Dubai, X-ray scans of some girl’s teeth, overdue account notifications of increasing severity, wedding congratulations, and financial advice for some company.
Possibly the strangest one was when I tried to create an Apple ID and discovered that somebody else had somehow already created one using my email address, without me ever being notified about it. I do not feel guilty about ‘stealing’ that account back.
I too have an og Gmail account. I have bank account passwords, loan applications scans of passports, licenses , national identity cards, etc even scans of witnessed documents. For a few people I’d letthem know very directly that they we’re sharing their details with someone they didn’t mean too…
I’ve never been yelled but the amount of password reset and sign in attempts is insane.
This story quite resembles a talk I saw at HOPE this year.
archive(dot)org/details/hopeconf2020/20200726_1800_Anatomy_of_an_Accidental_Honeypot.mp4
yep.. its absolutely crazy some of the things people sign up for with my address, i have data coming in from multiple banks, multiple mobile companies, tax services, streaming services, delivery services, ebay, lyft drivers.. i dont use a lot of sites personally so almost all the popular places have “me” on them.
i receive hundreds of email on a slow day, easily up to a thousand on bad days. its a nightmare. then theres variations on my name which i also receive.. so any dots my.email@gmail, or prefix+myemail@gmail and on and on..
gmail? NEVER! For various reasons.
Nor Apple, F.c.book, Microsoft, Yahoo and the like.
Of course I don’t own such an address.
And I don’t communicate with those addresses. All is regarded as SPAM.
The only US-based email provider I use is lavabit. 😉
Why not gmail? Don’t be paranoid, mate.
if you don’t know why, I cannot help you.
There are so many reasons that I can’t repeat them all here.
Who WANTS to know them can know them.
One of them is discussed here above by Brian and commenters.
You may call it paranoid; I say “better safe than sorry”.
I too have a somewhat ‘OG’ Gmail address, at least enough that other people use it. Frustrated with the amount of emails I got from American Airlines once (I don’t live in the US), I decided to log into their account and change their meal preference to ‘bland’.
That was definitely an ‘OG’ thing to do I should do something like this.
I love it! I get itineraries every time a certain couple fly on Southwest. It’s a good thing I’m not a burglar. (Southwest completely ignored a letter from me and including an itinerary number that’s not mine, suggesting they should validate email addresses before sending confidential information. Delta has the same problem.)
I’m curious how you distinguish a genuine case where someone signed up with your email address from a simple “pray and spray” phishing attack where large numbers of potential or known email addresses are spammed with what appears to be email from various companies.
Similar experience here. My most favorite random account I got was some sort of ‘vet management’ system where I supposedly own two cats, and I can preselect treatments and checks for them during the next visit.
I lost track how many houses or cars I apparently am considering to buy or sell.
The internet is a very strange place.
I feel your pain! I get a pretty steady stream of github PRs in my inbox from people using the string @dave in their comment
I have an OG Gmail account, and this kind of thing happens all the time. I receive statements from a hardware store in Australia, and offers (along with contracts and a detailed salary breakdown) to become a cardiac surgeon in Maryland. I am a neuroscientist, according to emails I receive from a respected mailing list in Brazil, and have been invited to speak at their national conference.
Like you, I have been signed up to practically every service imaginable and get texts every couple of weeks to say that someone is trying to reset my password.
I get a pile of emails not for me, most memorably:
– invoices/quotes for everything from gravestones to painting a boat
– updates on a particular child’s day in kindergarten (and it took a few tries to stop receiving these)
– $70 refund on a car part through PayPal
– invite to a stag party
– a witness statement meant for a friend to verify
– details of a target meant for a private eye
– access to a television streaming service that I’ve enjoyed sharing for the past 5-6 years at this point.
I have a 3-letter mac.com which I registered the same day Steve Jobs revealed iTools. And that means I have me.com and iCloud.com, too. I’ve never used the latter two, but I get this happening on all three.
Just yesterday, I received an email with subject ‘test’ from someone with a first name the same as my email address. I replied, and let them know this wasn’t their address, which I assumed is what they were testing. They replied to apologise, and explained that it used to be their address, and that the “d*cks” at Apple must have given me control of it. I’ve let them know that I’ve had this account since 2000 🙂
I’ve had numerous emails about someone’s kid’s progress at school, and details about some business deals, or holiday plans. But the worst are when someone signs me up for some unpleasant service, some of which start bombarding me with invites to ‘chat’ with ‘buxom69’, or something equally unpleasant.
I fund that with Gmail especially, their ignoring a full stop “.” in the email is something many people are not aeare of.
And often one can add an email without any verification, it seems. When Igot tired of the pestering Samsung sign-in notifications of unknown origins, once, Iactually did a password recovery to take over that account, found the contact info of the person who set it up and gave them a ring, explaining what they had done and if they could kindly change the account to an email they actually owned.
I have a relatively OG gmail account, my somewhat common last name and my first initial. I have been receiving one woman in New York’s medical bills for years. I have received several gift certificates for middle brow chain restaurants in England. I receive one Scottish actor’s alerts for upcoming castings. It seems as though my last name is more common in the UK than the rest of the world. Though for over a year I received someone’s telecom bills from India.
I don’t usually get set as a backup account though, it seems as though all of these people just don’t know their own email address? Or have an email address one or 2 characters off from my own? It never ceases to be amusing.
I signed up for Gmail when I lived in an eastern European country, and used a common word in that language. Quite a few people in that country seem to think my address is theirs, including one who started a job at a Norwegian company, so guess who received the guy’s first payslip? (I contacted the data protection folks at the company so they could handle it.) Meanwhile, Vodafone in that country has been hassling me over non-payment for someone else’s account, and I hope someone made his flight from Copenhagen to Frankfurt given that I’m the one who got the confirmation.
Don’t get me started about the gaming websites. I used to try and get my address removed, but now I just change the password and secure the account.
Props to the person who was starting to learn English through Duolingo, and sorry I wiped out your progress.
GMail account. Every half a year or so I get an email in Hebrew from the Israeli Defense Forces, requesting me to report to some station (from what I can gather from the Google translation). No joke. Either I am some sort of Jason Bourne-style character, or the IDF need to start validating email addresses before adding them to their mailing lists.
Yup, been there. Oh, good article. Even a simple name like mine, can be found all over the world. With the same need for an email account. I have throwaway accounts, spam accounts, and those that are useful. I have to say this, but Google your name. See how many want that simple, easy to remember account name. So, they have to try that for new areas. And also, even email names like computers, can be wrong.
I have a very old email based off my surname. This means I often get redirected messages for others with the same name who apparently can’t remember their actual email. I have many purchase receipts, some voting information (reached out to the election officials), many random job offers (mostly for a woman who put my email on her cv) and other various stuff.
I get quite cross with companies sending sensitive data to me without first checking the email first though. People make mistakes, businesses should know better.
I guess I’m an IG (invited gangster) on gmail. Even though my address isn’t short, I get all kinds of messages.
The most egregious were for some guy buying a house someplace in the London suburbs. I got PDFs of his closing documents from his lawyer.
And there was the guy with the unpaid parking ticket from the govt in New South Wales, Australia. And the budget spreadsheet for a small and poor church in New Jersey.
The Basecamp company is standing up a new email service at hey.com. They’ve learned from experience: they charge a lot extra for short addresses.
I feel your pain. I have what might be considered an OG email account as well. I regularly receive:
– Mobile phone provider statements
– Auto dealer service reminders
– Overdue notices for a Capital One account
– Password resets for social media and gaming sites
– Estimates/invoices for home repairs
Occasionally, I get something interesting though. A few years ago, I was receiving production and scheduling emails for a major movie. I guess one of the crew provided the wrong email address.