September 2, 2020

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.

About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.

Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.

What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.

But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.

I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.

If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.

It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.

For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.

On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and asking what motivated them to do so.

Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.

Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.

Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.

More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.

As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.

This entry was posted on Wednesday 2nd of September 2020 09:08 PM


265 thoughts on “The Joys of Owning an ‘OG’ Email Account”

  1. Bob Brown

    I got my OG address during Gmail’s beta testing because I was in the process of buying a Google Search Appliance (remember those?) at the time.

    I’ve had the same trials and tribulations, but last week I was invited to a Bat Mitzvah, which I thought was nice. Trouble is, it’s in a far away state, and I’m not flying this month. I sent a “many blessings” message and an exhortation to be careful with email because I know when the family won’t be home.

  2. Ray Antonelli

    Hi Brian,
    As you can see I have one of those original Gmail addresses from an invite. Nothing bad happened to me until a few years ago.

    Then the floodgates opened. Many folks reserved cars using my email address in the UK. Porn sites of course. It never ceases to amaze me…

  3. Paul

    Mine isn’t a gmail account but I get lots of mail from companies welcoming me as a new customer. Many have an “unsubscribe” link but if I go there they ask for a user name and password.

    It is most annoying that the unsubscribe link isn’t always enough to unsubscribe. If I get the email, they should allow the unsubscribe without more information.

    Some companies get it and have a query string attached to the link. I get “sorry to see you go” messages from those. Of course, I investigate the sending domains first but they are usually the biggest companies in the USA that get it right.

  4. John

    I have a short old gmail address (this one) that is not an (English) word and I chose purely out of liking and to have something that felt really unique. But for some reason it seems to be really, really popular (or similar to someone/some corp that is largish) in India of all places. I have received tons of resume submissions, invoices, etc., sometimes including full color scans of Indian drivers license/ID and everything. It finally tailed off a few years ago, but it was definitely wild. I too tried to reply a few times with “wrong email” but gave up under the torrent and just started deleting it all.

    A real issue as you say with OG type email deluge is precisely that it’s so often 100% genuine organic stuff, not spam. Like, yeah there is plenty of spam too. But since so much is real people actually writing or signing up for real things, you can’t lean on normal spam tools because if you train the algorithms to reject this stuff you’ll absolutely start getting massive false positive rates on things you want. Extensive whitelisting becomes important to keep it useful.

  5. Mexifinn

    I have an OG gmail – and my address isn’t that short… ********@gmail.com. I get emails for tons of people with the same first initial as me and the same last name – ALL of the time. I had a professor send me her final exams one time because she was conducting her university business on her personal gmail, but always forgot to add her middle initial to the address.

    I also have an OG Apple account and use the same username with a .mac domain. But emails to the username at icloud.com and me.com also go to me.

    Don’t companies make you verify your email before signing up for their crap?

    1. rg

      Oohh man; it sometimes feels so absurd how many boarding passes, wedding invitations, bank account statements, requests for document signatures, etc.

      Sometimes, I’m disappointed in the collective stupidness of people that also carry my name.

      I’ve even thought this is a sort of “preventative black flag operation” trying to discredit my name,… You know, in case I ever step on some politician’s toes if I call them out on corruption, they can allege it was me who was corrupt all along (with my supposed Chilean, Venezuelan, Ecuadoran, and American accounts).

      I meticulously classify them in a folder, and try to contact, unsubscribe, and—if all else fails—report as spam… But they keep piling up.

  6. Larry

    I used to sign up with the garbage email addy of none@nowhere.net – until someone actually set up and registered it.
    I’m not the only one so there are probably thousands of emails Mr None gets on a regular basis.

  7. Steve

    Is my email secure on THIS message board? The past month or two, the onslaught of spam has increased greatly. Hotmail catches it/into spam folder, but I have to check it daily because there are a few legit friends whose email goes to spam no matter how many times I tell hotmail it’s ‘not spam’. Is this spam increase due to the issue you talked about? My hotmail is not “OG” as far as I know, but I’ve had it since 1999.

    1. JCitizen

      On outlook email, you have to add people as a contact to get them into your inbox – I used to use the whitelist function, but when they changed the GUI for Outlook web mail, I decided it was easier just to click on the ID badge and add as a contact. I click “more information” to do that. Probably not the most expeditious way, but it worked, so there I go!

  8. Christian

    I have a very generic mail address like “…@email.de”. It is one of those where people probably think it is a test account.

    Sometimes it feels I can follow some people’s lives. I never understand why they think it is a good idea to register with all kinds of services using a mail address they don’t own. So far I didn’t dare to call them on their mobile phone or, worse, make a purchase on their bill.

    To be fair, most sites are useless until the mail address is confirmed, which I of course never do for other people’s accounts.

  9. James

    I get lots of stuff from South Africa and the Netherlands. I have a folder called “Not Me”.

    For sign-ups from companies, I sometimes try to log into the account and change the email to a temporary one. For more personal emails, I do tend to reply that I’m not the intended recipient.

  10. Eric

    I have several OG email accounts. Sometimes it can be rather annoying when you want to sign up for a service and someone already used your email address… some services require DOB or information you don’t have in order to move the account off of your email address and make your own, so you are stuck with a bogus account on your email permanently.

  11. AndrewM

    I have a Hotmail (HoTMaiL) account from 1996 still. It’s one word, and I continue to get all kinds of email on that account from all over the world. Been ongoing for decades. Much personal stuff too, and I still try to let people know they have the wrong person.

    For my Gmail and Mac accounts, people with names similar to mine often use my email as a backup, allowing me to, for example, lock them out of their Spotify account. Again, I try to let them know, but in the end they need to figure it out.

  12. David

    Certain financial institutions demand that we have email addresses. Once they fill in the field, often without asking, their systems don’t allow it to be cleared.
    A very large credit card company seems to have this issue. When I complained, the CSR said she would set the email address to nobody@none.com for me.

    I complained about that address, but doubt the record was cleared, so now …

    Regular people have no idea how the internet or email actually work. Not coming to me, is as good as going nowhere, at least in their minds.

  13. Ed

    Mine is an OG gmail account that’s sports related – what I competed in at the time. I would get sometimes invoices to a retailer of that sport.

    Once I got an invite to open a Bicycle shop concession for the US Navy Exchange in Bahrain. That would have been an interesting side gig.

    A financial adviser who’s a cyclist asked me for my contact email address. When I gave it to him his eyes opened, “What no numbers or anything else?”.

  14. epc

    I have “OG” accounts for mac.com, Gmail, Twitter, Instagram and several other services. Apple has grandfathered mac.com (and the later me.com) addresses so email to @icloud.com comes to me. Multiple people seem to believe that that’s their email address, primarily in the US and the UK (though someone in France has used it for their bank account). So many services do not verify email addresses (Instagram is a particular repeat offender) when added to an account. I have MFA set up on all accounts where it’s available so it’s mostly a minor annoyance when someone decides to try to access the account they think has been theirs for months or years (while it’s been mine for…decades in a couple instances).

  15. Aaron

    I have a Gmail address that originated back in the beta days of invite only. I only got an invite because a gaming buddy of mine got an invite. It was sometime in 2005, iirc. I do miss seeing the GB counter that was constantly counting up how much free storage space they were giving each account.

    Having an “og” account I do get soooo much spam it’s disgusting but at least Gmail spam filter takes care of 98% of it.

    The most fun is when other email addresses that are very similar to mine are created and try to use my email address as the backup recovery email address… I just say thank you and change their password. The same thing goes when people for whatever stupid reason create accounts to Instagram, Facebook or whatever else using MY email address… thanks for giving me access and full control of your social media account… DELETE!

    The account has a sport association in it and I get lots of associated emails from sports clubs from around the world; Japan, Ireland, Columbia… can’t even read most of them without pulling out Google Translate. It’s interesting to see club schedules published before they are available on public websites.

    All I have to say is thank Google for having 2FA for accounts otherwise I’m sure it would have been hacked away from me a long time ago.

  16. Charles

    Happens with phone numbers, too. I have a few toll free numbers for my business. Especially 800 numbers get re-used, so one number I had got so many calls for the previous owner that I deleted it.
    Another number is one digit away from the West Virginia welfare department. I get lots of voicemail messages from people looking for their welfare checks. Some even leave their account number. -and yes my voicemail does state my company name and my own name, but people don’t listen.

  17. gmqil

    In 2017, I registered a single typo squatting domain of icloud mail. That entire year, I collected thousands of accounts (I didn’t access them, just observing), including financial institutions, and even a few hacker forums (haha).

    Also, I’m imagining that you own 1337@gmail.com

  18. Joe

    I got an early @gmail account, but because my last name is not all that common I haven’t gotten too much of this stuff.
    I do have my own domains, though, and for some unknown reason lots of people in Brazil registered on Facebook with @, and the confirmation emails ended up in my mailbox. I changed the passwords of the accounts. FB does not have a way to report wrong emails.

  19. Guyon Cumby

    I’ve had a similar experience with an email address that stems from the TV show Arthur. In one episode, Arthur is selling toys online and uses an “email address” (it’s really just a username). I registered a GMail account with that username, and I get many of the same emails where people sign up for random things (gyms, banks, games, etc) using that address. More fun though is people asking me if they can buy my toys.

  20. Karen

    I have a twenty-something year old email address that I created to receive business emails at home. It is just my first and last name. Recently I have begun receiving confirmation pin numbers from a few “questionable” porn and dating sites. Of course, I don’t respond, but it got me thinking it is time to retire that old address. I’m wondering what is the best service to move to, or does it really matter?

    1. Bob Brown

      It doesn’t matter. If you actually use an email address, it will get passed around. I have one that I reserved ONLY for communication with a few friends. Those friends innocently use it for something like Evite, or to send me a magazine article, or whatever. Now it gets just as much junk as the one I use to sign up with, e.g., Amazon. (Not that Evite or Amazon are spammers, just that you cannot keep an email address private.)

  21. Robert

    I’ve had r+(not entirely common last name)@gmail.com since the invite only days, and have accumulated EXACTLY this kind of cruft (iTunes, power bills, dating profiles, blueprints, softball teams, school PTAs, several job offers) from people named Roger, Ron, Reggie, Ray, Reed, Robin, Rick, Ross, Ruairi, Raj, Roberta, Richard, Raymond, Regina, Racquel, Ryan, Rebecca, Rhianna, Rowena, Rodney and Roy. I’ve kept a list.

    I still politely inform personal emailers of their error, and did once track down on FB someone whose cellphone was about to be disconnected, but beyond that it’s just giggles at this point.

  22. SteveVDC

    One of my email addresses is an early account name that regularly gets used by other people to sign up for services. Most recently, a high school student apparently entered it as his/her parents’ email address to receive the student’s SAT scores.

  23. Ayaan Hersi

    Hi Brian,

    I am 100 % sure that I have an original Gmail address. I had people trying to access my Paypal account and dating sites.

    The worst experience was when hackers from India were trying to hack into my gmail account which was absurd as I live in the United Kingdom.

  24. Kent England

    It’s not just OG addresses. Someone uses my gmail address because it matches her first initial, last name. She uses it to sign up for web sites. She gave it to her daughter’s tooth doctor for appointments.
    Not able to reach her to complain. Canceling appointments and unsubscribing from new accounts doesn’t faze her.

  25. Thomas

    Pretty sure I get email for every Thomas [MY COMMON LAST NAME] in the world. I get job interview requests; flight, hotel, rental car reservations; home renovation estimates, insurance claims. One guy owns an interest in a fried chicken chain and I get the monthly P&L statements. There’s one in New Zealand who orders Dominos Pizza 2x or 3x a week, heavy on the peri peri swirl. I get just about everything imaginable.

    I got my Gmail invite pretty early on and was pretty thrilled that my name was available. Now it’s so full of email for other people that my account is nearly impossible to tend. I should have added a few random digits to the end of the address…

  26. Justin

    Original gmail invite and set up my first initial last name email address. I’ve received emails from all over the world, cell phone bills, family photos, potluck planning group, rental car agreements and receipts, hotel and flight arrangements, contractor invoices, a mom yelling at her child. The current thing is every job candidate’s information for a posting by some headhunter company. Along with being subscribed to every newsletter and political candidate imaginable of course. I don’t even have a common last name!

  27. Andrew Rossetti

    While my primary address is a Gmail account, I have my first initial and last name registered on a handful of other sites from way back in the day. It amazes me how many other A(insert rest of name)Rossetti’s will simply use that address on other services. I’ve gotten pet records, account statements, order confirmations from various retailers, you name it. You’d think people would be more careful. I’ve even had people send me money via online payment services. One time, I received a $100 Amazon Gift Card a couple years ago, and it was amazing how difficult it was to REFUSE the gift card and ensure the sender was notified.

  28. Edd Wilder-James

    Yes, I have this all the time, including dating sites… I have a 3-letter address at an OG provider, and a 3-letter Twitter. Takeover attempts on my accounts happen at least once daily.

  29. BT

    At university I got an “OG” email account based on my initials…which happened to be the same as a professor’s. So for years, even after graduation, I would get emails intended for the professor; from students or researchers at other universities.

    The most memorable email I got was from a student requesting an extension on an upcoming exam.

    For better or worse, I never replied to any of the emails; but I have felt guilty about not replying to the exam request.

    1. Jim

      I’m another person with a common first and last name, and while I intentionally chose something quite different when the Gmail invite appeared, at work I often get email for another common-first-name, common-last-name employee. If you type that name in Outlook my email address pops up first. My favorite misdirected mail is when the other guy emailed me photos from his phone, thinking he was emailing them to himself…

  30. Bernhard

    You don’t need an OG email for that. If you have an innocent .@domain.mail you get some messages intended for
    .@, or -@, etc. from people failing to remember the correct permutations.
