September 2, 2020

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.

About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.

Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.

What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.

But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.

I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.

If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.

It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.

For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.

On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and ask what motivated them to do so.

Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.

Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.

Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.

More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.

As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.

This entry was posted on Wednesday 2nd of September 2020 09:08 PM


265 thoughts on “The Joys of Owning an ‘OG’ Email Account”

  1. kemn

    I have an OG gmail account as well, which apparently is also a common name elsewhere in the world.

    I’ve gotten cruise reservation confirmations, countless flight reservation confirmations, porn site signups, of course, gmail recovery account confirmations, OTP’s for financial transactions, prayer chains, car maintenance reservation confirmations, etc. My spam folder is overflowing.

    For a long time, I used to delete gmail accounts that were setup with mine as a recovery account, as well as any linked accounts I could find, but once google included a “click here to unlink your account” I started doing that.

    Recently I’ve had a number of emails saying “your linked gmail account has been terminated due to conduct violations” which I’m hoping won’t end up being tagged to my account.

    I used to reply “Wrong Email” so much to the personal emails I got, but eventually I just got tired of them and delete them now.

    I’m surprised how many sites either don’t verify email addresses used to sign up with them, or ignore that verification was never done and just start sending account related emails.

    Not to mention how hard it is to get an email address removed from an account if you don’t have the full account information.

  2. JCitizen

    Wow! This article is a real eye opener for me, because I’ve never experienced it, and obviously from the huge comment response, it is fairly common!

    I signed up for my first web based email in 2001, so I could have become one of these people, but fortunately I used a long goofy address, and I’ve not had one experience like this. All my other junk accounts, that I’ve built up as a target for spammers, also have long descriptions, so I’ve not experienced them there either. Of course the longer you wait, the fewer short names are available, but I started early in the history, and could have easily scored an OG account; but I’m glad I’ve avoided it, frankly – I have enough security trouble since the breach at Equifax, to keep me busy for a long while.

  3. Josh Goldshlag

    I also get similar stuff on my gmail account. My theory is that many ISPs use gmail for their accounts, so foobar@comcast.com (or whatever) for some reason also think they have foobar@gmail.com. I was getting notifications from a hospital in NY about some dude that used my email for years, I finally got fed up and mentioned the magic word, “HIPAA” and the emails stopped.

    1. Catwhisperer

      At work we used G Suite Gmail. I made the mistake of using my personal Gmail one day for testing purposes. G Suite gleefully imported the email address into the full organizational contact list. Now co-employees, being careless, email me at my personal email rather than the organizational one. The only thing I could do to stop it, wetware being what it is, was to block my organizational email from my personal one. Sadly, though, I can’t make the free Gmail bounce like I can the organizational one…

  4. Eric

    I have first.last@gmail.com, and I have a very common name. This speaks to me. I’ve also gotten people’s tax returns, mortgage applications, etc. I’ve gotten threatened from an accounting firm when they inadvertently sent me sensitive documents. Recently someone paypal’d me $300 (I returned it).

    I send all emails to firstlast@gmail.com straight to the trash bin, as I don’t use that variation, and it at least doubles the amount of junk I receive.

    The most annoying thing is that just about every day I need to unsubscribe from at least one organization’s mailing list.

    I wish I had added my middle initial when I registered it.

    1. Dave

      Yes, this. I’ve been sent payroll info, health records, and financial docs by orgs that don’t take the trouble to verify the proper recipient’s address. Some have been apologetic when I respond (they should be apologizing to their client!), but others have been abusive and threatening. Nowadays I just delete most everything I receive of this kind and leave the incompetents to sort out their comms problems with their clients themselves.

    2. Stan

      I also snagged firstnamelastname@gmail.com, though thankfully, though my surname is very common, my name has fallen out of fashion for the last century or so. But I still get email for about four or five other individuals in the UK and other English-colonized places (US, Australia, New Zealand) with the same first and surnames. I also gave up on correcting senders for the most part.

    3. Danny Boy

      I’ve also had that happen. (Note also that gmail ignores dots in the name, thus “dannyboy@gmail.com” is the same as danny.boy@gmail.com.) Was getting mail for a gent in another country who has the same name, but his email name has a number after it, which mine doesn’t, and some senders were leaving the number out.

    4. Kent

      Apparently my name isn’t all that common as I was able to obtain a firstlast@gmail.com in 2010 that I have been using since and haven’t seen any of these types of email described in the article or comment section. And even the spam filtered emails are relatively few. Interesting how different it can be.

  5. Robert Scroggins

    Very enlightening! My email addresses are not short, so I have never had this problem either, but it’s interesting to know about the problems associated with a short one.

    Regards,

  6. Anthony Rodgers

    I got a mac.com account in 1998. Some years later, I was invited to the Pebble Beach ProAm.

    I didn’t go…

  7. rich

    I do recall the “invite” days. I was fortunate enough to get an email address of the format “firstname.lastname@gmail.com”. My name isn’t super common so I haven’t had any issues. But since it does contain my name I don’t use it for non-professional things and instead use a different email address for stuff I don’t trust.

    I’ve certainly received various phone voicemails that seem very important but clearly were not meant for me. I had a friend once get a voice mail from an attorney that seemed critical. Someone made a serious mistake there.

    I do have a mac.com email address (don’t really use it) and supposedly Apple are trying to get rid of them.

  8. Steve

    I’ve been fighting this very fight since the very early days of gmail.

    My first initial last name is apparently common as well (who knew).

    I’ve got a small index of folks’ “real” emails to forward the more important bits off to them when I get them, financial statements, bills, medical information, etc…

    In previous years, I’d spend the time to find someone’s phone number and call them, letting them know they were using the wrong email for very sensitive info.

    “Hi I’m Steve, I’m from the internet.”

    I think most just thought I was trying to scam them. I’ve largely given up.

    More recently, a gentleman with the same last name as mine, has started using my gmail account on his resume. We happen to work in similar circles, though I’m not sure how the job prospects look for a ‘security practitioner’ who hasn’t verified his own email address. (Yes I’ve sent him a note letting him know his error)

    What a mess.

  9. AngryUser

    I have my full name as well. I have canceled people’s memberships, plane flights, purchases, this one time I redirected a large furniture delivery to a Chinese restaurant. Get so tired of morons not being able to check an address, so I punish them all as hard as possible. One time I even got some mail for this guy who was going on for a radio interview, and canceled it on his behalf.

  10. Matt Fahrner

    Since I created the first Unix accounts for our organization some decades ago and thus my account was my first name, plus we used to use a really short/simple domain name related to our business (4 characters + .com), I too got all sorts of inexplicable garbage, including sign ups for things people clearly shouldn’t have been sending my way.

    I feel your pain.

  11. econobiker

    Got both of my children’s names on gmail accounts when gmail cranked up in 2005 and have only recently released the email accounts to the now 19 and 17 year old.

    #1 child 19 years old has a rare and unusual combination of names so no spam issues however the #2 child 17 years old has a fairly common name for the gender.

    The #2 child’s name is similar to a lower tier actor’s name so when I cleaned out the account of all the 2005 to 2019 emails I saw where over the years agents and people had sent scripts for review to the wrong email address. Also other people who worked some Broadway or summer theater with the actor had tried to email to the person also.

    This account also shares similarity to a nice persons’ email address in the UK for whom the account had received job interview notifications and barclay credit card billing information and various BandB and hotel reservations. Unfortunately no way to connect with the real other person other than calling him up via telephone which I am not going to do even with google voice. Barclay UK bank had absolutely no way to report the bad address via their email system other than to come into a branch in person -hahaha. Not going to happen from the USA hinterlands. I told #2 child to create a rule to dump the offending emails into spam folder and forget about them.

    However:
    One cool thing is that #2 child has already been complimented on his email address by an employer manager who recognized the rarity of someone having such a common name FirstMiLast with a gmail address. The 17 year old explained that “Dad got the address years ago!”

    Econo

  12. Joshua

    Just today I have been dealing with a wrong email from a bank, another from a health care institution and a missed delivery from an online shop.

    Someone used my email for Amazon without the dot. I finally changed his password and forced him to change the contact email.

    Maybe the most funny incident was when someone apparently wanted to get a relationship because he was turning 40 that year and it should be one of his new year resolutions. Between 28 Dec and 3 Jan he opened 4 or 5 accounts in several online dating services. What amazed me is that I could access all his account details simply clicking a link in the emails.

    Also I find incredible that banks that boast of their digital services do not care to check emails provided by customers before starting to send communications.

    I have been tempted to change my email address, but there are so many legitimate services linked to it that up to now I have given up.

    A real nuisance 🙁

  13. Jobani

    Very interesting article. After reading dozens of comments, I’m glad to learn that I’m not alone. I have a 6-letter Hotmail address I created in the 90s. Over the years, I’ve gotten signed up to several sites, and after doing a password reset, I delete the accounts. Nowadays, I receive my fair share of emails with apparently confidential files from institutions. However, I don’t open the attachments lest I download malware onto my devices. I just delete the entire email.

    Furthermore, my email account receives frequent unsuccessful login attempts from all over the world. Does anyone else have this problem? Are you worried? How serious an issue is this? I have passwordless login enabled. Is that enough to thwart these attacks?

    Mr. Krebs, I’d like to take this opportunity to thank you for the magnificent work that you do. Over the years I have gone from a casual reader to a loyal one. The reason is because your articles are not just informative but also educational–and this education is practical. Thanks again.

    1. econobiker

      Echoing your feelings that Mr. Krebs is a top notch person for the industry he is in and for the rest of us using these infernal calculating machines and electronic communications…

  14. j

    Somewhat similar to this is the problem that while Gmail does not include periods in its username reservation system (e.g., sending an email to username@gmail.com and to u.ser.na.me@gmail.com would both go to the same account), many websites do not perform the same validation. I therefore have multiple people who have signed up for accounts on websites where I already have an account using my email address.

  15. Bh

    Actually, my email address is not short but it includes my name which is very common all over the world, and from time to time I receive vouchers for trips, hotels, from a travel agency. Did not know that still existed for individuals.
    Got also invitations for some other events, most of them for people in the US while I am in Europe.
    I don’t understand why sites do not check the email addresses for new accounts.

    1. Chris C

      Most sites _do_ if it’s for an account with actual capabilities, like buying stuff, or posting comments.

      But… if it’s just a list to market to, getting confirmation emails just reduces their potential audience, so they fall back on an “opt-out” model. The number of times I’ve hit the “i never subscribed to this list” at various unsubscribe pages is uncountable.
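The two problems raised in the comments above (sites that treat dotted Gmail variants as different addresses, and sites that send account mail to addresses nobody confirmed), sketched from the site's side as an added example that is not part of the original post or any commenter's code. `mailbox_key`, `SignupRegistry` and the token lifetime are hypothetical names and values; the sketch assumes only gmail.com and googlemail.com ignore dots and plus tags, and that local parts are case-insensitive in practice.

```python
import secrets
import time

# Assumption: dots and +tags are ignored only on these consumer domains;
# custom (Workspace) domains are left untouched.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def mailbox_key(address: str) -> str:
    """Return a key that is identical for addresses landing in one mailbox."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
    return f"{local}@{domain}"


class SignupRegistry:
    """Accounts are unique per mailbox and unusable until the owner confirms."""

    def __init__(self, ttl: int = 3600):
        self.ttl = ttl            # seconds a confirmation token stays valid
        self._accounts = {}       # mailbox_key -> account record

    def register(self, address: str, now: float = None) -> str:
        now = time.time() if now is None else now
        key = mailbox_key(address)
        existing = self._accounts.get(key)
        if existing and existing["verified"]:
            # u.ser.name@gmail.com collides with username@gmail.com here.
            raise ValueError("an account already exists for this mailbox")
        # An unconfirmed signup is replaced, so a typo cannot squat a mailbox.
        token = secrets.token_urlsafe(32)
        self._accounts[key] = {
            "address": address.strip(),  # kept as entered, for delivery
            "verified": False,
            "token": token,
            "expires": now + self.ttl,
        }
        return token  # mailed to the address; the only message sent so far

    def confirm(self, address: str, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        acct = self._accounts.get(mailbox_key(address))
        if acct is None or acct["verified"] or now > acct["expires"]:
            return False
        if not secrets.compare_digest(acct["token"], token):
            return False
        acct["verified"] = True
        acct["token"] = None      # single use
        return True

    def may_send_account_mail(self, address: str) -> bool:
        """Statements, receipts and resets go out only after confirmation."""
        acct = self._accounts.get(mailbox_key(address))
        return bool(acct and acct["verified"])


if __name__ == "__main__":
    reg = SignupRegistry()
    tok = reg.register("username@gmail.com")          # constructed address
    print(reg.may_send_account_mail("username@gmail.com"))   # unconfirmed
    print(reg.confirm("username@gmail.com", tok))
    print(reg.may_send_account_mail("u.ser.na.me@gmail.com"))
```
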

  16. Chris C

    In addition to more traditional forms, and an internet nickname, I have my surname as a gmail account.

    Apparently, surname[0] as a first initial, and surname[1:] as a surname is relatively common, so I’ve been signed up for quite a few things. In my mischievous years I’d password reset those accounts (all of them e-shopping) to get in and change the primary email address to something at mailinator… just to stop the incessant useless email coming in.

    Nowadays, I’m less mean about it, and I just forward the email to the security department at the website. It’s been 100% effective so far. So far……

  17. Totty

    A friend of mine got in early with ‘firstname.lastname@gmail.com’ for what is a common name and has a list of regulars who either use the wrong addresses or have people mistype it. One was silly enough to use FirstnameMiLastname@gmail.com so it’s easy to miss that middle initial.

    He doesn’t do anything with it, having tried initially to correct the people.

    And I heard from another friend that early on Gmail considered ‘a.b@gmail.com’ and ‘ab@gmail.com’ distinct emails (they don’t any more) and they know someone who’s embroiled in a fight over
    ‘firstname.lastname@gmail.com’ vs ‘firstnamelastname@gmail.com’

  18. headedoutsideco

    I have +@gmail.com and am constantly surprised at what I receive. I sympathize with all the stories.
    I think one of the reasons I receive msgs intended for 3rd parties was down to email address syntax differences between Gmail standard and Gsuite business.
    Gmail standard ignores periods and capitalization, but I perceive the Gsuite is different? Then a user from office Gsuite has bad memory or brain fart when putting down the @gmail.com address on personal forms.
    I’m especially concerned when I receive medical follow-up msgs from counselors and/or therapists. If the sender seems legit, I do respond with a simple “did not reach intended recipient”. I’m sure I’m opening myself to some hacker/phisher-foo by doing this…

  19. DavidM

    I have a first initial.lastname@gmail.com and what I also get is email directed at folks that are off by a letter or a period. It’s weird but any nuances off of my email get sent to me as well.

  20. No Name

    I have several “OG” email accounts including a 2-letter OG Hotmail address from back before Microsoft bought Hotmail in the 90’s and have used it as one of my main email addresses for many years.

    One thing I’ve had to deal with is the insane number of people trying to hack/phish/steal my email account. I even lost access to my account about 10 years ago (foolishly used a weak password for an account that is brute forced every day) and quite miraculously was able to recover it. Since then I’ve activated every 2FA option and use a very complex password. When I look at my account sign-in log it shows dozens of attempts to log into my account every day, from all corners of the globe.

    Brian: Have you checked your OG email on haveibeenpwned? My OG email address is littered all over the site. Evidently every major breach has a phony account with my OG email address!

  21. KeithB

    Not exactly the same problem, but I keep getting texts from postmates and some others about getting stuff for “kylie”.

    I am not sure what to do, since it can be impossible to communicate with these people without an account. I doubt that texting them back will do any good.

  22. BigGreg

    I have 5 or 6 users worldwide who have similar names, my most recent invitation was to a golf resort in the US and had to let them know that due to Covid-19 I was unable to make it over there from Australia.

  23. ab

    It’s a nightmare that caused me to pretty much abandon my lastname.firstname gmail account. I log in about twice a year to mass delete stuff. I don’t know why I bother. Person with my name volunteering with amputees, people in the UK/Aust. whose physical addresses I have because they ordered stuff from tons of shops, credit scores, hotel reservations and rewards, facebook confirming my visit to their campus (I have no facebook account), lawyers in Canada emailing me documents. I hate it.

  24. TRX

    I had an early, though not OG Gmail account, and two I created for work-related purposes. However, some time ago Google locked me out until I “enable two-factor authentication.” Which appears to mean they want a cellular phone number they can send a text to.

    I don’t have one.

    I suppose I could ask a friend if I could have Google use their number, but Google probably wants that number for marketing, and I’d be signing them up for even more spam.

    So, my notes say I last tried to log in on 11/02/2020. Let me try again… nope, it doesn’t like Konqueror and wants me to use a different browser. Nope, with Pale Moon it says “Google couldn’t verify this account belongs to you. Try again later or use Account Recovery for help”

    I guess they’re still lost accounts…

    1. Jakub Narębski

      Nowadays there are 2FA options for Gmail that do not involve phone number or smartphone. You can use 2FA dongle (via USB or NFC), a physical key; and as opposed to key fobs of yesteryear, universal.

  25. Matt

    I have firstname.lastname@gmail.com and get the same things as the rest of you.

    For a while, for the new account activation emails, I would do an account password reset, log in and, if possible, unlink my email account. Worst case scenario the stupid person tries to do a password reset via email and then eventually realizes they messed up.

    Unfortunately I stopped when I accidentally activated an Apple account. For years I was unable to delete the account or change the email because I didn’t know the security questions. Password reset worked via email, but not changing the email itself! This actually held my email hostage and Apple refused to do anything because they claim it was my fault for “forgetting” the answers to the security questions. After leaving it dormant for 90 days, I was able to guess the answer to one of the questions “ideal/dream job” – I guessed “President” and I was finally in. Not sure that is a dream job?

  26. Jim S

    I have a short gmail account. I received some emails from the showtime series Weeds a while back. That was interesting. Lately, I was signed up for an Online Algebra I class at a high school in Las Vegas. I got my math and computer science degree in the late 80’s.

  27. Maria

    I am a Johnson by marriage. We had access to gmail very early on, and I can’t tell you how much email I’ve gotten for all the other Maria Johnsons who thought it would be fine to use my address. Soccer schedules, reminders to get their cars serviced, mostly “mom” stuff. In the beginning I emailed people back and asked them to please remove me from their mailing list, since I was not the Maria Johnson they knew. I requested that they ask the “other” Maria Johnson to stop using my email address because I didn’t want to know the personal details of their lives. Sometimes it worked, sometimes it didn’t. I still every once in a great while get something from one of these fine folks, but I just delete them now. I no longer try to use that gmail account.

    Part of the problem, I think, was that people thought they could make the address unique to themselves by adding punctuation, but it’s my understanding that Google followed the rules, and in the rules, punctuation (such as maria(dot)johnson versus mariajohnson) were the same in the eyes of the gmail gods. It was a good lesson to me – I mostly stick with domains now that no one else owns.

    For what it’s worth … I feel like it was a small price to pay to have some small semblance of anonymity on the internet. Johnson, according to the Google, is second only to Smith for usage as a last name in the US. Plus there’s all the fun jokes that Johnson can be used for …

  28. Johann

    I suspect the problem is not only user error, but also poorly written software that does not properly parse or validate RFC 5322 email addresses.

    I’m the owner of a “mylastname@gmail.com” address, and I receive many misdirected emails for “firstname.mylastname@gmail.com”-type accounts that the user had obviously entered correctly at some point, but then got truncated at the period by various websites, online databases, mailing list managers and whatnot.

    (Of course, I also get the usual amount of sheer stupidity in my inbox!)

  29. Jakub Narębski

    I also got my Gmail address early via invite, but I use initial + shortened surname as my email address, so I don’t get OG type of email…

    …but I was wondering for some time why I am getting subscribed to newsletters I do not remember subscribing to. I thought it was my mistake due to some dark UI patterns, or a harvested email, but I have not thought before this blog post that somebody could have mistakenly entered my email address.

  30. Andy

    I have an InitialsSurname gmail account – not an OG one – and I get plenty of wrong email. My favourites:

    – A quote for getting a pool built. This would be ambitious for the second floor flat I lived in at the time. The company confirmed, though, this was the address the customer had given them.

    – A long series of emails intended for an Australian orthopedic surgeon. I got tired of replying “Wrong Address” so… many… times, so when they next asked me for my advice on whether to amputate a leg or not I replied “Well, as a web developer, I’m not sure I’m qualified to comment, but I think I’d try to avoid amputation”. I like to think that there’s a lady out there who still has her leg because of me.

    Sidenote – I’m astonished that medical data like this is being emailed to a Gmail account.

    – One evening, receiving a series of emailed pictures from someone who was apparently at a fashion show – for swimsuits. That wasn’t bad.

    All of which says to me that people are rubbish at using email.

    It does baffle me that some people just don’t know their email address – or that when they’re told “I am not your intended recipient” they continue to email you…

Comments are closed.