When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.
About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.
Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.
What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.
But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.
I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.
If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.
It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.
For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.
On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and asking what motivated them to do so.
Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.
Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.
Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.
More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).
Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.
As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.
Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.
My OG Gmail account from the invite required days is simply my first and last name @gmail.com. No numbers, etc. I get legitimate emails all the time. Closing paperwork for home sales, invoices for a trucking company, relatives emailing me, then followups when I don’t reply. The most entertaining was when I ended up in a family email chain planning their reunion. They were a very outspoken and interesting group. 🙂
I am in the same situation, and had the same thing happen to me. When I informed my correspondent that I was not a member of her family, she invited me to join the outing anyway. Had it been closer I would have shown up.
Same for me. First and last name at gmail. I get notices about leases, doctors appointments, car services, etc. I’ve also been getting information on family vacations from the same people for a decade. You would think they’d have figured out by now, but they just keep coming in.
I am a security and privacy researcher at Michigan State University, and I’ve been doing some work studying this problem for a few years. Our data show that what we’re calling “misdirected email” does happen more often for people with “OG” addresses, particularly on Gmail. Sometimes these misdirected emails are caused by senders accidentally leaving off the numbers at the end of a first.name1234@gmail.com address; other times it seems to be because people don’t understand how Gmail handles periods in email addresses (firstname.lastname@gmail is the same thing as firstnamelastname@gmail).
But, the underlying problem seems to be related to three things: 1) people want to have an email address with their name in it but there are only so many names out there, so name collisions and subsequent mistakes are inevitable given the fact that anyone can send an email to anybody; 2) people are often asked to provide an email address in situations where it feels socially awkward not to comply or in order to access content or services, but they don’t actually want to receive email from that person or business so they make something up that *resembles* their real email address but is actually someone else’s real address; and 3) too many online services use email addresses as an authentication factor but don’t send an email to confirm that the person entering the email address to create the account actually owns the email address.
See my recent academic papers about misdirected email, and the difficulties of email unsubscribing, if you want to read more: https://doi.org/10.1145/3290605.3300520 and https://doi.org/10.1145/3313831.3376165
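As an added illustration of the third point in the comment above (not code from the commenter, the article, or any service named on this page): a minimal signup flow that treats an address as unconfirmed until its owner follows a signed, expiring link, and that folds Gmail's period variants into one address. The class and function names, the token format and the 24-hour lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # server-side signing key (generated per run here)
TOKEN_TTL = 24 * 3600                 # confirmation link lifetime in seconds (assumed policy)


def canonical_address(addr: str) -> str:
    """Lower-case the address and, for gmail.com, drop periods in the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def _sign(account_id: str, email: str, expires: int) -> str:
    msg = f"{account_id}|{email}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


class AccountStore:
    """Hypothetical account store; account ids must not contain '.'."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email": str, "verified": bool}

    def register(self, account_id, email, now=None):
        """Create the account unverified; return the token to mail to `email`."""
        now = int(time.time()) if now is None else now
        email = canonical_address(email)
        # Only a *confirmed* owner blocks reuse, so a stranger's typo cannot
        # lock the real owner out of the address.
        if any(a["verified"] and a["email"] == email for a in self.accounts.values()):
            raise ValueError("address already confirmed by another account")
        self.accounts[account_id] = {"email": email, "verified": False}
        expires = now + TOKEN_TTL
        return f"{account_id}.{expires}.{_sign(account_id, email, expires)}"

    def confirm(self, token, now=None):
        """Mark the account verified if the token is authentic and unexpired."""
        now = int(time.time()) if now is None else now
        try:
            account_id, expires_s, sig = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False
        acct = self.accounts.get(account_id)
        if acct is None or now > expires:
            return False
        expected = _sign(account_id, acct["email"], expires)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        acct["verified"] = True
        return True

    def may_send_sensitive_mail(self, account_id):
        """Statements, resets and recovery mail go only to confirmed addresses."""
        acct = self.accounts.get(account_id)
        return bool(acct and acct["verified"])
```

With this gate in place, a signup that uses someone else's address produces one confirmation message and nothing more, because the person who typed it never sees the token.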
That’s interesting, I’ve never thought about #2. Thanks for sharing your research.
I don’t know if mine qualifies as OG, but my invitation only Gmail is a six letter euphemism for addressing a guy.
Since the address is informal, I never got the kind of financial information mentioned above, but at one time I had something like eight World of Warcraft accounts, some really advanced. Too bad I never played.
I do get an interesting stream of accounts at sites I have never heard of and marketing emails from as far as India and Australia. I live on the East Coast.
When my email gets used as a backup, most email providers now have a means of me opting out. And I keep the recurring email to a minimum.
My OG gmail address has been used by various people over the years for TurboTax; credit cards; utilities; various dating and porn sites; neighborhood watch lists in Australia (narrator: he doesn’t live in Australia), and so on.
When I get an actual “confirm this address” I always make sure to decline it to try to cut down on the spam (and maybe, hopefully, teach the user a gentle lesson), but too many times that’s not an option.
I have a gmail address from the old “invite only” days and I’m constantly getting other people’s email. I think it’s gotta be that those people just forgot to add the numbers on at the end…
Like many other commenters, my “OG” Gmail is simply firstnamelastname, but I get plenty of messages not intended for me. The best ones, I suppose, were the many messages from someone’s PhD dissertation committee. After a couple weeks of ignoring them, I sent a polite message back informing them that maybe they should consider weighing the fact that their doctorate candidate didn’t know his own email address. The emails stopped shortly thereafter.
With my OG account, I have a number of people across the country who sign up for stuff using my email address by mistake. Verizon accounts (Kayla, I hope you enjoy your new iPhone 11!), Costco credit card accounts (Anthony, you missed your most recent payment), Evites to what look like fun parties but unfortunately thousands of miles away, gynecologist appts, job applications, and the list goes on. What surprises me is the number of companies which somehow allow multiple accounts with the same email! Really, Verizon, how can two people share the same email address for different accounts?
Oh my gosh, yes. I thought I was alone in this, with my OG address (I had been so proud that I had an invitation!) full of messages for other people.
What really floors me is the number of companies who will begin communication over email without verifying the recipient’s address. Banking, travel, commerce, you name it.
Also, the amount of medical information being sent in plain email attachments is shocking.
OMG THIS IS MY LIFE! I worked for Google in 2004, have an OG gmail account – but only for South African users. So far over 2800 have added my email as their backup email account, use it for taxes, job applications, university applications, credit cards, porn, every possible thing.
How stupid are people, really? Some keep trying to reset my password, never figuring out why they never get email using my email address.
Google support is worthless too – in 16 years they do absolutely nothing. Every time some new idiot attaches it to their Facebook account, Facebook spams me with password resets – despite me having asked MANY times for them to block anyone from using that one email address.
Then again – Facebook is the worst run, sleaziest advertising and propaganda platform ever. so….
I have a very common first and last name, but was in early enough to get first.m.last@gmail.com. I get other people’s emails all the time including credit card info. It sucks when I get some credit card registered with my email because I have to call the CC agency and ensure that someone isn’t using my real info like SSN etc. But every time it’s for a totally diff person with my first and last name who apparently mistyped their email address.
I have a one short word email address at a popular internet destination’s mail site. I don’t use it for anything because the retail spam is overflowing, but every once in a while I will check into it just to see. Like you, multiple people use that address for their phone service, to buy all sorts of items, and to receive messages from their favorite candidates and causes. Around 2007 I received an interesting series of messages from an overseas person apparently referring to phone or real-life conversations about a visit to their country to procure research chemicals. I read them with bemusement and didn’t want to get involved with that.
Yep. I’m in a similar boat.
The one that annoys me the most is paypal. They do a handshake to verify an email, but they lock that email to a paypal address the moment you sign up for it. So now someone may have your john.smith@gmail account assigned to their account. They can’t really use it… but neither can you. And even if you call and talk to their “experts”, they cannot (or will not) remove the address. It is there for life.
That’s OG? I bought my own domain and have it hosted. Hell, I should just set up a mail server locally and host it myself. That would be O-OG.
I first bought a domain in 1999 and my main email address is pete@[my domain].com.
Being the only user at that domain (though I do have a handful of aliases that point to that account) means I rarely get messages from other folks who share my name since they would have to know about the existence of my domain name (unlikely) and mistake their address with my own (even more unlikely).
I do, however, get messages for a few seemingly-real humans doing real-person stuff (like scheduling an appointment at an Apple Store to repair one of their devices). Strangely, they’re all people with typically-female names wholly different from my own (male) name. Very odd.
Yeah, I had a gmail account named after an important character in Tolkien’s Middle Earth lore. Some guy in Turkey registered over a hundred domains with a Turkish registrar using that as the contact email. Before long I started getting all kinds of cease and desist orders for using copyrighted images. I went round and round with several folks before convincing them that it was just some guy who was improperly using my address. Dozens of mails to the registrar went unanswered. I eventually sent off a few mails to make sure I was in the clear, and then closed the account. Not worth the hassle.
I have that same problem (Tolkien character) on a different system. Had someone use it when they signed up for a gym membership — took a dozen emails with the gym manager to finally get it changed. Most recently, I started getting emails from a “dating” service in another country. Figuring out how to close that account was interesting, finally did it though.
So I’m not alone, and it’s still a mystery what makes people do these things. I have an “initial and last name” gmail account that I grabbed because “late to the game” I couldn’t just get “first_name@gmail.com”. Boohoo, poor me.
But that account gets absolutely hammered with spam and these OG emails (at least now there’s a word for it). Once or twice I’ve shut them up by contacting the institution and telling them the email is not valid, once even filed a ticket with a financial outfit (the emails stopped).
As it happens, this was the subject of my talk at the Hackers On Planet Earth conference this summer, as I’ve also got an OG Gmail account: https://livestream.com/internetsociety3/hope2020/videos/209132515
The thing is that almost all these emails don’t follow even my initials, completely random people with random names who use my OG gmail address. No idea where they get it from; my last name is not common.
Another OG here, your article is my day to day life and I try to help as well, I get threats and takeover attempts, etc .. Most of the time I just ignore the emails now unless life or limb are involved… And yeah, those things happen too.
For several years I had MailerDaemon at comcast until comcast realized it was a bad idea.
About once a month I would get people replying to bounced emails asking me why I wouldn’t deliver their email (mostly from aol subscribers). Almost always it would include the entire text of the bounced email. So yeah. Good times.
TL;DR: Don’t reply to undeliverable email notifications, they are forged by the original sending mail server, not the server that would be receiving the original email.
I have received attachments for legal cases in Excel format (with very sensitive info). When I called out the legal assistant she tried to scare me with legalese and threats. I have had all examples mentioned in this article as well. Netflix, Credit Card Statements, new service accounts with ISPs, Wireless services, financial services.. Etc… It blows my mind how dumb people are.
Hey Brian long time no talk to! I’m unlisted@ so I get a billion of those emails. How funny you wrote an article about it. Everyone uses mine as their throw away.
I have a very short Gmail, first initial last name, so I get tons and tons of emails for other people. The worst is when I get airline reservations or appointments, and gmail automatically adds them to my calendar. I get the notice I need to be leaving for the airport and what not. Ones I feel bad about are families trying to message people, or trying to get in contact with family members and the email is the only thing they have.
Best ones are where someone is trying to contact someone for publishing papers, or consulting services, or someone who is pissed that something at their office wasn’t completed and they email someone to finish it, but they have the wrong email.
The very best is when someone’s ex emails getting all mad and pissed off accusing of cheating and then gets mad when they don’t respond, or they get pissed cause they will respond to a text message but not emails.
Info with humor! I really enjoyed this article. Thanks for all the great tips. I get notifications all the time telling me to change my password because it was breached. I will definitely follow up on the links.
My Gmail isn’t an OG but it’s simple enough that I suffer from the same type of problems. Gotten worse this last year.
I have an OG Gmail account from the beta days. It’s a 6 letter address consisting of my first initial and last name, which is Hispanic. So I get other people’s email from all over South & Central & North America, except Canada! The amount of W2s, reunion invitations, school assignments, bills, receipts, family photos, legal documents, and personal documents I receive is incredible. Not to mention all the account updates for accounts I never created.
What really annoys me is when I want to create an account for a service only to find that my email address has already been used to create an account! So by necessity I need to reset the account and delete all of the other person’s info, including credit card info to reclaim my account. If not, I’d essentially be locked out of a lot of services. It’s a good thing I’m honest. It’s ridiculous how careless people are!! It’s also stupid how many companies are idiots and don’t verify email addresses.
OG Gmail user here with again, just my firstnamelastname@gmail.com and I too am forever getting email meant for other people. Car rental agreements, lease agreements, applications, you name it. I don’t understand how these people don’t know their email address, but I guess it’s comforting knowing I’m not the only one going through this on a daily basis.
First/last name gmail here. Some of the same experiences as others getting accounts for recovery, dating, shopping, banking, retirement, credit, healthcare, real estate, reunions, etc. Nice to see I’m not alone.
Anyone else ever received military orders or intel via their OG?
How about when a celebrity with the same name accidentally uses your account to share their calendar/task/files/etc?
You forgot the best part… Free pizza… Thank you to all the randos that get me pizza points. The tickets to The Cure were a bonus as well.
I am embarrassed to say that I am part of the problem. When I created my gmail I wanted it to be the same as my other email which is the name of my favorite booze. But that was apparently already taken so I just added my area code to the end. And have probably 20 or more different accounts using the gmail account forgetting to add the area code. So sorry capt.morgan at gmail whoever you are.
Oh my. We need a support group. I thought I was so alone. I don’t get nearly enough spam or OG confusion to necessitate closing my account. I’ve had it as my main email since gmail started! However, the things I get signed up for are so flabbergasting! The bank accounts! Why? Why do you think I won’t steal your money? I used to call the companies involved and chew them out for not confirming emails, but it was too taxing. Funny fact, I never use my Gmail to sign up for anything, ever. I always use my old university account, which forwards to my Gmail. So, tricks on them. Anyone who actually emails me there directly is spam. Hello filters!!
But really. A support group would be nice.
AOL email here. I was part of AOL before it became AOL. Once AOL started, they made it easy to have additional email addresses. The rage back then was to have a barcode email address — lllIIIllllIIII or a binary one OOO1O1O11OO1 etc. At first, it was funny how many of us received each other’s emails. Then after a decade, it got very old very fast.
My original pre-AOL moniker transferred when the domain name changed. Two decades later, when I first created a Gmail account, that other guy out there with my same initials and last name already had it. Grrr… He used to forward the errant emails to me, but I finally convinced everyone that using the AOL address worked best for me.
These days I want an app that when I delete spam, I move it to a shredder folder, and the app either blocks that domain or that email address. It is pretty bad when Viagra, penis enlarged, boob enhancement supplements, [kitty kat] warming cream or gel, etc., are all in a row in the 300+ spams I delete each day. The only email address that I have that never gets spam is the one I created just to test if the other emails are working.