When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.
About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.
Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.
What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.
But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.
I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.
If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.
It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.
For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.
On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and ask what motivated them to do so.
Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.
Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.
Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.
More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).
Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit 2fa.directory and see whether you can harden your various accounts.
As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.
Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.
I’m a server admin. After helping a friend derail a sim hijacking
in progress that led to his gmail and then his bank accounts being infiltrated, I would never enabled SMS 2FA for any service, ever. Do you want phone company service reps to be the weakest link in your security?
I despise how Gmail offers constantly to sign people up for SMS based 2FA. It’s an incredibly flawed method.
…especially since many phone companies use prisoners as employees.
Right, I believe SMS 2FA is bad too. What about authy? I like authy.
I received, what I think was $1500 amazon gift card once?
I tried to return it but I could not get Amazon nor the sender to respond. Happy Hanukkah to me? Well, thanks Uncle Pat!
I had similar. I got a $250 Amazon gift card at my OG account that was for someone’s birthday from “Mum and Dad.” Definitely wasn’t my birthday. There was no way to contact Mum and Dad, and when I reached out to Amazon, the support rep wanted me to send the gift card number…because I’m sure he needed the gift card number to return it and not the order number I already provided. I never responded to him.
I have an OG domain name. About a decade after I got it, a regional trucking company acquired a domain name that sounded like mine but was spelled differently. I tried to be nice about always helping people get their mail to the correct address, but I never got any relief until the company finally went out of business.
Most of the time, though, people deliberately use my address. It isn’t a mistake. I once got nagging e-mails about somebody’s DMV appointment. I canceled his appointment and never received e-mail on his behalf again.
Every few weeks, I get offers from domain name brokers for ridiculously small amounts of money. Not that I would be interested in selling anyway.
Yup, same here. Been getting emails for years on behalf of people in the UK, Australia and a CPA in Utah who still gives out the wrong email address (and why is a gmail account his main point of contact when a domain name of his own would make more sense?). Cancelled some orders along the way, changed some passwords. I use to get statements from a public utility (along with order confirmations for boner pills…yuck) on someone’s behalf in north Wales…took two tries to resolve that.
Yeah, I signed up for gmail during the invite-only phase and was pretty proud of my short address.
I’ve had lots of emails meant for other people, including stuff regarding mortgage, Discover card, child care in the UK, and a livestock movement registration system in New Zealand.
Generally I have tried to contact the appropriate person to let them know, but it can be tiring.
Yep, I have an OG account too. I get all sorts of things but unfortunately, nothing that’s been good for me. Multi people use my email for everything they don’t want to actually give an address for. One time someone signed up for a GrubHub account under my email and after the 3rd or 4th time, I finally canceled their order. I didn’t even know this was a thing!
it doesn’t help that gmail doesn’t respect periods in the address. I get emails all the time for Farnhams that don’t know about this flaw. Why would gmail let them register email addresses that it then treats as mine?
I have an OG account, two of them actually. I get lots of links to other accounts because, I believe, google lets people add numbers to any account name if it already exists.
So if I have smith@gmail.com and someone else tries to get that account name, google then tells people it is taken but *suggests* they use smith1835@gmail.com
That’s the problem. People then don’t add the numbers when signing up for accounts and other things and I get all of their account information.
So this is partly an issue with dumb people and partly bad suggestions from google.
I own a domain name that I’ve had for decades. It’s short and is used by people all the time when they think they’re using a fake address (the domain implies something to that effect). Since I have a catch all email address set up for the domain, I get all kinds confirmations.
Over the years I think the furthest I’ve had to go with anyone is taking over their literally brand new Facebook account and shutting it down. Actually, I believe I’ve done the same for a few dating profiles, I’d completely forgotten about those!
the number of people who have my name and use my email surprise me. One Neal White’s wife signed him up for service notifications at their local Mercedes Benz dealership. I contacted him and he said his email is something like golflover(randomnumber)@gmail so he was really confused why she used my address
I have tons of Pandora accounts, PayPal accounts, ebay accounts, Instagram accounts. I love the various Uber accounts I have been given. Those come with lots of fun and I’m sure confusing driving instructions and feedback.
A couple of years ago some guy (who had also used my email to sign up for a bunch of different accounts for various things) started applying for jobs with companies that require an email and make you create an account so you can apply for a position and upload your resume.
After the 3rd or 4th one, I logged in to see just what this guy was doing. His resume needed work, and he clearly didn’t know how to market himself.
The funny thing was, he had HIS CORRECT email address on his resume… so I emailed him to let him know that he should stop signing up for things with my email address. I also (since I’m a hiring manager where I work) gave him some pointers on how he could improve his chances by making some changes to his resume.
He sent me a photo of himself, flipping me off.
Some people just can’t take advice.
“He sent me a photo of himself, flipping me off.”
Zero emotional intelligence.
(The “other” intelligence of his could be zero, too).
Oh yeah, I almost forgot.
Once I got an Instagram account that was created by someone who was clearly stalking some teenage girl.
I took it over and deleted all the pretty creepy photos of her and replaced them with pictures of cats.
After that I got about 2 dozen password reset confirmations which I ignored.
I have an aol email with my first name. Had it for 25 years or so. It’s incredible number of misdirected emails I receive. I’ve info on all kinds of people as well as countless logins to websites and services, should I desire to utilize them.
I’d set up a secondary account to my OG, in case I lost my password database. No problems there, but I started getting regular hacking warnings, and they traced them to Russia, yikes! Guessing s/he was hoping to sell it.
I kept testing how many characters were allowed, can’t remember if it was 50 or 100, but my SO was laughing at my paranoia, until I told him it was ALL alt-characters too. Then he started at me like I just grew another head, and guessed I’d lock myself out of my own account before long.
Wrong! It scared me enough to do my homework better. I still have that account over a decade later, and my warning notices dried up quickly.
I have one of those original request only addresses. Not a short address, but my real name. first.m.last@gmail.com format.
Interestingly I remember specifically adding the periods because firstmlast@ was already taken. At some point, the periods became moot, but I still have my account, and I get emails for firstmlast now too. I could be wrong, but I remember it very clearly.
My first last name is quite common (not John Smith, but still a lot). I get all kinds of random emails. The ones that surprised me the most are the ones that come from people that send to themselves, and don’t know their own emails. So dumb. One guy even sent all kinds of documents for his divorce proceedings to himself from his work account. Tax documents included.
I’ve also gotten invites to family events like birthday parties. Or even emails from my dopplenamers’ work colleagues. If they seem like real people, I usually respond with a simple “I’m not the First Last you are looking for”. Or if I’m feeling extra sassy, “That sounds like a great party, but I don’t know you 🙂 Wrong email.” etc
I’m in a very similar situation. I got loads of – sometimes personal – emails for someone with no dots in the gmail address I apparently own (which I registered with dots many years ago).
For ages I was paranoid that someone else had access to my gmail account as the emails kepy coming. Eventually managed to contact one of the people trying to use the address (via people trying to contact them!) After I sent them this support article –
https://support.google.com/mail/answer/7436150?hl=en-GB
they accepted the fact they’d been giving out the wrong email address and set up a new one.
People do make mistakes…. if you think you’ve registered an email address with google, double and triple check it’s working before you start using it!
I kept getting infrequent personal emails from a guy over a number of years. The first year or two I would respond politely saying he has the wrong email address. After I sent multiple notifications and would still receive mail from him I marked him as spam and figured it was a scam.
Turns out it wasn’t. Out of the blue, the Sacramento Sheriff’s Department contacts me for a recommendation for this guy that has spammed my inbox for years. Haha! I couldn’t believe it. I called them to make sure it was a real application and then proceeded to write down how this guy is the most unreliable, detail-lacking nincompoop there is.
It was a relief to read this article, actually. I was getting worried I’d done something stupid and exposed my email address and that’s why people kept using it.
I got one of those OG gmail addresses right at the end of college (I’m that old) and used initials with my complete last name–a surname common overseas but not in the US. Even with a less-than-common name, I’ve gotten flooring estimates for gigantic homes I don’t own in states I don’t live in, detailed reports on car problems for cars I don’t have, ADT security briefings (ADT! I’ve contacted you SO MANY TIMES about this!)–that’s super ironic to me, library fine notifications from overseas for books in languages I can’t read, signups for online games I would suck at playing, everything. I even met a nice pianist and music major (at a university I’d never heard of before this) due to a string of urgent last-minute piano-accompanist requests sent to my inbox. We had a good laugh about it, as her name is even less common than mine, despite the same surname.
Oh, and on top of this, for some reason, everyone thinks I’m a dude and address the emails as such.
ADT lol. The TSA of home security.
https://www.dallasnews.com/business/technology/2020/07/24/legal-battles-loom-as-more-adt-security-customers-who-were-spied-on-seek-damages/
I want to preface this by saying I have no computer skills or education I don’t know what I’m doing and that everything I describe here that I have done if I could do it any child could do it .
Way back during a time when I was less ethical then I currently am I made use of a file sharing program to acquire music and other files from “friends”.
When you installed the program it gave you an option to identify which folder full of files you want to share with your friends, and it was not that difficult to mistakenly share your entire computer’s contents instead of that one single folder.
When you were using the software and found a song/file you liked, you could search the folder that the person shared for any others of this type they might have that you could also borrow.
I quickly discovered that I could acquire people’s job resumes, love letters and other personal information. As an experiment I would search for files with the words “passwords” and “banking”. On one occasion, I used the information I had downloaded from one of these Word documents and was successfully able to enter the bank account of another person. Of course I immediately backed out and deleted everything but from then on whenever I was able to locate this kind of information on someone’s computer I would send them a message telling them they needed to change their settings to identify only their music folder as the one they wish to share with the world, and I included step-by-step instructions on how to do so. With only one exception everyone I contacted accused me of phishing or hacking or something like that, got angry with me and ended contact.
I have an email address from the mid-90s that’s firstnamelastname@hotmail.com. It’s a very common name, the female equivalent of johnsmith. I get all kinds of stuff.
But to me the disturbing part is going to a website I’ve been to before, like Marvel.com or Lowes.com, and finding out that my email address is already in use there as an established account. So far I’ve never run across it in a way that seriously inconvenienced me. But, well, it worries me.
As you can see i have an OG from gmail back in the invite days. A lady (Cynthia) has been using my email for a couple of years. Signed up for all kinds of e-shopping sites etc. I’ve even gotten job offers for her. I tried contacting people like that and asking them to contact her. Still getting them. I just unsubscribe to whatever she has used it for and sometimes that works. Otherwise I delete the emails now.
I have a 6-digit @gmail.com address. How much is it worth and how do I cash in?
omg. I have an OG .mac account and this is my experience too. Tons of spam, mailing lists and also personal information. I’ve been invited to shared family photos and events. Because my short email address is a name, there are people with that name who (presumably) are not tech savvy and genuinely think this is their email address. It used to drive me insane.
Yup. OG account here.
I’ve been signed up for anime message boards, random shopping websites, your name it.
For a time I had somebody trying to tell me it was their email address even though I’ve had it since the Gmail beta.
I ultimately switched off Google push MFA as I got tired of constant notifications at all times of the day trying to recover the account.
Authenticator app works just fine.
Ultimately ditched it as primary address but still have it.
I have an OG one too. firstname@gmail.com by invitation. I have had an increasing number of uses in the past 2-3 years, from medical appointment/scheduling to employment related emails to travel/itinerary information. What was once quite a novel thing to have has become a liability. I am not very happy with the way this has turned out.
I too have a mid 90s Gmail account of the format very-common-first-name.city@gmail.com and I regularly get personal or financial records intended for, I guess, similar emails.
I’ve gotten correspondence from a teacher about a student about disciplinary actions needed, a father who wished his son would talk to him, lease agreements from property agents, a tax returns from a CPA, and countless offer emails from companies. I’ve reached out and have concluded there are multiple emails that are getting mistyped. I always wonder are others getting emails intended for me.
This thread has been entertaining and a relief – I have an OG gmail account, and the constant barrage of accounts created by other people is sometimes wearing. Right now, there are 4 (different!) people with AT&T accounts who have somehow used my email to sign up. I get their bills every month. But there’s no way to fix the situation online, so I’d have to call AT&T and hope that the customer service rep a) understood what I was saying and b) had the ability to fix it. I remain unconvinced either is likely.
What annoys me the most is those emails from companies wanting you to verify your email address — but they almost never include an option for the opposite — verify this is NOT that person’s email address. But somehow, even though I never click through to verify, I continue to get stuff from them anyway.
I have to say it’s a bit cathartic to see so many people with the same experience as me. I have a 6 character gmail. I started with trying to find the right people and advise them how dangerous the practice can be especially on some types of accounts. Then tried to get businesses to fix the bad email but so often run into the “we can only make changes for the authorized account holder but you’re saying you’re not that person” wall. Now I mostly ignore them but keep a file (gmail label) on them. For awhile I was on the automated distributions whenever someone called in to complain their magazine didn’t arrive, with the messages including the address of the intended recipient. (Those lasted until I pointed out it was only a matter of time before some embarrassing ones went missing, and their customers would not be happy to know they told me about their subscriptions.) Dental appointment reminders, adultery website memberships (man, you’d think you’d type carefully on THAT one), robot battle details, funeral commentary, too-detailed information about youth sports obviously intended for parents of kids on the team, and of course all varieties of the mundane along with it.
It amazes me that more sites don’t force an email verification before they accept an address as valid. And that people “forget” their suffix or whatever their deal is.
I signed up for Gmail in its earliest days, so was able to get my own real name as my address — no need to say DavidW123 or Weinstock.in.Vermont. Calling it OG is cool, thank you. — I do have the slight problem that I receive emails meant for one other David Weinstock who appears to give out the wrong address to his many business clients and suppliers. This happens about once a month now. I forward the message to him, and also inform the sender.
So glad I’m not alone! I have a very early account I created primarily for use as a catchall when I sign up for something and don’t really want to get their emails. Several years ago I discovered that people all over the world, literally, use my email address for the same purpose. And not just individuals. I receive multiple receipts (of EVERY time), account confirmation emails, financial info, hotel and rental car contracts, etc., and my best guess is that their system requires and email address so the clerk enters my generic one when the person doesn’t provide theirs. It’s crazy that people don’t stop to think “this address probably belongs to someone.”
I currently have many problems with this, this article is a real joy.
Congratulations