02
Sep 20

The Joys of Owning an ‘OG’ Email Account

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.

About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.

Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.

What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.

But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, TurboTax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.

I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.

If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.

It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.

For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.

On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and asking what motivated them to do so.

Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.

Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.

Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.

More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit twofactorauth.org and see whether you can harden your various accounts.

As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.

260 comments

  1. Not really an OG gmail account but with a password that does not meet current rules. If I don’t change it, anyone using a password generator set to try all possible rules will never try my password.

    • I had a password like that and when I went to change it I discovered that the site applied the complexity rules to the old password that I was trying to change, presumably because they used the same text widget in the “enter old password, new password, and new password again” fields. Had to email their tech support to bypass that.

  2. I have an OG gmail — 6 characters only — and from 2009 or so I’ve been getting emails for a guy in India (I am Indian American, we share the same first name) — and have been able to plot his life thru them — college, organizing road trips with friends, dental school, marriage proposals, visits to factories, buying cars and lease terms, and innumerable dental industry related things. I did respond to some of the personal ones with a “hey I’m not this guy”, including a match-making/marriage proposal (could have been the start of a rom-com if I got interested in the woman who was being presented!). Anyways, I imagine that guy is my doppelganger, living a life I could have lived had I grown up in India 😉

  3. I still have my aim login for my hacked pandora app. I checked it out long ago….the login was rerouted lost all my navy notes etc.

    Also for back ups….during this time check out.

    https://www.cobiansoft(dot)com/

    Very easy to use, clean, reliable, free….very good for SMB right now to make mirrors on a NAS to roll back to if cryptolocked. Can be put on server….very versatile better than endpoint backup in my opinion.

    Waiting on that update Krebs : ))

    • I dunno, flash drives are small, convenient, easy to make and to replicate backups of backups, inexpensive and if you can’t store all your stuff on a 128 GB or even a 64 GB thumb drive, then you’ve got too much stuff. You can put backups of your backups at relatives’ homes, keep one in your car or bury one in a time capsule. Certainly emailing important stuff to yourself is always a good way to store stuff. People used to keep memento boxes and junk drawers and a tray for pocket watches and watches and rings and now we keep flash drive trays on our dressers. I format all of them with exFAT so I can read them with either android or windows. Cloud storage is nice but I would never count on it never getting hacked or losing access.

      • Flash drives are fine for data: they’re not at all fine for installed programs.
        If you are an accountant, for example, you will have 2 or 3 installed accounting programs for every fiscal year going back a decade or more.
        The files backed up are utterly useless without the accounting program – and re-installing decade-plus software is often impossible since the original media are misplaced/lost/non-functional.
        Another example would be a decade-plus X-ray machine. The interface is certainly a Windows XP machine; take that machine down, you might as well junk the million-plus dollar X-ray.
        True backup/protection against business continuity interruption isn’t about the data – it is the ability to restore maximum feasible business function as quickly as possible.
        Any type of purely file-based backup does not fulfill this requirement, cloud or otherwise.

        • Cool story, C1ue. Two quick questions: drive images like acronis won’t fix this? and while the *DATA* of medical imaging hardware can exceed mem-stick capacity, what winXP systems do you have that exceed 64gigs.

          tldr: yes, enterprises (and HIPAA) probably shouldn’t just fly seat of the pants. But that’s really not what we’re talking about here.

      • Over 64 GB is “too much stuff” — that’s hilarious. My files from just one video production client are probably more than that. I had to look at the date stamp on your comment to make sure this wasn’t from 10+ years ago. I also re-read it to make sure there was no hint of it being a joke — I mean, leaving backups with relatives is also pretty ridiculous (no matter how nice your relatives are, the logistics are so awful that it will provide too little data security to bother with) — but I’m pretty sure you actually meant what you wrote.

        It’s best not to judge the needs of others based on what works for you. A 4 TB drive can be had for under a hundred dollars, and for some that 4 TB might feel too small. There are many valid reasons to have much, much more data than 64 or 128 GB.

    • Ransomware attackers go after any type of attached backup first.
      A NAS mirror that is always on? First to go.
      For that matter, any type of backup program that has a profile on the compromised device is vulnerable. I’ve seen both offline and cloud backups taken down because the attacker identified them by their presence in the installed programs section – and then poisoned the backups before taking down the primary.

  4. Why isn’t the website/email provider ever held accountable ? wow

    • What do you want them to be held accountable for? People entering the wrong emails into signup forms?

      • For not requiring validation before allowing the account to be created. I’ve had DirecTV, Netflix, reputable career sites, etc. all allow someone to create an account without validating they own the account or at least didn’t fat finger the address. It was sad to have to inform an older man that he didn’t get the job he applied for at Lowe’s and that he was using the wrong email address so none of the other places he applied for were going to have the correct contact info. Then there’s the pain I had to go through to unsubscribe from about 15 sites… annoying.

  5. Adding you as a recovery contact?
    Brian, don’t give people ideas!

    I’m sure a lot of people would feel (and be) safer if they had you as a backup option.

  6. it’s not just OG accounts. I have several example email accounts I use for instruction, and people try to use those all the time. All I can figure is bored kiddies trying to stir up trouble.

  7. A cautionary tale from 2012, by Mat Honan, in Wired magazine, on the dangers of having an OG account, without 2FA.

    https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

  8. I have a long, somewhat complex Gmail address. It so happens that several businesses in India have names that correspond to this email. The proprietors have used my email to sign up with their parent companies. I regularly get password reset one-time-passwords and confirmations of financial transactions. I have no doubt that if I wished, I could take over their accounts. For years, I was on a distribution list for a massive spreadsheet of Vodafone dealers, complete with financials and customer details–info which should never have been emailed at all. Vodafone IT Security simply shrugged. Like everyone else here, I’ve tried to be helpful, but have mostly given up on trying to rectify the mixups.

  9. I was mistakenly added to the newsletter for a co-ed softball team on the opposite side of the country. We were 8-2 that season

  10. PayPal is the WORST with this.

    I’ve got a short primary email and some random lady set up a PayPal acct with MFA, listing my email on the acct. (I had not used that email for PayPal). So now I can’t reset the PayPal password without her phone. And PayPal refuses to help.

    Even though PayPal never confirmed the email, they will not dissociate my email from the PayPal acct. And they frequently suggest this is my fault for allowing someone else access to my email acct, or that my provider allows such access. Ridiculous and easy to disprove, but they pretend I caused the problem. Every second rep I talk to makes this assertion.

    Normally when snapchat or other accts are set up with my email, I cancel the acct. I was nice to a rental car receipt once and didn’t cancel the guy’s reservation, but let the rental agency know and update his acct.

    But PayPal is the worst. I’ve spent hours as a COVID hobby trying to convince their customer reps to dissociate my email. They refuse. Even after I demonstrated that I control the email. I am blown away by this. Apparently I have no recourse.

    After hours and hours over multiple days, I got them to suspend the PayPal acct. But they still refuse to dissociate my email from it. They say they need the acct holder to respond first. Ridiculous of course, but this leaves me in perpetual limbo if the acct holder never responds. Just because I’ve got a semi-attractive email.

    PayPal customer service is embarrassingly terrible.

    • Write in to Reply All with a Super Tech Support request? I’m surprised they haven’t done this kind of thing yet. I have a friend who has a person with the same name who has been using her email address for years and refuses to stop.

  11. I don’t have the most common name but I got in early enough to get the version without any numbers added on. However, I have had others using my email address as their own, for purposes including: scheduling a car appointment which I now had the power to reschedule or cancel, Redbox DVD rentals, a cable TV account, voter registration, some guy who thought he was writing to his sister, and a college class mailing list. When I told the guy who thought I was his sister that I am indeed not his sister, he thought I was kidding and continued to send me mundane emails about family errands. Regarding the college class, I wrote back to the class instructor asking her to remove me from her mailing list. She ignored me and continued to send me all her class materials. I got fed up with it because I also received all the ensuing reply alls from the students! So I wrote back in ALL CAPS (great idea) and replying all (also great idea) hoping someone would finally remove me from the list. Instead, I got into an email shouting match with the instructor over the mailing list and I ended up having to block her and all her students. It was both infuriating and entertaining.

  12. My beta-era gmail address has a few more characters, but they spell out two initials and a common last name. And that means many of the same issues described in the article. The sheer number of messages I get from realtors makes me think people like to use it as a “fake” address on sign-in sheets at open houses. One time I was able to open someone’s hotel reservation and could have cancelled it if I chose to. And for years I was getting someone else’s CVS receipts and couldn’t get CVS to fix it until I asked them if they thought it was a problem that I knew where this person lived and when they last purchased condoms.

  13. Mine got the stuff you mentioned, but once got a flurry of messages tied to someone’s illicit affair. With pics. First, a couple missent emails planning their trip to another town. I pinged the sender and got an OMG-Delete reply. Then, a month later, I got pics. Some of sightseeing and shopping, a few selfies, and then the nasty stuff.

    Some people don’t value their privacy as much as we think.

  14. I’ve received other people’s banking info. Letters from someone’s mother (sweet) and been scheduled for surgery – as the surgeon!

  15. In late 2003, I had an employee get a great opportunity with Google, which she left for. She was put on the Gmail team straight away, and gave me 10 invites as soon as they were available. I got some amazing addresses, the majority of which I still use to this day for various things (one for shopping, one for lists, one for online forums, one for personal, etc). I get an incredible amount of spam, as you might imagine, but manage it well.

    One of those addresses has to do with body art. Over the years, and multiple times a week, people from around the world send me emails thinking that I am someone in the industry. Most include pics, some in very private areas. I do my best to respond nicely and humorously to let them know that I am not who they think I am.

  16. You think you’ve got it bad Krebs, try being us. BagOfDicks.com is the domain of choice for anyone who’s signing up for something they don’t want to actually be contacted about.

    We’re also popular with political activists it seems. Can’t tell you how many daily submissions we get for every major politician.

    Can you imagine the amount of email that’s meant for Ted Cruz or Nancy Pelosi that gets sent to EatA@BagOfDicks.com every day.

    https://bagofdicks.com

  17. Yes. I experience this every day. It gets worse each year. My brother and I have a “first initial + last name” email (only 6 letters total) that we both acquired during the Invite-Only Gmail Beta era. We have been signed up for an incredible amount of very sensitive bits of information.

    Here is a small fraction of what I’ve received over the years: retirement fund statements & access, medical results & appts, dating sites (constantly), confirmation of hotel/flight reservations, sports clubs/little leagues, oil change appointments, hair salon appointments, apartment rentals (and subsequent missed rent notifications), massive amounts of free magazine sign-ups (under different first names, but with the same first initial and same last name). And my favorite – a neighborhood Luxury Yacht Club mailing list (that I can’t seem to get off – so now I just read the email drama like a soap opera).

    It is very tempting to screw around with this access. Such as cancelling a hotel reservation, or setting up oil change appointments with a car dealer, showing up to a house party that I was “invited” to via email… but normally I just delete the accounts and unsubscribe if possible. Or tell people they have the wrong person.

  18. What about authy? I like authy. Is authy Good..?

  19. I have an OG address too and I’m amazed at all the shopping sites someone else has subscribed it to. I’ve also received wedding and class reunion invites.

    Any organization sending sensitive info by email (really any entity sending automated mail) should validate an email address before further use. Perhaps send an email with a time-limited code and don’t send another until the user manually requests it or it is successfully validated via some other channel.

    If sending a URL instead, the destination site should require authentication so if the email is already in use by someone else, the existing user can’t easily take over your account by simply clicking the link.

    Seems like there should be regulations or at least widely used standards that require email address validation for entities sending financial, health, legal, or other sensitive information via email.
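
The validation flow proposed in comment 19, sketched as an added example (not code from the commenter or from any site named on this page). `EmailVerifier`, the 15-minute lifetime and the five-guess limit are assumptions; `send_mail` stands in for whatever mail API a site uses.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a confirmation code
MAX_ATTEMPTS = 5             # assumed number of guesses allowed per code


class EmailVerifier:
    """Hypothetical helper: no mail beyond one code until the address is confirmed."""

    def __init__(self, send_mail, clock=time.time):
        self._send_mail = send_mail   # callable(address, body)
        self._clock = clock
        self._pending = {}            # account_id -> pending state
        self._verified = {}           # account_id -> confirmed address

    def _issue(self, account_id, address):
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[account_id] = {
            "address": address,
            # Keep only a digest so the live code is not sitting in storage.
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_mail(address, f"Your confirmation code is {code}")

    def register(self, account_id, address):
        """Signup: exactly one message goes to the unconfirmed address."""
        if account_id in self._pending or account_id in self._verified:
            return False
        self._issue(account_id, address)
        return True

    def resend(self, account_id):
        """Runs only when the signed-in user explicitly asks for a new code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        self._issue(account_id, entry["address"])
        return True

    def confirm(self, account_id, code):
        """account_id comes from the authenticated session, not from the email,
        so whoever merely receives the message cannot confirm the account."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            return False              # stale or locked: user must call resend()
        entry["attempts"] += 1
        digest = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, entry["digest"]):
            return False
        self._verified[account_id] = entry["address"]
        del self._pending[account_id]
        return True

    def send_sensitive(self, account_id, body):
        """Statements, receipts, reset links: confirmed addresses only."""
        address = self._verified.get(account_id)
        if address is None:
            return False
        self._send_mail(address, body)
        return True


if __name__ == "__main__":
    outbox = []   # constructed stand-in for a mail queue
    verifier = EmailVerifier(lambda addr, body: outbox.append((addr, body)))
    verifier.register("acct-1", "someone@example.com")
    print(verifier.send_sensitive("acct-1", "Monthly statement"), len(outbox))
```

With this in place, a mistyped address costs the real mailbox owner a single message, and nothing sensitive follows it.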

  20. I go with 3 different (well-known) major cloud drives. Two are shared back and forth with each other, the 3rd is what I guess you could call my modern day “sneaker-net” volume.

  21. Short email domains are a premium, I saw hey recently started charging $1k for a short email domain. I have mine with xyz.am which is nice and short.

    I like to think about all the time it saves me when entering a short email address.

  22. I’m amazed at how many people use MY gmail address (first initial, last name) acquired in the second wave of beta gmail invites. I’ve even had a lawyer send “me” very sensitive legal documents, and then became a real dick when I pointed out his error. Since I can out-dick just about everyone, I suggested that I pass them on to the other party, and then he started threatening about the disclaimer in the sig (like I’m bound by that…), and attorney/client privilege (which I pointed out that he was the one who breached it). I suggested we have his state bar adjudicate who is right and wrong, and that was the last I heard from him.
    That was fun. Right now, there are two separate kids applying for college and all of the admissions officers are trying to hook them, and a guy who is traveling and his hotels keep sending me surveys–to which I give horrible results.

  23. I am just taking a detailing from another person explaining the issue, and it really being an issue with the email vendors, in this case Google Gmail. So the security really is a matter with the vendors.

    “Gmail does not count dots as part of an account name. That is, first.last@ is the same e-mail address as firstlast@. This applies to both account creation and usage to send e-mail; the presence of dots in the name does not make it a different e-mail address.

    Gmail also ignores capitalization in account names so first.last@ is the same account as FIRST.LAST@ (or any other combination) and also does not represent different accounts. This also applies to both account creation and usage.

    In like manner, @gmail.com and @googlemail.com are also the same e-mail address and do not represent two different accounts.

    Fortunately Google does not allow duplicate accounts to be created, so it’s not possible (for example) to have both a first.last@ and a FirstLast@ account. There are not two accounts with the same name and no one is getting e-mail that hasn’t been sent specifically to their account. More specifically, no one else is getting your e-mail because no one else has your e-mail address.

    That said… There is nothing to prevent people from using the wrong address when registering on a web-site, or giving out the wrong address as their own to others. This means that e-mail sent to that address would go to someone else (the actual owners of that e-mail address). E-mail you receive that was intended for someone else does not mean there is a duplicate account, merely that it was sent to the wrong person.

    Just to clarify, you are not receiving e-mail addressed to someone else, you are receiving e-mail intended for someone else but misaddressed to you.

    Google’s help article on this subject: https://support.google.com/mail/answer/10313
    And also: https://support.google.com/mail/answer/7436150
    A really good explanation of account names: http://gmail-miscellany.blogspot.com/2012/08/wrong-email-gmail-dots-issue.html
    A more technical look at the topic: http://gmail-tips.blogspot.com/2014/07/not-my-email.html
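
The three Gmail equivalence rules quoted in comment 23 (dots ignored, case ignored, `googlemail.com` the same as `gmail.com`), applied to a signup table to find accounts that all deliver to one inbox. This is an added example, not code from the commenter or from Google; the function names and the sample records are constructed, and addresses at other domains are left untouched because the quote speaks only for Gmail.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return the mailbox an address delivers to, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Per the quoted rules: dots and capitalization do not create a
        # different account, and both domains name the same mailbox.
        local = local.replace(".", "").lower()
        if not local:
            return None
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(records):
    """records: iterable of (account_id, address) pairs.

    Returns {mailbox: [account_ids]} for every mailbox claimed by more than
    one account, i.e. the wrong-address signups described on this page.
    """
    by_mailbox = defaultdict(list)
    for account_id, address in records:
        mailbox = canonical_mailbox(address)
        if mailbox is not None:
            by_mailbox[mailbox].append(account_id)
    return {m: ids for m, ids in by_mailbox.items() if len(ids) > 1}


# Constructed sample rows standing in for a site's user table.
SAMPLE_SIGNUPS = [
    (1, "First.Last@gmail.com"),
    (2, "firstlast@googlemail.com"),
    (3, "FIRSTLAST@GMAIL.COM"),
    (4, "first.last@example.org"),   # dots stay significant elsewhere
    (5, "firstlast@example.org"),
    (6, "not-an-address"),
]

if __name__ == "__main__":
    for mailbox, accounts in find_shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(mailbox, accounts)
```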

  24. Not an OG, but my regular address (firstName.lastName@gmail) is being used by several other people. Someone signed up for Santander bank account (I’ve been receiving monthly statements for about 3 years already), cable TV and several online courses (monthly subscriptions), Play Station Network and more.
    I tried contacting all these companies and let them know about the situation, but most of them (including the bank) never replied.

  25. Not exactly OG, but a firstname.surname@gmail.com address, and my name is pretty common where I live. Both registration confirmations and actual messages do occur… People are incredibly careless. The funniest one was when I got instructions from a vet… for cows’ stomach medications.

    • I have a very similar email and have a handful of folks with the same name that I get random emails for, I can usually puzzle out which other Robert it is intended for and forward them the correct email address.

      One of them I actually reached out to years ago and compared family trees and found how we were related!

  26. I have a short email address for an early (and still popular) email service with free accounts. There are one or two individuals with the same first initial and last name, one in Michigan and one in New York state, that keep giving out my address as theirs. I get their utility bills, insurance bills and offers, and occasionally retail receipts. They don’t seem to be catching on; I’m in no way malicious but tired of receiving their junk and often hit “unsubscribe” or block the sending addresses.

  27. Though I have a simple Gmail address that I got the first week Gmail opened to people who were paying to advertise on Google, and have experienced some hacking attempts, this story has nothing to do with that, but is funnier.

    A few weeks ago I saw an ad on Facebook from Wayfair, for an item my wife and I were shopping for. I clicked over to the Wayfair site, but was absolutely refused entry until I gave up my name and email address.

    I didn’t want to give them that information, especially when I was being hustled so rudely.

    So I entered my name as Joe Blow, and my email as joe@blow.com.

    Wayfair’s response?

    Welcome Back!
