> And you would be surprised, how many sites sell email addresses to others, and I know it as every one gets its own email address.
So much this. I've actually contacted companies to tell them they've been compromised because I started getting phishing emails. I quit after the third time of reporting it and being told "we haven't been hacked, someone in your friends group has and you just can't read email headers".. right because someone in my friends group emails "mylocalgym.com@mypersonaldomain.com" to schedule group activities.. then six to twelve months later I get an email from HIBP telling me said website was hacked and my email was compromised.
It's funny to hear this experience. I've been doing this consistently for about 5 years now and have noticed 2 instances where this occurred, and in both there were prior disclosures about a security failure.
I tend to sign up for a lot of things (I'm seeing over 150 unique email addresses I receive emails from using this scheme), but I guess I'm just getting lucky.
Also, just out of curiosity, where does one sell email addresses, and how much are they worth? I take signups on a few websites, and I'd never sell my users' email, but I'm just curious to learn more.
I used to trade e-mail addresses with various banks, some 15 years ago. I'd just call up their marketing departments and offer those as 'financial leads'. I had a network of people who had various ad campaigns running where a customer could win something if they'd leave their personal (financial) data.
I did it in the early 2000s with a domain I picked up just for that purpose, which I'm almost positive was "myspamstopper.com", but I let the registration lapse and it was snapped up. It's amazing what was still available back then to easily register.
Side note: I've seen some MTA systems having weird filters for receiver's domain name or company name being part of sender's local-part.
When I'm opening an account at Example Bank which uses example.com domain, I avoid creating dedicated mailbox or alias with words "example" and "bank". exmplbnk@, xmplbnk1234@ or similar seems to have better deliverability when I'm attempting to contact the other side.
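The per-site alias scheme discussed in this thread (one address per site on a catch-all domain, plus short aliases like exmplbnk@ that don't literally name the site) lends itself to automated leak detection: mail arriving at an alias from a domain other than the one it was handed to is evidence the site shared or lost it. Added example, not code from any poster; the domain names, the ALIAS_MAP entries and the sample messages are constructed.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "mypersonaldomain.com"  # catch-all domain from the thread
# Aliases that do not literally name the site (cf. exmplbnk@); constructed.
ALIAS_MAP = {"exmplbnk": "example.com"}

def registered_site(recipient):
    """Map a per-site alias to the site it was handed out to, or None."""
    local, _, domain = parseaddr(recipient)[1].rpartition("@")
    if domain.lower() != MY_DOMAIN or not local:
        return None
    local = local.lower()
    return ALIAS_MAP.get(local, local)

def sender_matches(site, sender_domain):
    """True when the sender is the site itself or one of its subdomains."""
    return sender_domain == site or sender_domain.endswith("." + site)

def check_message(raw, seen_at=None):
    """Return a timestamped evidence record for mail to one of our aliases.

    suspicious=True means an alias given only to `site` received mail from
    somewhere else: the site shared or lost the address, or the From is forged.
    """
    msg = message_from_string(raw)
    # Delivered-To carries the envelope recipient; fall back to To.
    alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    site = registered_site(alias)
    if site is None:
        return None
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    return {
        "alias": alias.lower(),
        "site": site,
        "sender": sender,
        "suspicious": not sender_matches(site, sender_domain),
        "seen_at": (seen_at or datetime.now(timezone.utc)).isoformat(),
        "subject": msg.get("Subject", ""),
    }

def scan(messages):
    """Return evidence records for every suspicious message in a batch."""
    return [r for r in map(check_message, messages) if r and r["suspicious"]]

# Constructed sample messages (not real mail).
LEGIT = "From: Front Desk <desk@mylocalgym.com>\nTo: mylocalgym.com@mypersonaldomain.com\nSubject: Class schedule\n\nSee attached.\n"
PHISH = "From: Support <it@reset-now.example>\nTo: mylocalgym.com@mypersonaldomain.com\nSubject: Your account is locked\n\nClick here.\n"
OTHER = "From: news@example.com\nTo: exmplbnk@mypersonaldomain.com\nSubject: Statement ready\n\nHi.\n"
```

The records from scan() are the kind of timestamped notification evidence the later suggestion in this thread asks for; a spoofed From header will also trigger a hit, so pair it with SPF/DKIM results before concluding a site leaked the address.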
Perhaps there should be a system that lets
[1] ordinary people record that they notified a company that said company had been hacked together with timestamped evidence of said notification.
[2] people/organizations who sue/regulate said companies wrt said hackage have access to said timestamped evidence.
I don't know how to monetize said system but it would produce both social and economic value.
I've discovered two previously unknown data breaches this way. I was gratified when the operators of the sites thanked me for reporting it. Most times, though, I get the treatment you're describing.