
I am still livid on a weekly basis when some strangers create an account for a service using my email address (non-maliciously, usually); I get a "verification" email; and I can only choose "YES, Please verify", or ignore at my peril.

From tiny little mom-and-pop shops, to FAANG giants, nobody is giving me the opportunity to say "NO that's NOT me!". And though it's a "verification" email, typically the account is usable and the vast majority of functionality is allowed even without verification. So I get to vicariously and angrily "enjoy" the follow-up emails and updates while the users gamble, purchase, sell, review, invest, write, game et cetera using my email address.

Boo to this, I tell ya, boo!




I had a positively hilarious interaction when somebody with my name used my personal email address for their retirement fund provider. I received an invitation to a zoom meeting addressed to my personal email account and their work email account. So I went ahead and joined the meeting in progress.

I sat silently for a bit while the financial advisor finished his talking point. Then I spoke up. I don't remember exactly what I said but the other guy with my name sat there with a scared / dumbfounded expression on his face while the financial advisor calmly asked me to leave.

I told him I would leave as soon as they promised to remove my email address.


Given it is your email that is being used, that should allow for you to take over the account(s)? I'd submit a password reset, change the password, then just allow the account to live a dormant life.

That of course doesn't make it any less annoying, but it would at least stop an actor from using an account that is associated to your email.


For Experian accounts, doing a password reset requires an SMS or phone call code.

The only mechanism you have to alert the person usurping your email identity that there is an issue is to trigger the phone call verification 3 times per day, preferably around 4am.

If you call the phone support, it will give you robots until playing a pre-recorded message telling you to physically mail a legal request including copies of your ID etc.


File an FTC and CFPB complaint. Only regulators will light a fire. Experian isn't going to do anything due to consumer complaints, as the consumer's credit file is the product. Let someone from Compliance have to email the product owner about it, and the complaint starts the clock ticking.

https://reportfraud.ftc.gov/

https://www.consumerfinance.gov/complaint/

https://www.youtube.com/watch?v=9CWbc6pekd8&t=1310s ("We have a complaint database, we collect information, and are always eager for information" -- FTC Chair Lina Khan at Y Combinator)


Be careful, in the USA that is still a violation of the CFAA and US courts have proven themselves to be technically incompetent time and time again. People have been sent to prison under CFAA for using the “view source” button that’s available in every web browser.


Which case did someone go to prison for viewing the page’s source?


I think they are talking about this case, it was thrown out.

https://www.theregister.com/2022/02/15/missouri_html_hacking...


> Governor Parson's office maintained that Renaud had unlawfully hacked the school website: "The hacking of Missouri teachers' personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative."

It wasn't thrown out by a judge. The governor still maintains that the reporter "hacked" and violated state law but the prosecutor's office declined to pursue the case.


My understanding of the law is that a judge would throw out the case as well


Doesn't exactly work when they use your email to create an Apple iCloud account. It needed the actual iPhone it was connected to to complete the reset, I think I ended up getting it into a weird unusable state where neither of us could log in.


I've been tempted. But

1. That exposes me to MORE involvement with this service, not less, and potentially legal culpability. Risk may be small but impact is large and benefit is negligible, so math doesn't work out for me.

2. It requires MORE effort on my part. For a poor design and error made by not me.

If it were once every 5 years, maybe.

When it's weekly, it's just an annoyance.

Sometimes when I'm really angry, I just write to their GDPR or compliance officer with a stern letter and links to various sections of the law and their obligations. Doesn't accomplish much but makes me feel better :-)

But overall, it's a systemic issue, and given we are on hacker news, I'd say it's OUR systemic issue caused by us :-/


I was receiving somebody's water bill in my email addressed to someone in the Netherlands (apparently with a similar name). It contained their address, full name, details of their water bill... The email was in Dutch and I used Google Translate to make sense of it. It came from a no-reply so I couldn't just reply and say 'wrong customer', and there was no customer support email address to be found. I had to go to the company website and hunt down some kind of feedback form and begged them to fix this customer's email address. Eventually I stopped receiving the emails. I guess that company never even verifies email addresses. The company is called Oasen in case you're wondering, name and shame.


Vietnam Airlines once sent me someone's airline ticket, about 48 hours before they were due to fly (and about 10 years after the only time I ever flew with them). Their name wasn't even remotely similar to mine and their email can't have been either. At least that one appeared to be human error so there's a chance that my email pointing out the mistake was read by a human that was actually able to sort it out.


> non-maliciously, usually

Don't be too quick to assume this. Likely the email account is one of many spammers gathered from a data breach.

Reset the password. I even change the username to "spam" or something too, poison as much of the associated data as I can. PITA I know, it happens to me regularly.


I frequently get emails intended for someone who has my same email handle, but with the extension "@googlemail.com" instead of "@gmail.com".

I know a lot about them. I know their shipping address in the UK. I know that they order inexpensive club attire, online Domino's delivery, and have a specific gym membership.

I am shocked that Google offers no way to disentangle my email address from this person's. A more malicious person than I could easily take advantage of all of this personal information.


My understanding was that the two domains are equivalent. The following sites seem to confirm my understanding. Are you sure it isn't you?

https://support.google.com/mail/thread/125577450/gmail-and-g...

https://www.quora.com/What-is-the-difference-between-gmail.c...

https://www.gmass.co/blog/domains-gmail-com-googlemail-com-a...


I'm pretty sure I don't have an alter ego who lives in the UK ;) The shipping address and accounts opened by this person are very obviously not mine.

I live in NY.


Was there a period where you could register those separately? My old google account receives emails for both domains.


There must have been, else I wouldn't be in this situation.


Or they could just have a similar gmail address they frequently get wrong (or that looks like yours when written in the terrible handwriting they fill in forms with)

There's probably a single digit number of people with my initial and surname in the world, and I still get order confirmations for one of them, car promotions for another and am on some sort of targeted B2B spam list for a third to my Gmail address in that format. I quite like the order confirmations tbf, most of them are for a fish and chip shop I actually used to get food at when I was a kid and my grandparents lived nearby so they're oddly nostalgic


It's the exact same email, only with "googlemail.com" as the extension.


Nah, this person just doesn't know what their own email address is and types yours instead (yours with googlemail). This happens all the time and it really isn't something Google can do anything about.


Lyft likely cost customers' funds through a poor process like this in the past.

One could create an account, hail rides and add their own payment method while still being associated with someone else's email. Ride receipts would then be sent to someone else's email where the receiving party could add or increase a tip through an unauthenticated link and have it charged to the rider's credit card.


I have had spotty success forwarding the confirmation email to security@{wherever the mail came from} explaining the situation. When that fails, you can look up the WHOIS information for their mail sending provider and contact their abuse@ inbox as well.


I can beat that on annoyance level at least. I still get postal junk mail for Mr Qwe Rty after I put it in a test form when I was a contractor in 2005. This got onto a database somewhere and was sold to someone and I just get junk mail galore!


I have an early/obvious Gmail account and get around 3 messages per day from unauthorised signups to legit sites. Facebook and Google (as recovery account) are the only ones that allow you to de-link your address from an account.


I get these every so often and I'm curious what you mean by ignore at your own peril. My approach has been to ignore it and assume they will realize their mistake and reregister.


OP said so: The functionality of the account is usually partially or mostly available to an unverified email.


Yes, but I don't understand what problem that poses for him. After he verifies the incorrect email address, they have full functionality.


There's any number of risk scenarios, assign likelihood as you will:

* owner of account doesn't pay, service sells the debt to collection agency, and they come after you because it matches your email and profile.

* owner of account subscribes to something unsavoury or does something illicit, which is now traceable to you

* given email is a big part of the incredibly ridiculous and overly pervasive tracking economy and profiling of the interwebs, your profile will now be even more annoying than before and be associated with things you don't want them to be.

Etc. Or just, to your point, one day they'll realize their mistake and be mad at YOU (because people aren't generally good at taking responsibility :) and now it's a thing.

I should mention I have a dozen email accounts of various degrees of protectiveness. This happens, annoyingly, to my most private address that I have never ever once used for business or signed up for anything, only for friends and family. So among everything else I'm peeved that my pristine email and identity is being polluted by other crap.

And again... The reason this frustrates me, is this should.not.be.an.issue in any sane world. If you're sending verification email it should have a No option. Anything else is grossly negligent or evil or both.
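A verification flow with the "No" option this comment asks for, as an added example that is not part of the thread or any service's real code: both links are HMAC-signed and bound to one action, an unverified account cannot transact, and a "deny" click detaches the address and suppresses further mail to it. The key, state names and in-memory stores are assumptions made for illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"      # assumption: per-service signing key
TTL = 24 * 3600                       # links expire after one day
accounts = {}                         # account_id -> {"email", "state"}
suppressed = set()                    # addresses whose owner said "not me"

def _sign(account_id, action, expires):
    # The action is part of the signed message, so a "deny" link
    # cannot be rewritten into a "confirm" link.
    msg = f"{account_id}|{action}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def register(account_id, email, now=None):
    """Create a pending account; return the two links for the email."""
    now = int(time.time()) if now is None else now
    if email in suppressed:
        return None                   # owner already refused: send nothing
    accounts[account_id] = {"email": email, "state": "pending"}
    exp = now + TTL
    return {a: f"{account_id}|{a}|{exp}|{_sign(account_id, a, exp)}"
            for a in ("confirm", "deny")}

def handle_link(token, now=None):
    """Process a clicked link; return the new state or 'rejected'."""
    now = int(time.time()) if now is None else now
    try:
        account_id, action, exp, sig = token.split("|")
        exp = int(exp)
    except ValueError:
        return "rejected"
    if action not in ("confirm", "deny") or now > exp:
        return "rejected"
    if not hmac.compare_digest(sig, _sign(account_id, action, exp)):
        return "rejected"
    acct = accounts.get(account_id)
    if acct is None or acct["state"] != "pending":
        return "rejected"             # either link works only once
    if action == "confirm":
        acct["state"] = "verified"
    else:
        suppressed.add(acct["email"]) # stop all further mail to the address
        acct["email"], acct["state"] = None, "email_removed"
    return acct["state"]

def can_transact(account_id):
    """Only verified accounts may purchase, order or trigger notifications."""
    acct = accounts.get(account_id)
    return acct is not None and acct["state"] == "verified"
```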


I understand the problems with people using your email to register for sites. My confusion was the claim that verifying the email for some random stranger causes fewer problems than ignoring the verification email.


To make it less general and more specific

Over years, I've received people's private medical bills; been subscribed to dating sites of various degrees of sketchiness; my email has been used to register with government agencies in countries of various degrees of sketchiness too; signed up for gaming, gambling, crypto, banking, NFT, investing, and so on - many things where my comfort level for mistakes and mistaken identity and confusion and incorrect systems of record, is lower than "some kiddie signed me up for blizzard.net" :-/


Have you tried to reset the password and delete the account?


Or just leave it open to (presumably) prevent its future use.


Malicious compliance


Do you have an example of what your email address is? Is it like "john@gmail.com" or "mike@hotmail.com" or something? Seems pretty crazy that someone chooses it randomly every week. Have you considered getting your own domain for your email to make this probably go away? Obviously changing addresses is painful, but living your life with a common email seems worse.


I’ll chip in as john.<reasonably common surname>@icloud.com.

I still get email from AT&T for John Notreallyme who I believe is in his 80s and lives in Montana. He signed up in-store and I got emailed all of his details.

I got the first email that asked me to confirm my email address. Obviously I did not do that.

It makes no difference. I don’t know why they bothered.


Mine is first initial, somewhat-uncommon last name at gmail.com. Address acquired during the public beta back in 2004.

I regularly get reminders for dental visits in Oklahoma, purchase orders for machinery in Germany, and course registrations for some person who works in my industry and was easily searchable online.

It is not so intrusive to be problematic, and is mildly interesting.


I’ve made a few online “acquaintances” over the years as I’ve figured out the real email addresses for the people for whom I receive email at iCloud. We check in each time I forward something to them.


It can be fun to figure out how to contact your “acquaintances” the first time this happens. You can't really email them, can you?

I had it when someone (or likely his partner) with the same (somewhat uncommon!) firstname.lastname@gmail.com used my email. I started digging and it turned out we both were/are PhD students, just totally different fields. Must have something to do with the name. I was happy that via the faculty site I found his "real" email. Nearly sent him a really weird post card, I had only his postal address...


It wasn't as hard as I expected. In one case, I found her last name on an email and it had an additional letter, so I just modified the address to match her name (we were both first initial/last name).

In the other case I must have simply experimented with first initial/middle initial/last name, and that worked.

One is a minister in the Boston area, so it's not hard to recognize her inbound emails.


Mine is first.last@gmail.com.

I get tons of email intended for the other "first last"s in this world.

Most memorable are an employment offer as an environmental engineer in New Zealand, the results of an environmental survey for some commercial real estate development in Houston, TX, and bankruptcy papers from an attorney in British Columbia, CA.


I thought the same thing, in my whole life I have gotten exactly ZERO of these events.



