69 comments

[ 3.7 ms ] story [ 110 ms ] thread
My Gmail is based on my real name and I had similar problems:

https://news.ycombinator.com/item?id=9502169

At least 300 men in the USA share the same name as me. I got my Gmail in 2005 so I got it firstname.lastname@gmail.com and others who got the same name as me enter it into websites all of the time. Most don't even validate the email, and sometimes I have to email the admins to get the account shut down.

I think websites have a resposibility to validate the email and delete the account if it isn't validate in a reasonable amount of time or have a link to delete the account if someone who signed up wasn't you.

(comment deleted)
> I think websites have a responsibility to validate the email and delete the account if it isn't validate in a reasonable amount of time or have a link to delete the account if someone who signed up wasn't you.

You're talking about a business with questionable practices to begin with in that case, not a responsible one. These people are scammers like most of the dating websites.

Obviously the only thing they cared about was money. Offered to delete the account for $19 but just hid it instead of deleting it.
> I think websites have a resposibility to validate the email and delete the account if it isn't validate in a reasonable amount of time or have a link to delete the account if someone who signed up wasn't you.

Why do you think this? It would help if you pointed to a statute imposing this obligation, as I've never heard of one.

You might do better to make an argument that they had an obligation to delete the accounts of people who paid them specifically for the service of deleting their account. Which it appears that in many or all cases, they did not.

Alas there is no statute that protects people and their email addresses from abuse in this way.

Anyone can enter an email into a webform even one that isn't even theirs and create an account and get away with it. I myself never found out who was entering my email into dating sites and other places. I wanted to talk to them and tell them to stop, but I was powerless to do anything.

When you share a name with 300 other men in the USA, and some of them forgot to enter a number or series of letters for their own address, it comes back to my address.

My point is that I found out the hard way that most websites don't even bother to validate the email, take any email, and people who own that email get unwanted messages from that site.

Ha! I have always been jealous of the people who got firstname.lastname@gmail.com but now I see that privilege has a price.

I have a very common first name / last name combo (it's awful, it's not 'John Smith' but frankly it may as well be.)

I worked at a large corporate where there were four people who shared that combo.

We constantly got each others email and meeting requests.

One of them wouldn't have any of it but the other two and myself got to the point where we'd forward an email with a comment like: "Hey, your wife isn't able to fetch the baby from creche this afternoon, see below."

In a weird way I kind of miss it.

> Mostly, though, I grew to enjoy being a kind of hub in the E. Ratliff community.

> E. Ratliffs have our secrets, and we stick together.

lmao. Great read.

I have the same problem. I receive flight tickets, dinner reservations, once even an entire stack of private documents including passport scans (from someone working as an admin for the Italian PM! Blackmail opportunities ahoy...). I usually do my best to track down "offenders" and forward their stuff... unless it's something from racist/wingnut organisations (it looks like Americans sharing my surname have right-wing sympathies).

I originally thought it was a "senior citizen" issue but now it happens with all sorts. People just forget what their correct email address is. Moral of the story: registering your name to new services asap is always good ;)

Me too. I constantly receive email notifications that I've won some lottery or inherited money from some prince. It's clearly been sent by mistake. Being a good citizen, I've never attempted to claim them.
I get the same and have sometimes tracked down the people involved for things that seemed important (e.g . medical continuing education course proof).

I do gleefully mark as spam the ongoing stuff from a rather wingnutty gun rights organization that someone donated to, though I did attempt to unsubscribe first. Apparently once you give some groups money there's just no getting off their lists.

Imagine the spam you would get if you have a common name - like jsmith@gmail.com.

I have a boss with a very common last name - not quite as common as smith though. He has a "jsmith@yahoo.com" email address. He constantly gets emails meant for other j smiths.

I have my [lastname]@gmail.com -- I have learned that there are many distant cousins in Brazil.
Ditto. I assumed this happened to everyone; it happens to my gmail address constantly. Occasionally I get a message that's cc:d to sameusername@notmyuniversity.edu so I can at least inform the person that they've been using the wrong address. I actually was shocked to hear the above woman's voice on the radio one time, when she was interviewed by NPR as a faculty member at that same university!

Mostly it's an annoyance, and pisses me off that more places don't use double-opt-in.

I've had the GMail account since 2004 and I got no mis-addressed mail until at least 2008 or 2010, then only stray ones until about 2013 when all of a sudden there was an uptick and it seems like there must be at least 20 people who at least occasionally use my email address by mistake, at least on occasion.

I've gotten Alitalia boarding passes, tax data, all kinds of things. I'm on a family mailing list. I got a reply to someone who sent an email (using my address) from behind the steering wheel of a top-down Miata. Imagine their shock when I sent back an identical picture from behind the wheel of my own identical car.

Another good one was the kid who kept signing up for college information using my address. Then one day I got email from a college administrator saying the snail-mailed info packet was sent back to them as unaddressable, and asked him (me) for clarification as to his postal address. I politely pointed out that he also, unfortunately, provided an incorrect email address. I was thinking to myself "not everyone is college material", but others assured me I had done the right thing.

I have a similar email address. Signed up for gmail early on. A lot of people are surprised that AM doesn't verify emails, but it doesn't surprise me at all. I am signed up to 100s of newsletters and other services through no action on my part. I can say with certainty that Plenty of Fish also doesn't verify emails (at least at first,perhaps they inactivate accounts after a period of time). I had to add them to spam. It's too bad, some guy in Australia with my first letter/last name was getting a lot of attention from the ladies.
I'm stunned I'm not in the AM database. Variations of my gmail address (dots in different places) have been used to sign up for every sketchy "adult dating" site in the world. My wife saw some in my inbox and was very upset, until I showed her the massive amount of things I get that are quite obviously intended for someone else with my name.
Gmail ignores the dots internally. j.smith@gmail.com is the same as js.mith@gmail.com is the same as jsmith@gmail.com.
Who cares about email addresses? Credit card numbers are how you incriminate your cheating spouse.
This is what you needed, especially in this case. Ashley Madison did not verify e-mail addresses, anyone could put any address in there.
(comment deleted)
Credit card numbers are often stolen and therefore are not a good singular piece of evidence.
Don't know why you got downvoted. My CC was recently compromised, and the "thief" purchased a lot of very odd things all at once which triggered the flag, including online services I had never heard of. And lots of dominos pizza!
Except as many others have pointed out, having an account on the site with a matching credit card number does not offer proof of cheating, nor even of intent.

I'm not very sympathetic to the people making this argument (the "it ruined my life!" crowd), because the reality is that probably 90%+ of all the account holders cheated or intended to cheat while married, without their spouse's approval or knowledge. As far as I'm concerned, if you had an account there, it was up to you to make sure your spouse knew that, and why. And it's your fault if your spouse is unhappy about it or doesn't believe your post hoc explanation. The criminals responsible for the leak need to be punished severely, but the criminal nature of their acts doesn't let you off the hook.

Nevertheless, this all falls well within reasonable doubt for me, so I'm not going to call someone a "cheating spouse" even if 100% certain they had an account. For one, I don't care; what is and not cheating is between spouses. For another, I don't need a libel lawsuit. And last, calling someone a cheater doesn't provide me any benefit anyway.

So maybe lay off the loaded language a little.

true. more evidence is needed. my point was more that simply an email address is definitely not enough evidence.
I actually thought about something slightly related -- With the AM drama, won't an individual have a reason to signup to all shady websites with their worst enemey's email address and then wait for one of those sites to get similarly hacked? Would some people have created AM profiles of others just as a joke, and now those people might be in trouble?

I once found a dating profile of mine that was created by an overzealous relative. Thankfully this was few years before I met my spouse.

> won't an individual have a reason to signup to all shady websites with their worst enemey's email address

Well usually sites verify that the person signing up on a site is the owner of that address, in a large part for this very reason.

I've heard that AM didn't verify. And I'd say many shady websites won't.
That seems to be the case. But then one has to wonder why they bothered collecting the addresses in the first place. If I were running a service that most people would prefer others not know they use, and I were not verifying addresses, I would expect that very few of the addresses I'm given would be of any value. Since I haven't verified them, I can't really use them myself, and I'm not likely to find much interest if I try to sell them. So why even ask?
That's a cheap form of plausible deniability, then.
In Django, as an example of one web framework, the email address would still be in the users table. There'd be a flag somewhere else in the database to indicate whether it had been confirmed or not. Only a sign up system that has separate storage for unconfirmed registrants, or that purges unconfirmed accounts after a period of time, would keep your email from showing up in the dump if a buddy signed you up as a prank.
Couchsurfing.com does this a little differently - they mail you a post card and you enter your 2-factor code from the postcard onto the website, verifying that's your real address.
I'd imagine this method won't work for sites like AM...
I have the same problem, having an jbloggs@gmail.com-format address.

It seems there's one lady who apparently lives in Utah and is unable to accurately tell anybody her email address. I've received several sets of flight bookings / e-tickets, personal photos, schedules for religious retreats, etc.

> Ashley Madison does not validate all email addresses

There you go. Everybody gets a perfect excuse for their email showing up in that database.

With a bit of investigation it's easy to find out the lat/long and signup ip address associated with an email account. Most of the time this should make it clear if the person in question really did it or not.
In 99% of real world situations, the girlfriend or wife will either believe you or not. Once any experts are hired, the relationship is already over, no matter what the investigation concludes.
I'm not talking about hiring experts here, I'm talking about reading a text file.

But ya, while I might not go as high as 99% I generally agree with what you're saying.

My gmail address, which I got when gmail just started, is my last name @gmail.com. There's no first initial, no numbers after it.

Now, my last name isn't that common, but there are probably several thousand people with it. And I get all sorts of email for all the others with my same last name who think that last name @ gmail.com will work.

So this is how women can get interested in IT.
This type of comment may be keeping them away.
the article doesn't mention that you have to confirm your email is valid by clicking a link before you get registered so incriminating strangers this way should be impossible. I presume he validated the email himself
I have no personal experience of AM - but everything I have read about it says that they did not require email validation of this sort.
But that's widely reported as not being true. On what basis do you claim otherwise?

> It’s important to note that Ashley Madison’s sign-up process does not require verification of an email address to set up an account, so legitimate addresses might have been hijacked and used by some members of the site. One email in the data dump, for example, appears to belong to former UK Prime Minister (Tony Blair).

-- http://www.wired.com/2015/08/happened-hackers-posted-stolen-...

And why would that make it suspect? I'd rather assume it was him who signed up
yes i was surprised to find out this was the case. I actually didn't think I'd posted this comment, as I went to AM and tried it out with a dummy account. must have hit the post button by mistake.
(comment deleted)
(comment deleted)
I wonder if a lot of addresses were added by AM themselves, perhaps from an email marketing list. I have a spam-catcher account where all messages go straight to the junk folder. I use it when required to sign into services that I don't ever plan to return. I found this email on the AM list, though I haven't ever signed up. It's likely that my address was sold by some service or another, is all I can figure?
Okay, time for my story:

About two decades ago, while going through new-employee orientation at a university, I sent some e-mail from a computer lab. As part of this, I entered my e-mail address as the reply-to address. At that moment, there was some kind of misconfiguration: the directory on the university-wide server where global defaults were stored happened to be writeable.

A couple of weeks later, when all the students showed up, my e-mail address was the default reply-to address on the standard e-mail client in all university computer labs. And because the configuration problem had been fixed -- the directory was no longer writeable -- my address remained the default address.

It took me a while to figure out what had happened. For several days, all I knew was that suddenly I was subscribed to every mailing list in the universe.

When I did figure it out, I told the IT people, and they fixed it. But then -- I'm not making this up! -- there was some kind of crash, they had to restore from a backup, and it happened all over again.

There was no serious negative impact from this episode; I just got tons of wacky e-mails for a while. Perhaps things might be different if something similar were to happen today.

> I just got tons of wacky e-mails for a while.

It might be worth saving those pearls.

Yes, indeed. But, alas, this was 20 years ago, and the messages in question are long gone. At the time I was not thinking of humor value for posterity; I was just annoyed.
Would you receive replies from emails users sent from their own address?

User a emails his mom, his mom hits reply and it was directed to your account?

Yes, that was eventually the big tip-off as to what had happened. I would get messages like, "Hi, Fred! Glad to see you're settled in at BigU. Who's this 'ggchappell' guy?" (My name isn't "Fred", BTW.)
This guy has two problems:

1) his wife doesn't trust him

2) his wife needs a lesson in spam avoidance, as she was foolish enough to type her husband's email address into a website form that very likely is scraping addresses to be sold to spammers.

My phone number used to be 222-3212 and every day when I got home from work I had a filled phone answering machine, (yep that long ago). Mostly random kids, but sometimes sales people.
Something similar happened to me last week. I started getting e-mails from eBay to first.last@me.com, an e-mail address that I use for iCloud, but nothing else. I was getting inundated with messages from eBay, so this morning, I did exactly what the guy in the article did; I reset the password, and took control of the account. Hopefully, problem solved (aside from some residual messages I'm still receiving).

Also, it turns out that I get collections calls for a guy with my first and last name, and based on the information in the eBay account, I have reason to believe this is him. Guess where I'm pointing the next debt collectors to call me to?

I'm on the receiving end of some family's group emails. It seems like they've had some nice vacations over the past few years. I hope they found the lost sneaker they misplaced this Summer. I contemplated showing up at their (our?) family reunion but I wasn't able to make it that weekend.
I think many people are missing perhaps the real issue with appearing on a list like this (even if wrongly accused so to speak). By appearing on the list you raise suspicions and those suspicions could very well cause someone (spouse, girlfriend) to look at what you do more closely. That may or may not matter. It may have to be combined with other solid or sketchy data. This is similar to how police solve some crimes. Some little fact, while insignificant in itself, gets them to focus more closely on a particular individual that they might not have thought much about prior to the insignificant and even incorrect fact that was passed to them. Such as "well I did see a Red Chevy Camaro with Florida plates" or "a guy wearing a University of Michigan sweatshirt"...
Similar first-initial-last-name gmail address, similar issues. Fortunately my email didn't make into AM, but I checked as soon as I found out because I get so many wrong emails, and wanted to know myself before anyone else looked "me" up.

The worst is Sprint: my email address is attached to a family account in Minnesota… and every time the parents use the "locate your child" feature it, as a security measure to be sure, sends an email alerting them that their child had been located near 123 Main St, SomeTown, MN. That one freaked me out enough to try to resolve it… I called Sprint, went through three reps and it took 20 minutes just to get them to understand the issue. And even then, neither that rep nor their supervisor could do a thing about it. So now I have a gmail filter that insta-trashes those messages… I really don't want to know where those children are!

I've successfully created a few emails written in leetspeak or using short 3-number keys or 3-letter abbreviations converted to some type of base X system and never have problems with them. I rarely, if ever, receive junk mail, and humans definitely have a lesser chance of using them.