Ask HN: Am I under attack?

4 points by passive ↗ HN
So, over the last month, I've received five "welcome to X" emails for relatively prominent online services.

Two of these were gaming related, and included a fairly unique username which I tracked to a redditor who claimed to have no idea what was going on, though they admitted they had an account with one of the gaming services.

It could be coincidence, I suppose, that someone has a similar email and keeps entering it wrong in the same way. It seems unlikely, but otherwise I'm not sure how signing up for services with my email address is an attack vector.

Is there a risk I am missing here?

6 comments

[ 3.4 ms ] story [ 30.4 ms ] thread
Maybe these are phishing emails? Just change your password and maybe enable two factor authentication just to be safe.
If you clicked on any hyperlink from that email then you can consider yourself to be phished. You do not know what they wanted - was it your google account? Or something else? You don't know, the only way to keep yourself safe is to change all of your passwords.
No, I made sure not to click anything, though I did check the raw message to confirm the links were genuine (or at the right domain).

I've got 2FA enabled, and I checked my gmail access history and there are no unusual locations or devices.

It's just very odd to me that this has continued, gradually, over a month.

Do you have a common name?

I do and have firstnamelastname@gmail.com. I get all sorts of emails from people with the same name who somehow believe they have my email address.

A common issue I've seen is websites treating a period in email addresses differently. All discussion about standards aside, the fact is

* To Gmail, firstname.lastname@gmail.com and firstnamelastname@gmail.com are the same.

* To a website like Paypal, they are different. So it will allow multiple signups with the 'same' email address.

I just had to troubleshoot this for my parents, who have separate Paypal accounts, but tied to the same email account.

If the links to the platform are legitimate, try (carefully) logging to one of them and see if you can get more info on the person who created the account.

Did they leave other information on the platform: Name, number, login history? Are they dummy accounts or are they really used by someone?

It may be an honest mistake.