52 comments

[ 3.5 ms ] story [ 120 ms ] thread
This is nothing.

I have a very common name and a very common surname and people have used my email (name.surname at gmail.com plus the infamous GMail variants such as namesurname or NameSurname) for purposes like accounts on dating sites, Spotify, Instagram etc.; invoices; banks and insurances; resumes and job applications; medical test results; newsletters and all kinds of personal communications.

"I" am a local politician, a Swiss or Italian banker, a boyfriend deserting some girl in Argentina, a rugby player, a professor or two; "I" buy screws, magic tricks, diving suits; I know several of "my" birth dates and addresses and I have easily identified a couple of correspondents.

In most cases there is no practical way to verify email addresses, particularly if the person is really convinced that their email is the wrong one or that some approximation is allowed, and without actual payment collections coming your way little harm is done.

I sometimes complain to web sites with inexcusable confirmation-less registrations or reclaim accounts on services I might want to use, but for the most part I just let incorrect emails accumulate to play the passive game of collating them and consolidating identities (e.g. is the person who follows cooking courses in a certain big city the same who received from a friend bus timetables for that city?).

We are on the educated side of the internet populace. I can only imagine worse things when this happens to the non-educated, especially in developing countries like India, where almost everyone has an (mobile) internet connection these days.

It's interesting to think about how the very basis of our internet identities, that is the email, can be so easily abused by someone who has bad intent.

> In most cases there is no practical way to verify email addresses

What's wrong with "Click the link in the email we just sent to x@x.com to verify your email"?

A malicious recipient can click the link and exploit that their email is now associated to the account of some other person.
This seems like a relatively small vulnerability in practice.

But it could be mitigated by "click the link and enter the one time code we gave you at sign-up time". Too much friction? How about "click the link on the same browser you used to sign up, and we'll verify that using a cookie we just set" - functionally equivalent and probably works for 90% of users while the rest can fall back to the one time code.

I've seen a handful of sites do something like this in practice. No idea why it's not more common: presumably most people don't roll their own verification process so if some major web frameworks adopt it we'll eventually see it more widely.

> presumably most people don't roll their own verification process

Oh boy. Auth is that thing that looks so easy because you just need to store an md5 password to feel like hackerman. If people actually used existing solutions, web logins wouldn’t be in such dire conditions.

Allowing password reset requests (or activating the account in full) before the email is verified, so that I can reset the password and take over the account, means that the holder of the email prevails over the password holder: a severe protocol design error, which can be made even worse by accepting payments before the email is verified or by restricting account creations attempts.

Not all careless stupidity should be attributed to the website admin, however: assholes using random email addresses and phone numbers deserve to be punished, and knowing one's own email addresses is a basic literacy requirement.

or just make a verified email address part of the required sign-up flow. No click on registration link, no further access to account.
Compared to the current status of doing nothing, where the malicious recipient has their email associated to the account of some other person without even having to click a link?
It's not the account of some other person. They can't use it because they can't verify the email to create a password.
Needs a follow up of "re-enter password" I think?
I have a similar situation.

My most recent one was Apple telling me my id was reset by my request. This definitely came from Apple, was verifiable... But it turned out some person entered my email on their support case and it almost gave me access to their entire Apple account, the support people were willing to go through everything with me as I had the email.

It was only when I asked for the transcript of what I'd apparently said to them that alarm bells rang on their end and they finally investigated enough and escalated enough and determined my email was not the one that had anything to do with the account in question.

Mostly I ignore the email I receive, but once in a while it has enough details that I can find the person involved and give them their train tickets, or car insurance docs, etc.

Yeah, I have firstnamel@gmail.com for my actual name. I get this from time to time, but 90% of the mixups are actually down to one guy, an older latino guy (judging by the surname used) with interests in car rentals, ford trucks on second hand sites, and dating sites. He's given my email so many times, I'm convinced he thinks it's actually his email.
At least Google Workspaces now shows the profile pic for the recipient. I can forget the exact right permutation of firstname.middleinitial.lastname@gmail.com, but when the profile pic is wrong, I can be sure I've mistyped something.
Not sure GDPR is related to typos or deliberate misdirection by users - though I feel your frustration.

By any chance does the numeric component of your e-mail alias form a shape on the 10-key pad?

Under GDPR, people have the right to have their PII stored accurately and can demand corrections from companies. There was a case where a bank couldn't store someone's name properly, because its legacy systems couldn't handle characters with diacritics. The customer sued, and won.

https://shkspr.mobi/blog/2021/10/ebcdic-is-incompatible-with...

Not a lawyer but I imagine this is a similar sort of situation and the same reasoning would apply.

My understanding is that the lawsuit is still ongoing. Maybe some legalese is going straight over my head, but was it ruled in favour of the plaintiff? How much was the fine? Will they have to pay it for as long as they are not able to change the customer's name?
Sadly, no. I only have 2 digits on my email to form a pattern. As said in the post, the guy whose bank statements I received had 5-6 more characters than my name, and didn't even have a number in it.
GDPR applies for EU companies, or companies dealing with customers from the EU.
Just a random thought: can it be that a part of 'darshit' (the poo part, I mean) triggers some code to remove bad language, does something unknown, and then your real e-mail address gets linked to the first known account the respective system can find? Maybe all the different websites use the same authentication method from another third party, so it can happen on seemingly unrelated sites.
I've never had such a problem before. My email is just not simply "darshit", but also has a couple of digits. Among the people whose mail I received, one of the guy's email had 6 characters more than mine, and totally unrelated.
does this describe the various companies that phone me

and then ask me to prove my identity to them?

Pet peeve of mine. Especially when it’s a bank or other finance company that really ought to know better.
And then are at a loss when you demand that they identify themselves to you. After all, all you've got is a voice at the end of the phone. Seriously I'm sure there's good ways to solve this using some simple crypto(graphy, not currency). We ought to be able to mutually authenticate without resorting to stupid questions about things we were doing 25 years ago and no longer remember.
We are able, I think.

Say, my bank calls me and ask to call back with an extension#. I look up their phone # on their website, call that number, and provide the extension.

They know who I am via The extension # I gave back to them, I know who they are via their phone # confirmed by their website SSL certificate.

Alternatively, I call them back on the phone number at the back of the credit card.

nice idea, that should be easy(ish) to implement
So, some random person had subscribed to Tata Sky (television set-top box channels subscription in India) with my mobile number. He wouldn't pay his dues on time, and Tata sky would call me every month multiple times. Their customer service would take down my request to change the number, but they never changed it.

I was able to track down his actual phone number and on Facebook. Messaged him and explained to him. He wouldn't act. He said he intentionally gave a random number since he didn't want to be bothered by their phone calls and asked me to "deal with it".

Finding no other option, I used Tata sky IVRS service calling from my mobile number(linked to his account) to subscribe to a bunch of expensive channels, totalling the monthly subscription fee to 10x of what his usual fee was.

He reached out to me requesting that he be allowed to take control of his account, as he is unable to change the phone number linked to the account, without an OTP (one time password) received on the existing number (which was my number).

Did take some sweet revenge by not responding to his request for a while, but eventually gave him the OTP after a week.

They didn't verify the phone number when he signed up (with a simple OTP)? Wow
A bunch of people use my email address for signing up to all sorts of websites (I have a common name, and my email is basically my name @ popular email provider). It is annoying to receive all this spam (usually I can unsubscribe), but the worst ones are people using my email for their bank accounts.

So now I get multiple password-protected monthly statements every month, and there is no way to unsubscribe since it's a bank statement. And the email subject doesn't have the full account number, and the email is from a no-reply address. Contacting the bank has been useless even when I found a way to do so. The most annoying one is from a bank where I have an account of my own (they used a capitalized version of my email address, which the bank thinks is a separate email), and so I can't block them all emails from this bank either.

The one fun time was when someone (in Asia) would frequently place food delivery orders using my email, and this service would send multiple emails for each order. Frustrated, I canceled their order once directly from the email, after which this particular problem stopped.

I have a 3 letter Gmail account. This is all I get.
Try switching to an email service that supports custom Sieve scripts, which you can use to permanently reject messages based on variables you configure.

These are handled differently than message user agent filtering. Incoming messages are immediately rejected and the sending server is notified.

It's much easier than trying to contact some company that doesn't bother validating email addresses. You already know they are technically deficient so just bounce everything. Problem's at their end, let them work it out.

Fastmail do this, as do a few other hosted email providers. Highly recommended. I also use Sieve filters to reject attachment types beyond the default set, such as Microsoft Office files (.docx, .doc, etc.).

Here's some documentation to get started. No affiliation, just a happy customer. https://www.fastmail.help/hc/en-us/articles/1500000280481-Si...

> Finding no other option, I used Tata sky IVRS service calling from my mobile number(linked to his account) to subscribe to a bunch of expensive channels, totalling the monthly subscription fee to 10x of what his usual fee was.

This is, presumably, a crime.

This was my conversation with a guy last night whose phone number I now own. I guess he let his mobile plan expire or something. I can log into a bunch of his accounts around the Web because the OTPs come to me. I found him on Facebook because I have all the details of his life, but I couldn't get any reply. So last night I logged into his account on TikTok and followed my own account so we could message each other:

https://kingcharles.one/all-your-phones-belong-to-us.jpg

Yup, had that problem with an airline. To avoid spam, I was using the + modifier — <normal-address>+<airline-name>@gmail.com — the booking form accepted it, the ticket-sending system and the account login system, didn’t.
For the past year, every weekday at noon I receive an onslaught on calls for people trying to reach Humana. These are usually elderly people that report that my phone number came up on their caller ID. I have had my number for 20 years. I tried to Google my number to see if something popped up on Humana’s site but nothing. I don’t have an explanation or resolution for this behavior so I just prepare to ignore all calls starting at noon for the next hour.
This has started happening to me also. Someone in my area of the country who has my same name accidentally put my email address on their registrations.

These companies aren't verifying that the email was entered correctly.

So I continue to get notices about what this person is doing even though I've reached out to the companies and this person to try to notify them of the error.

A very stupid pattern I've come across recently is Best Buy sending me an email with the subject "Password reset didn't work" and a body of:

> You may need to create an account.

> We received a request to reset your password on BestBuy.com.

> However, we don't have an account associated with this email address. You can try to sign in with a different email address.

> You can also create a new account using any email you choose.

> Happy Shopping!

My guess is that it's a bad actor doing something like password stuffing to try see if my email address has an account there that they can try compromise. It's also possible someone thinks my email address is their email address, I doubt it though because in the 16 years I've had the Gmail address I've never received an email intended for someone else.

Regardless, I've never lived in a country in which Best Buy operates, but some "genius" at Best Buy thought it would be a brilliant idea to email people who they know don't have an account with them, because there is no way anyone would ever try reset a password for an account on an email address which they don't actually have access to.

After getting these annoying emails a few times I landed up making a Gmail rule to always report them as spam, then delete them.

> there is no way anyone would ever try reset a password for an account on an email address which they don't actually have access to.

I think you overestimate your less computer savvy fellow humans :) Also it could be phishing?

I once got a series of password reset emails, and 6 of the 7 were genuine. The 7th was an obvious phishing attempt that seemed more genuine given that the first 6 were genuine. Had I clicked on the 'report phishing attempt' on the last email, it would have been game over.
This doesn't seem stupid at all.

BestBuy is considering two different scenarios and trying to handle both:

BestBuy is avoiding leaking account status on their password reset page. This is done precisely so that people who don't have access to the email account can't figure out where you have accounts registered. This is a pretty standard approach.

BestBuy is providing visibility to people who can't remember if they have accounts or which email they signed up with. Simply trying to reset your password and never getting an email leaves you in a situation where you are unsure if you waited long enough, missed the email, the business is having deliverability issues, or if you have an account. Having worked with businesses around reports of password reset email deliverability issues, it makes complete sense to me.

This all seems like a perfectly reasonable approach.

It's very normal for password reset pages to say something to the effect of "if this email address is registered with us, you will receive an email..." and they can could also add something like "you can also try create an account here".

Instead they opted for the option where every time a "hacker" is trying to use the form to compromise an account, it spams the victim with this email. As most of the world is not North America, it is statistically most likely that the email recipient is someone who's most assuredly never going to be a Best Buy customer.

I still see no problem with this implementation. If someone is trying to compromise or even locate accounts tied to your email, wouldn't you want to know?
> If someone is trying to compromise or even locate accounts tied to your email, wouldn't you want to know?

What course of action could be taken when you get an email like this indicating a "hacker" is trying their luck to see if your email address has an account on BestBuy.com even though you don't have an account there (and probably never will)?

I've had my email address for 16 years, lots of "hackers" are aware of it due to account list leaks from various services I have used over that time and there is an entire industry which tries to compromise accounts from these lists.

If I got notified of every automated script's failed attempt to do something malicious involving my email address, I would probably get several notifications a week, possibly per day, all of which are probably unactionable.

So to answer your question, no, I most definitely wouldn't want to know about someone trying see if my email address was used for an account on some random website I'll never use.

On the the other hand, if a password of mine was being used by a "hacker", that I would want to know about.

> I never received any further emails because the user probably never recharged his internet subscription.

> This wasn’t even a spam email!

I disagree, if it's not intended for you, then it's spam. Marking these emails as spam might affect the company's delivery rates and get them to actually fix the broken process that allowed this to happen.

I have a very short gmail email address which I’ve noticed intersects with several common names. I had not idea how rampant this issue is. I get a woman’s Victoria Secret orders and address, school progress reports for a child that is not mine, worship team updates for a Mormon church, a Snapchat account, vet updates, German emails I don’t even know how to read, and many more unusual emails for people who aren’t me. What’s worse is for group emails (e.g worship emails) I try to reply all and inform them of the mistake and only get more emails for the wrong person.
Every time I get a second message after my “wrong number” text I lose a little more faith in humanity. I regularly get voicemails and calls on my Google Voice number and people reply with stuff like “oh then tell him blah blah”.. sigh
But you don't get my south american security policies think-tank reports :) that really topped my own list of weird mailings, almost worth learning a better Spanish.
It not just emails where this happens. Some idiot has been giving out my work mobile number as his own. I got a call from his aunt to wish him happy birthday (she was incredulous when I explained that no, this isn't X's phone, and I don't know x). I get random texts from I assume his friends, and calls from collection agencies.
> “No company provides the email verification service”

Sounds like a really nice startup idea.

I have a very common name, and was lucky(?) enough to have gotten a gmail account with it back in the days you had to have an invite from a Google employee to get a gmail account.

I get misdirected emails like this at least multiple times a week.

The Stupid Pattern I encounter most is getting e-mail about some account, with a link in it to some completely-other domain that looks most like a phishing site.

Often these e-mails are not actual phishing attempts, they are just things made by absolutely phenomenally clueless hacks.

So there is this company that does e-mail list services called mailchimp. Apparently, by default all e-mail from their customers comes with links to a site something like "mandrill.com".

If mailchimp is that clueless about security, do you really want to let them manage your password login setups?

There is a stock-market accounts company, Carta, that uses mailchimp.

Do you really want your stock market holdings managed by a company clueless enough to let someone as clueless as mailchimp to manage their password login setup?

I too have a 'common' email with my first name at common email provider.

The most surprising offenders I've gotten were discord and spotify! Both of which were easy enough to resolve (I just requested the accounts be deleted, and then re-created for my own use).