It's like the google 2FA where you can accept the login on ANY android device where you are logged in.
and you can't disable the feature and the only way to remove the option from a device is to logout your account on the device...
I have an tabled and an phone which is used by other people in my family and I definitely don't want the 2FA requests on these devices...
Yeah - and what is crazy is when you think about it - Microsoft generates a 6 digit code.
So it is a "one in a million" to randomly guess what the code is on any given login.
But it is "one in a million" for each Microsoft account you know about - and if they have millions of email addresses, and automate it each day (I also get attempts 1-2 times per day).
Yes - the odds are small - but there is a greater than 0% chance someone can randomly get into your Microsoft account - and there is no way to stop it - even with 2FA etc - this bypasses all of that!!!
I'm a little confused. Does the code get generated on any attempt to log in, or only those that have the password and MFA is activated? Or when someone attempts password recovery?
Because I'm a bit concerned if Microsoft passwords are leaking.
When attempting to login to your Microsoft account, instead of typing your password you can do an optional "one time password" generation thing from Microsoft. So instead of typing your password +2FA - they email you a 6 digit "one time password" that you can use instead.
You cant disable this.
So all Microsoft accounts could have a daily 1 in 1 million chance of been overtaken.
Odds are low - but if you then spam this across thousands of attempts per day - they would statisically "get lucky" from time to time...
One would think Microsoft wouldn't be stupid enough to provide endless amounts of one time codes for a single account. I would guess they provide 5-10 codes before escalating the login.
Have you got an exchange email or Teams set up on a mobile device? These will generate 2FA requests (but not make any kind of notification on the device).
I thought this was the Passwordless account they implemented (EDIT: didn't realize you weren't talking about the Authenticator app), but I had it turned off. I somehow managed to make it stop by re-enabling/re-disabling both Passwordless and 2FA. So now they always ask me for a password and then I get the challenge.
To this day, I can't comprehend how this is supposed to be safe. So someone can just type in my username and wait until i eventually misclick in the Authenticator app? If it was from a browser I have used before at least, but I was getting these challenges from around the globe.
I would believe it. I recently logged out of facebook on each device and took a month long timeout. After a couple of weeks, I started getting facebook email notifications of things they figured I'd want to see. With the impossible to remove/hide facebook reels nonsense they force on users, I'm about to take a much longer facebook timeout.
My assumption is that it is engagement juicing. These seem to go out to seldom/casual users a lot of the time, and people respond by logging in and checking things out. Easy way to pump the MAUs
It's not that they don't have enough, it's that they try to always get more. If they no longer have anything to engage you with as you turned it all off, you will get a notification for some random post "we thought this might be interesting to you". And even if you always manually disable all possible options related to this particular notification, they will always find a way to nag you more.
Yeah, this is not far fetched as I noticed this only on an account I haven't been using for a long time, and in the past FB engaged in a ton of scummy tactics to force me to log in again.
I think the better question is why facebook sends mails from facebookmail.com and metamail.com? Any sensible person would expect those to be scams, but they are real.
If you ask a Meta employee this you’ll no doubt get some internal structural / political justification, and they’ll say it to you with a straight face.
Let’s also all think back to 2011 or so when Facebook thought it’d be a good idea to try to vacuum up all its users’ emails by giving us all @facebook.com email addresses, buying fb.com in the process. As I recall they killed it after a couple few years.
Common tactic to make sure that delivery of notifications is isolated in reputation from the main domains. That way, if notifications are be reported as spam and thus land in a number of distributed blacklists, at least corporate communication still works.
Why don't they use a more obscure domain for internal corporate communication and keep the widely recognized one for messages to end users? Is it just the vanity that people who work there like to be mark.zuckerberg@facebook.com?
Why does any company needs more than one 2nd level domain?
Microsoft, I'm looking at you (https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...). It nerve-wrecking trying to figure out if some login box or link is legit. They claim to be transitioning to cloud.microsoft, but if you go there, you are redirected to yet another new domain (microsoft365.com) which looks like a scam site, which doesn't render properly in Firefox.
Domains used for bulk outbound email are typically separated from the normal corporate email domain to prevent employee emails getting blocked at customer mail gateways by anti-spam heuristics. Practically every large org gets burnt by this once, learns their lesson, and then splits their domains.
Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.
> Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.
You are off by orders of magnitude there on that number.
> Why does any company needs more than one 2nd level domain?
Re: the first part of your comment, the most common reason I've seen is companies using 2nd domains to send emails that are at higher risk of bouncing or being marked spam (newsletters, cold outreach, etc). And using your primary domain to send "more important" emails from.
I’ve accumulated, what, 3 Facebook accounts over the years? Many mornings I wake up to see that recovery codes have been requested for all of them, at a similar time. Surely this is enough of a signal to act on!? It really speaks to the fact that Meta really just doesn’t give a rats.
I mean a single attempt is always possible, even a number of attempts. But consistent attempts affecting what is probably millions of users over the span of years is a Facebook problem, clearly any measures they have to avoid repeated login attempts aren't working.
Happened the other way to me once. When I made my Gmail account I had a . in it. Emails sent from me go from this email address.
My Facebook email for ages was my school email (as is tradition, right?) and one day someone registered as my actual email around the time I was doing a bunch of address consolidation because my school was moving all historical accounts to a separate subdomain.
I clicked to confirm foolishly (should not have done that) and it became associated with someone else's Facebook account.
Facebook has a process for this. You request an email to your address and it sends you one and you reply and it removes the email from the other guy.
Well, I did that except he set it without the '.' and when I replied from mine it wouldn't accept it. I tried again as it was and only realized after three tries what the problem was. Facebook's difference in verification processes (click to confirm / reply to dissociate) meant that I was not doing the right thing.
Repeating the action means I looked like a fraudster so that must have been why even though I added the dot version as an email to send as it would no longer accept me.
To make matters worse, I decided I'd just fix it by resetting my password and logging in and removing my email.
Well, I succeeded in the password reset but Facebook protects you here by requiring friends to verify it's you. Well, I didn't know his friends so I just let it go: he could no longer log in except via phone number (I hope, or he was locked out) and I couldn't associate my email correctly.
Maybe unrelated, but I think some people do this to check (at least partially) what email is tied to an account. E.g. if you suspect an anonymous instagram user to be your friend Bob, you can invoke the reset email procedure to see
Well.. I have a theory. Maybe the threat actors are sending the recovery email with the hopes that the target does not engage. Then, the threat actor can indicate that they "no longer have access to this email address" to force recovery to an alternate address. Then, perhaps they have gained access to some people's old alternate email addresses either through credential stuffing or recreating deleted email accounts. If so, the TA can finish the reset and take over the account.
Best practice would be to display this message no matter whether the email address is correct or not, to avoid leaking information. Many sites do this.
Ah, sorry, I see now, but the underlying point is the same. You should not reveal any information. A "We have sent an email to the address associated with the account" would be sufficient.
Not if you have multiple email accounts. Many times these codes reset in just a few minutes, you should try to avoid forcing users to spend time logging into every single email they can remember just to wait for an email to pop into one of them. You can show a few characters of an email or the first character of the domain to give a lot of info out in relative safety.
Everything is about tradeoffs, and the only objectively wrong answer is this dogmatic "never do $X" nonsense.
The amount of disclosed information, and it's utility, is non-zero, but simply weighs less than the amount of damage from not hinting which account to check.
Accounts can grow to be 20 years old and even a "normal" person who is not actively using lots of addresses for security, will still end up having used several in the fullness of time and completely forgotten about some, yet, may still have or can regain access to them if only they knew to go look.
You don't see how that can happen or really be a problem? Oh well, consider yourself informed that it does happen and is a problem.
The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.
on the systems where i had to do this for my account i usually get a message like: "an email has been sent to the address registered with this account"
I have many email addresses. I don't necessarily know which email address is associated with my account. Therefore, the user benefits from knowing which email inbox they should check.
That said, it could be that the security risk outweighs that convenience.
The benefit is that people often don't remember which email they used for a service. They check their "main" email inbox but don't remember that they used their student email address 8 years ago when they signed up. By providing a hint they know which inbox to check and don't get frustrated because the email isn't coming.
So it is a privacy tradeoff for better UX. If it is a good tradeoff will depend on how much you value each.
That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info if they even have an account or are trying to use the correct email address.
I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.
> If account exists, you cannot make another with that email on most sites.
Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
Folks in the thread noted that the recovery code sent was the same each time, which leads me to think it might have been a phishing attack. Send email that looks like FB recovery, but have the links go to some domain you own and snarf up creds, including MFA etc.
Not in my case; I've had two password reset emails in the past 3 days (having had none since February) and both have gone simultaneously to the different email addresses I have on the account, with different codes on all the emails (even the ones sent at the same time), and the click-through URL is certainly on the legit Facebook domain.
I actually lost my Instagram account because, I believe, it filled in my email field with a dummy one, user@example.com and then when I had to do verification, I could never recover the account. I believe it was in the very early days of Instagram although it's possible there was user error on my part in this case.
It is too bad because for symmetry I used the same use name in a number of places (not the one I have here).
I lost a yahoo account because I put in incorrect information (I claimed to be 99 year old female or some such thing) and then forgot the password. I never really did anything with my yahoo account though, so it doesn't matter other than I couldn't unsubscribe to some mailing list.
Lost my Yahoo account because it forwarded mail to another account and so I never logged in to it. Then Yahoo deleted it for inactivity ... No warning issued, just gone one day. So now I'm locked out of my YouTube account because it wants to send a verification code to the Yahoo address.
A variant I've seen was "We've sent you a recovery code to your email at gmail.com". I think it's useful for login name based authentication, since people will have multiple email addresses and may forget which one they used for that account.
(we have a 15 year old who's made at least four, probably more different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/lastname)
It’s a satiation attack (my term). The hope is you’ll get so frustrated at the frequency of the emails that you’ll eventually just press yes or ok or whatever it is that allows the reset.
This is how I'm going to describe that attack where you get a zillion authenticator push notifications because Microsoft has designed the damn thing to authenticate you to them but not them to you. Like, how freaking difficult would it be to put a transaction code in there like Apple so that you can match the notification on your phone with the session you're starting on some other device or service?!
I thought they already have that? When trying to sign in to a Microsoft service it displays a number which I have to type in to the Microsoft Authenticator before I am able to confirm the sign in attempt.
You only get the push notification, no session binding, when using Microsoft Authenticator in other scenarios. That's if you get the push notification. It's variable in my experience. (I use it as a backup MFA method when I don't have my badge reader handy.)
It shows you a code when the initiator is an unfamiliar device, but doesn't show you the code when the initiator is a familiar device. You can reproduce this fairly easily - open a private tab and try to login - you'll see the code in your app. Then logout and login again without closing the tab - you won't see the code.
Which actually makes sense, if not well-explained to users.
I just wish Microsoft would let me use any other authenticator app instead of their garbage one. So now I've got one from Google with 99% of my accounts on it, one for Microsoft for one of 4 MS accounts, and one for the USG for IRS/etc. Waste of space and poorly-duplicated functionality.
The funny thing is I have other MS accounts in my Google authenticator, but for one of my accounts specifically (maybe because it's the only one with Azure spend every month?) even though I have it in Google, I kept getting told on login I needed to set up MS Authenticator or SMS - no options for a different Auth app.
I'd attribute this to MS flakiness, or possibly AD policies. I've got work MS accounts, each connected to a multi-million dollar azure account, and each connected to a non-MS authenticator.
They will just wait for you to get used to this, then stop triggering Facebook to send you legitimate emails and start sending you similarly-looking phishing emails similarly often. It may happen to be enough to view a phishing email, let alone click anything in it to get pwned.
Very questionable. Some people will come to completely ingoring them (which isn't good either), some will click anything out of being too annoyed. Whatever, people can be manipulated into doing some statistically predictable actions with decreased awareness this way and this is a vulnerability.
What if they send you dozens of these, then one that actually looks legitimate, saying something like "We have detected 24 login attempts to your account in the past 30 days coming from this location, click here to see additional details and / or improve your account security", containing a phisher's login form.
Because of the username. Many people forget their own username, for example: my username is pineapple and someone else's is pineapple2. And they end up using their username to recover their password. If your username is a common namesake, word or homonym, this makes the situation worse.
I have a friend with a firstname.lastname@gmail.com account.
Someone out there apparently doesn’t realize that address doesn’t belong to them, because for 10 years he has been getting signup confirmations, appointment reminders, and very personal correspondence meant for the confused individual.
Over the years I have and continue to receive emails destined for other people. After years of trying to help people realize the errors of their ways (sometimes you just can't find the destined people).
Some of my favourites are the tax information (and other common business related correspondence) on their Disney songwriting royalties (I make more before my first coffee break than they do all year on streaming revenue, but they've got a fair number of songs), there is also a bank account tied it in Peru (CFO doesn't care but I'm not locking her out - I do have some compassion.. not much but it's there), but OTOH I've permanently locked people out of their brand new iPhones because they all choose to use my email address, or the person on the other end types it in wrong for them. I also think people don't read what their browser saves and later populates for them.
People will also just randomly give out fake addresses (that are real) when signing up to just to get a discount.
It's a single word that was popularized through pop culture years after I created it, and one letter away from being a traditional western name (and also one character toggled from a popular Hispanic one).
Also a very wealthy PTA mom in Mountain View uses my email address all the time. Our children are doing very well.
Sites should always confirm an address by having you authenticate a link before permanently using it in perpetuity. It would stop a lot of bad actions.
I mark as spam all emails coming from companies that don't have a link to remove the email from the account that triggered it because someone added it by mistake or maliciously.
Another theory is they have an efficient way and or bypass facebook ratelimit to bruteforce reset victim's password token ... regardless, i would make sure 2fa is enabled for extra precaution... or maybe just take a break from facebook :)
I suspect someone might have noticed a flaw and is trying to take advantage of it. I've seen two reset emails this past week - one on Sunday and one on Tuesday, and they both had the same recovery code. Others in the Reddit thread noticed the same thing, so it's possible that someone is trying to exploit this some way.
Noticed this as well. You can report the attempt to fb with a link in the e-mail and then the next recovery code is different. However, I hope they have some brute-force protection in place for the codes.
I have an alias that is a vaguely common name, which is firstname.lastname@gmail.com
Once a year or so somebody tries to get into that gmail or associated social media account with a bunch of password-reset emails. I'm pretty sure it's someone with a similar name who is slightly misspelling their email, messing up the dot (gmail ignores dots but other systems don't), etc.
The ones that get me are the recovery login emails for services I never used. Some of them might be shotgun phishing attempts but some look like they actually were allowed to sign up without ever verifying their email.
Several years ago I was getting multiple password reset attempts per day from my bank because I picked an easy username to remember 20 years ago. Luckily my bank allowed me to change my user name so I used my password manager to generate a password and used that as my username.
One trick I've applied with a wordpress environment is to change the default 'admin' password to something longer / more complicated, change the default location of the admin panel to something else (only works if the admin environment is set up for that), and change the default SSH port. This already defeats 99% of 'low hanging fruit' attempted login attempts.
I had a six character username at Fidelity. Every few weeks I'd get a few password reset emails (or something similar, it was a while ago) and my account would get locked. It was a real pain to deal with but I didn't have a choice, such is the suck of a 401k.
Eventually I went with a much longer username and the problem went away.
I don't know if this is related (probably not), but fun fact: Fidelity lets you log in to your account over the phone using numbers[0] -- one per character. Yep, passwords too.
> Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:
> To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3
> To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3
My 6 letter username mapped to numbers that corresponded to up to 4^6 accounts. That's really bad but not nearly as bad as what they're doing to passwords.
The longer username is both worse and better. Worse because it matches way way more possible accounts and better because (I presume) it matches fewer actual accounts so it gets fewer failed attempts. That's my guess, anyway.
Edit: it is possible that they only allow one account per "folded" username. That increasing the username length resolved the problem immediately suggests otherwise, but like I said, I dunno. I have no insight into their systems.
I was early enough to get my first name on Twitter and didn't, but did get it on Instagram.
The @tommy on Twitter was a dev at Gameloft who gets constantly harassed in his mentions to give it up. I had a similar problem on Instagram. I've mostly stopped using it, but when I did post and had an open profile I constantly got comments offering money for my username.
Eventually someone set up a follower bot on my account and I was getting hundreds of new followers a day. I made my profile private and don't post anymore, but it's still hundreds of new follower requests per day.
I'm close with someone whose FB account was compromised due to a shared password, and then didn't see the 'an email has been added/removed from your account' emails until after the revert link expired a few weeks later.
The recovery process is totally broken for them now. We eventually managed to revert back to the original email address by visiting facebook.com/hacked (not without the help of a weird youtube video to make sure we were selecting the right options, though), and we lost a ton of time on a weird issue where emails or recovery options were deeplinking to the app, which was opening but didn't know what to show us. After deleting the app, we managed to start generating 2-factor email codes, but the same prompts that generate them don't accept them. And the 'send in an ID to verify your identity' feature just doesn't load at all. I'm chipping away at it when I see them, but I give recovery a low probability of success.
Understandable that this is probably not very fair to those who can't afford it, but I wish there was a 'pay $100 to speak with a rep who can fix this now' feature.
My sister had her Facebook account taken over by a bot of some sort some years ago. It was odd – they changed her profile photo over time, so at first it was just the regular profile photo, then it was the regular profile photo with a little bit of a different profile photo sort of creeping in on top of it, like if they had pasted the new one into a photoshop layer. Over a few weeks the new profile photo crept up until it was the only one, and then it became a sort of "call me for hot fun" spam account.
I assume they were sidestepping some sort of detection algorithm, but it happened during a time when she was losing her mind in real life so it was a strange kind of metaphor.
I'm afraid this won't help. My closed FB account hits all three of these (unguessable local part, obscure domain, no other attached metadata) and I still get these reset emails. Seems like there's been an account-data leak.
Every week or so they lock my account due to "suspicious activity" even though I haven't used my account.
I have all the security features and such turned on like MFA and a strong password (that I have to change like every week after every time my account gets locked).
There is no useful info in the security logs. I have no idea what to do to stop this from happening.
I used to use an e-mail address a terrific domain name that I own. Without publicly disclosing specifics, it was like this:
<common_name>@<common_name>.com
Thousands of people with this name, who didn't want to give out their real e-mail address, used this e-mail address when signing up for things online. They probably never thought it would be someone's actual address. I finally had to quit using it because of the tremendous amount of e-mail that wasn't directed at me. Most of it looked legit enough to the spam filters to allow through.
I temporarily turned that account on about 5 years ago and it was getting about 3,000 garbage messages per day.
I thought having a cool e-mail address would be great, but not any more. I switched to an address that, while easy to say and tell people, it's very unusual and it's very unlikely someone else would ever come up with it.
I took was an early adopter of gmail and I imagine a person could guess what my email address is, especially if I said I keep forgetting my HN passwords.
Misplaced periods give me all sorts of other people's emails - new cars, new mortgages, new bank accounts, new home purchases that are not in my name or identity (based on the names I understand the confusion) - all sorts of things that I'm not doing IRL. Sometimes I try to reach out to the sender and get them to correct the email address, sometimes I just unsubscribe
Same, I get a lot of sensitive correspondence, things like divorce settlements from lawyers, mortgage applications, correspondence with doctors with a lot of personal details (that the person cc’ed me on), airline reservations, etc.
Usually I’ll reply to the sender and tell them they have the wrong email address, some don’t believe me, sometimes they ask me if I know the person (out of a billion gmail users), some complain that I took to long to tell them about the wrong address, and sometimes a lawyer will direct me to delete all copies of the errant email…
I always reply back to tell them that the email lands on multiple devices and is downloaded and backed up automatically and to see if they want to pay me on a time and materials basis or if they want a project based fee. None have been willing to pay me to cleanup their mistake.
Way back when I signed up with gmail, I was happy to get a first-initial.lastname@gmail.com address, now I wish I’d gone with something more obscure.
Same situation here! My HN Username @gmail and my last name is a very common last name in India.
I’ve received people’s tax returns (including their SSN), airline tickets and hotel reservations, matrimonial proposals, photographs, etc.
I often used to email back and let people know about the mistake, but rarely do it now unless there is sensitive/urgent information.
To deal with some of the repeated unwanted emails, I have rules created to label those emails with a specific label. I use Google scripts to auto-delete all emails from that label which are older than 365 days. It cleans up repeated transaction emails from Indian banks/credit cards, newsletters, etc. but also gives me a year to retrieve the email if it was actually meant for me.
I get the same with <common_name>@outlook.com ; managed to sign up right as the service was launched and thought I scored :)
After a couple of years gave up on that address as it was getting dozens of messages a day (a lot of them legit email, sent to the wrong address - including bank statements, shipping orders, etc.)
firstname.lastname@gmail.com can have similar problems. Somehow people miscommunicate or misremember their email address and I get a lot of misdirected messages.
I have firstinitiallastname@gmail.com and I get a lot of stuff meant for other people. Someone even used it to sign up for their bank, and said bank apparently didn't require verifying the email address. I don't even have that common of a name.
I'm in the firstname.lastname@gmail.com club too (common first name and very common surname) and I receive so many mistaken emails that I like to collate them to guess which homonyms are the same person.
I often see repeated attempts to create accounts without reconsidering the email address, and sometimes they succeed (I received repeated invoices for Sky and for an insurance, not to mention occasional ones).
Same thing here. The worst part is when websites don't actually require an email confirmation to keep using them. In the beginning I've tried to reach out to those companies to close the accounts without accessing them but by now I've started just resetting the password and then deleting them. It's just too difficult to do the right thing.
Welcome to the club. My gmail address is lastname.firstname@gmail.com and I keep receiving occasional emails for firstname.lastname@gmail.com who is actually some kind of a senior manager in one of the major TV stations. It works the other way around as well (he receives my emails - extremely rarely, but still). We simply agreed to forward them to the right person and delete afterwards so there is no issue per se, but it's still kind of funny.
Also, my daughter has firstname.lastname@gmail.com and there is another lady with the address firstnname.lastname@gmail.com (yes, a typo in her first name, duplicating one of the letters) and of course she keep receiving her emails and vice versa. Same solution - they mutually agreed to forward messages to the right person and delete them afterwards.
While not entirely on topic, I am implying that the person who is getting the unremitting password reset requests may have an e-mail address with a similar problem.
My <common-name>@<common-name>.com address gets incessant password reset requests for every major online site in existence. (I should have been clearer about this; sorry.)
I am suggesting that, by having strange or very unique e-mail address, you can fairly effectively mitigate this phenomenon.
Way back when, I got a Yahoo email like <HN_username>@yahoo.com. My last name isn’t unique, but it’s not exactly Smith. It’s amazing how many other people have mistyped it. To this day, I still get emails meant for other people.
I keep that old account for 2 purposes:
1. It amuses me. I log in and clear it out once a year or so.
2. At various times I’ve had coworkers who didn’t believe it was common for people to enter someone else’s email address when registering for a sensitive system. When that happens, I’ve taken them to my old Yahoo webmail. Oh look, another kstrauser’s loan paperwork!
I can only imagine what that’d be like if it were at Gmail and not Yahoo.
Mine is temporal at gmail. "Temporal" was my teenage gamer tag which I mostly stopped using decades ago, but it's been my gmail address for almost 20 years and changing it is not easy.
The problem is, "temporal" happens to mean "temporary" in Spanish. As soon as Gmail became popular in the Spanish-speaking world, people started using it as a placeholder address.
* Lots of people use it when creating throw-away accounts.
* Sometimes companies use it as a placeholder when they don't know a customer's address. Multiple telecom companies in various countries have done this to me, sometimes populating hundreds of customers' accounts with my email address, such that I receive all of their phone bills, sometimes even with detailed call logs.
* All kinds of students register for university classes using my address resulting in me getting tons of emails from professors. In many cases I could go drop their classes for them if I were evil enough.
* Once a Colombian school gave my address admin access on their school-wide Zoom organization. The really annoying part about this is that Zoom didn't give me any way in the UI to leave the organization, so my account was attached to this school until I complained on Twitter and someone silently fixed it.
* For the last couple months, someone has been scraping Shopify-backed web shops, entering my email address when prompted, putting things in their cart, and then abandoning it, such that I receive an email saying "Hey you left this thing in your cart! Do you still want to buy it?" The emails are always in Spanish, of course. I receive them from like 50 different web sites every day. (Luckily I was able to create a filter for certain Spanish words...)
None of this stuff gets filtered as spam because it does not look like spam to gmail's filters. I have learned it's more productive to block addresses than to mark spam, but this annoyingly takes four clicks per email. I have begged Google to give me a way to filter by language but of course no one is listening.
I know, I know, I need to change my email address and probably get off Gmail altogether. It's difficult because I have 20 years of history built around this address.
Nah, I don't think saying my address publicly has any effect. AFAICT none of the problem comes from people who are actually aware that the address has an owner.
I’ve had a gmail account since their first beta. Switching to another provider (Fastmail) took about an hour to run through so my accounts and swap emails out. There was one or two that didn’t allow changing emails (steam is one) but other than that it was much easier then I assumed.
I still check the gmail account ever so often and it still receives spam. My Fastmail account is perfect even after a year.
There's an idiot sharing my first & last name who never remembers to put his middle initial in his email address, and as a result I see he's an alcoholic, has financial trouble, keeps applying for artist grants, has a social sciences degree of some sort, is involved in local politics, and so on.
I could also choose to pwn his online betting, games, dating, and porn accounts any moment I want. I may or may not have changed his gender preferences on a dating site...
How? If his email is something like johnWsmith@gmail.com and he's accidentally entering johnsmith@gmail.com (you), how is he ever able to register? If he's sending password reset requests to the wrong address (yours) - wouldn't every site in existence realize that's not the registered account and the email would never end up in your inbox?
He has john.w.smith and is repeatedly typing in john.smith, and also hands it out to humans who then want to contact me about his things.
Apparently for many sites, user retention & money are more important than verifying an email address up front. He visits the scummiest betting and dating sites, so I'm not very surprised.
I'm getting similar behavior from another user with the same pattern.
I also get their college results, government assistance, a payday loan company, pinterest and subscriptions to newsletters sent to me for them.
Ive mailed them directly, multiple times but they dont seem to care. I'm now returning the favor, signing them up for all the crappy sites when i need a throwaway.
A surprisingly large number of sites will let you register without requiring an email verification.
I continually get a lot of emails, sometimes with private information to first name.lastname@gmail.com where people with my same name just use that without caring that it is not their email address. You probably aren't getting that job offer and you probably aren't getting that bank load approved without being able to see the emails.
For a while I tried to notify the senders but they rarely reacted or even provided a way to contact them. Now I worry about it becoming a scam vector so I just delete them.
Once you leave sites actually created by tech companies many sites don't actually verify that you own an address you just input anything you please that looks like a valid email. The extra step as it were isn't included in all online tutorials on "how to manage implement login".
To deepen the problem gmail actually ignores periods in email so even if johnsmith@gmail.com already exists its possible create accounts for both john.smith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com because although google will absolutely treat those 3 as the same thing and route all messages to any of the above to our first fellow randombob.com treats those as 3 unique email addresses.
This was actually exploited by the fellows that robbed Washington states unemployment system during the pandemic applying for unemployment for folks that didn't need it including humiliatingly enough actual workers who worked for the washington state employment security division. To make their robbery more ergonomic multiple fraudulent accounts were set up with email addresses that differed only by periods. In this instance it only worked of course because they were indeed able to verify their email accounts.
In other instances for example myFico has weak protections on signing up. You can use ANYONE's email address to sign up but strong protections on actually accessing information. This means in effect if someone signs up as you as actually happened to my wife you will never be able to get them to stop spamming you with that persons personal information nor make the person stop giving out your email.
I wasted 15 minutes of my life trying to explain that the address given actually was my wife's email address. Bitched to their credit union/other institutions about the persons financial data being leaked, created a complaint with the FCC. YADA YADA nobody cares about properly implementing email verification or leaking people's financial information.
I've got one who keeps forgetting he's got numbers on the end of his email address. He's a sheriff in a southern state. Also an idiot.
What's doubly annoying is the US gov is pretty lax at things like unsubscribe links, so I keep getting notifications about his Medicare account that I can't unsubscribe from.
If you are bob@gmail.com or bob@yahoo.com, I am sorry about the decades worth of product offers, porn subscription offers, forum or blog reply notifications, etc.
I use bob@smith.com for any service that insists on an email address when they have no business doing so (eg public WiFi portals). I used to use bob@example.com to avoid spamming poor Bob but many services now disallow example.com as a domain.
I usually use marketin@domain-of-the-website.tld when a website insists on an email address to let me download something. I also curse at the marketing team, just in case.
My email is <first initial><last name>. I also have the same first initial as my father, sometimes I get email intended for him. Fortunately our last name is unusual so that's about the extent of it.
You don’t need a custom domain, a gmail address is enough.
I have surname.name@gmail.com and I routinely used to receive emails for surnamename@gmail.com, because of some moron at google that though it was a good idea to ignore dots.
I haven’t checked that gmail account in a while (gmail is just trash at this point, beyond salvage) but I might still be receiving this guy’s loans solicitation or his car insurance certificates. Who knows.
At least with email you can change your address. I once had a process server come to my door to serve a summons, it was my first and last name with a different middle initial. When I pointed that out to the process server, he said "close enough" and walked away.
I had never been served a summons before so I was worried about it, I called a lawyer and the lawyer said to just throw the summons in the trash.
Although apparently the guy with the same name as me was going bankrupt or something, his bad debts started showing up on my credit report and I had to mail the reporting agencies to take them off, went on for a few years.
I have a decently common first name and last name and was eventually able to snag the domain of my name (firstnameLastname.ca) and switched over most of various online accounts to use it.
I'm not a big Twitter user, and when I went to log in Twitter for the first time in probably a year or two, I forgot that it was still using my gmail account. I couldn't remember my password, so I did a password reset, received the email, and reset my password.
After looking around a bit, I realized this was not my account. It turned out the previous owner of firstnameLastname.ca also used firstname@firstnameLastname.ca
I ended up making a twitter post basically saying "Hello, I think I accidentally stole your account. If this used to be your account, email me.". A few weeks later I got an email from a fellow with the same name as me, who used to live in Canada but had moved back to England. I was able to change the email on the account and give him back access.
My Gmail account is the same way. I constantly get people using it as a throwaway email address for various dating sites, commerce sites, and porn sites. After enough annoying emails, I’ll typically change the account’s password or delete it if I can. (These sites usually aren’t the most reputable, so often times about the most I can do is change the password to lock them out.)
I don’t get why people do this. It’s not like it’s difficult to get a throwaway email account.
Security is the reason all my personal info on social media is lies. They take your account, and can now use it to unlock other accounts, like at your bank, etc.
245 comments
[ 2.9 ms ] story [ 229 ms ] threadI wish I could just disable that form of login, I have a very safe password so the login via email isn't necessary.
Microsoft doesn't show you login attempt IP addresses like Google does?
So it is a "one in a million" to randomly guess what the code is on any given login.
But it is "one in a million" for each Microsoft account you know about - and if they have millions of email addresses, and automate it each day (I also get attempts 1-2 times per day).
Yes - the odds are small - but there is a greater than 0% chance someone can randomly get into your Microsoft account - and there is no way to stop it - even with 2FA etc - this bypasses all of that!!!
Crazy...
Because I'm a bit concerned if Microsoft passwords are leaking.
You cant disable this.
So all Microsoft accounts could have a daily 1 in 1 million chance of been overtaken.
Odds are low - but if you then spam this across thousands of attempts per day - they would statisically "get lucky" from time to time...
I suppose that's a decent rate, but it feels like most Microsoft accounts will just have something like Office or Minecraft set up.
To this day, I can't comprehend how this is supposed to be safe. So someone can just type in my username and wait until i eventually misclick in the Authenticator app? If it was from a browser I have used before at least, but I was getting these challenges from around the globe.
It is strange that they appear to be able to avoid being blocked for bulk/frequent requests though. Seems like a big flaw.
a) did this intentionally to improve their KPI numbers
b) did this accidentally-ish but won't roll it back because it's making their team's KPIs look good and is playing dumb
Which is guaranteed to generate press articles.
https://www.facebook.com/help/1634546593478660
Let’s also all think back to 2011 or so when Facebook thought it’d be a good idea to try to vacuum up all its users’ emails by giving us all @facebook.com email addresses, buying fb.com in the process. As I recall they killed it after a couple few years.
Microsoft, I'm looking at you (https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...). It nerve-wrecking trying to figure out if some login box or link is legit. They claim to be transitioning to cloud.microsoft, but if you go there, you are redirected to yet another new domain (microsoft365.com) which looks like a scam site, which doesn't render properly in Firefox.
Why do we allow this?
Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.
You are off by orders of magnitude there on that number.
Re: the first part of your comment, the most common reason I've seen is companies using 2nd domains to send emails that are at higher risk of bouncing or being marked spam (newsletters, cold outreach, etc). And using your primary domain to send "more important" emails from.
My Facebook email for ages was my school email (as is tradition, right?) and one day someone registered as my actual email around the time I was doing a bunch of address consolidation because my school was moving all historical accounts to a separate subdomain.
I clicked to confirm foolishly (should not have done that) and it became associated with someone else's Facebook account.
Facebook has a process for this. You request an email to your address and it sends you one and you reply and it removes the email from the other guy.
Well, I did that except he set it without the '.' and when I replied from mine it wouldn't accept it. I tried again as it was and only realized after three tries what the problem was. Facebook's difference in verification processes (click to confirm / reply to dissociate) meant that I was not doing the right thing.
Repeating the action means I looked like a fraudster so that must have been why even though I added the dot version as an email to send as it would no longer accept me.
To make matters worse, I decided I'd just fix it by resetting my password and logging in and removing my email.
Well, I succeeded in the password reset but Facebook protects you here by requiring friends to verify it's you. Well, I didn't know his friends so I just let it go: he could no longer log in except via phone number (I hope, or he was locked out) and I couldn't associate my email correctly.
Then one random day I tried again and it worked.
Everything is about tradeoffs, and the only objectively wrong answer is this dogmatic "never do $X" nonsense.
The amount of disclosed information, and it's utility, is non-zero, but simply weighs less than the amount of damage from not hinting which account to check.
Accounts can grow to be 20 years old and even a "normal" person who is not actively using lots of addresses for security, will still end up having used several in the fullness of time and completely forgotten about some, yet, may still have or can regain access to them if only they knew to go look.
You don't see how that can happen or really be a problem? Oh well, consider yourself informed that it does happen and is a problem.
there is no benefit to reveal any details.
That said, it could be that the security risk outweighs that convenience.
So it is a privacy tradeoff for better UX. If it is a good tradeoff will depend on how much you value each.
Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
It is too bad because for symmetry I used the same use name in a number of places (not the one I have here).
Fuck this bullshit.
(we have a 15 year old who's made at least four, probably more different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/lastname)
It shows you a code when the initiator is an unfamiliar device, but doesn't show you the code when the initiator is a familiar device. You can reproduce this fairly easily - open a private tab and try to login - you'll see the code in your app. Then logout and login again without closing the tab - you won't see the code.
Which actually makes sense, if not well-explained to users.
My assumption is that they're just guessing over millions of accounts and are expect 1-2 to hit so they can take over those accounts.
Someone out there apparently doesn’t realize that address doesn’t belong to them, because for 10 years he has been getting signup confirmations, appointment reminders, and very personal correspondence meant for the confused individual.
Some of my favourites are the tax information (and other common business related correspondence) on their Disney songwriting royalties (I make more before my first coffee break than they do all year on streaming revenue, but they've got a fair number of songs), there is also a bank account tied it in Peru (CFO doesn't care but I'm not locking her out - I do have some compassion.. not much but it's there), but OTOH I've permanently locked people out of their brand new iPhones because they all choose to use my email address, or the person on the other end types it in wrong for them. I also think people don't read what their browser saves and later populates for them.
People will also just randomly give out fake addresses (that are real) when signing up to just to get a discount.
It's a single word that was popularized through pop culture years after I created it, and one letter away from being a traditional western name (and also one character toggled from a popular Hispanic one).
Also a very wealthy PTA mom in Mountain View uses my email address all the time. Our children are doing very well.
Sites should always confirm an address by having you authenticate a link before permanently using it in perpetuity. It would stop a lot of bad actions.
Once a year or so somebody tries to get into that gmail or associated social media account with a bunch of password-reset emails. I'm pretty sure it's someone with a similar name who is slightly misspelling their email, messing up the dot (gmail ignores dots but other systems don't), etc.
That's what 2FA is there for, but you still get the annoying e-mail notifications for attempted sign-ins.
Make sure to weigh the pros and cons when you pick your username on the internet.
A dedicated e-mail filter to limit the mental attrition might not be the worst idea.
Eventually I went with a much longer username and the problem went away.
I don't know if this is related (probably not), but fun fact: Fidelity lets you log in to your account over the phone using numbers[0] -- one per character. Yep, passwords too.
> Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:
> To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3
> To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3
My 6 letter username mapped to numbers that corresponded to up to 4^6 accounts. That's really bad but not nearly as bad as what they're doing to passwords.
The longer username is both worse and better. Worse because it matches way way more possible accounts and better because (I presume) it matches fewer actual accounts so it gets fewer failed attempts. That's my guess, anyway.
Edit: it is possible that they only allow one account per "folded" username. That increasing the username length resolved the problem immediately suggests otherwise, but like I said, I dunno. I have no insight into their systems.
0: https://www.fidelity.com/customer-service/faqs-managing-your... look for "telephone services"
The @tommy on Twitter was a dev at Gameloft who gets constantly harassed in his mentions to give it up. I had a similar problem on Instagram. I've mostly stopped using it, but when I did post and had an open profile I constantly got comments offering money for my username.
Eventually someone set up a follower bot on my account and I was getting hundreds of new followers a day. I made my profile private and don't post anymore, but it's still hundreds of new follower requests per day.
The recovery process is totally broken for them now. We eventually managed to revert back to the original email address by visiting facebook.com/hacked (not without the help of a weird youtube video to make sure we were selecting the right options, though), and we lost a ton of time on a weird issue where emails or recovery options were deeplinking to the app, which was opening but didn't know what to show us. After deleting the app, we managed to start generating 2-factor email codes, but the same prompts that generate them don't accept them. And the 'send in an ID to verify your identity' feature just doesn't load at all. I'm chipping away at it when I see them, but I give recovery a low probability of success.
Understandable that this is probably not very fair to those who can't afford it, but I wish there was a 'pay $100 to speak with a rep who can fix this now' feature.
I assume they were sidestepping some sort of detection algorithm, but it happened during a time when she was losing her mind in real life so it was a strange kind of metaphor.
- create an email address alias (random, unguessable)
- change your login to use that email address
- remove your phone number from Facebook
There are many ways to do this (plus addressing, apple hide my email, account aliases, etc.) Pick your own approach.
Every week or so they lock my account due to "suspicious activity" even though I haven't used my account.
I have all the security features and such turned on like MFA and a strong password (that I have to change like every week after every time my account gets locked).
There is no useful info in the security logs. I have no idea what to do to stop this from happening.
I think deleting the account would stop it :P
:p
<common_name>@<common_name>.com
Thousands of people with this name, who didn't want to give out their real e-mail address, used this e-mail address when signing up for things online. They probably never thought it would be someone's actual address. I finally had to quit using it because of the tremendous amount of e-mail that wasn't directed at me. Most of it looked legit enough to the spam filters to allow through.
I temporarily turned that account on about 5 years ago and it was getting about 3,000 garbage messages per day.
I thought having a cool e-mail address would be great, but not any more. I switched to an address that, while easy to say and tell people, it's very unusual and it's very unlikely someone else would ever come up with it.
Sometimes from the same person, there starbucks card seems to be linked to it for example. Annoying.
Misplaced periods give me all sorts of other people's emails - new cars, new mortgages, new bank accounts, new home purchases that are not in my name or identity (based on the names I understand the confusion) - all sorts of things that I'm not doing IRL. Sometimes I try to reach out to the sender and get them to correct the email address, sometimes I just unsubscribe
Usually I’ll reply to the sender and tell them they have the wrong email address, some don’t believe me, sometimes they ask me if I know the person (out of a billion gmail users), some complain that I took to long to tell them about the wrong address, and sometimes a lawyer will direct me to delete all copies of the errant email…
I always reply back to tell them that the email lands on multiple devices and is downloaded and backed up automatically and to see if they want to pay me on a time and materials basis or if they want a project based fee. None have been willing to pay me to cleanup their mistake.
Way back when I signed up with gmail, I was happy to get a first-initial.lastname@gmail.com address, now I wish I’d gone with something more obscure.
I’ve received people’s tax returns (including their SSN), airline tickets and hotel reservations, matrimonial proposals, photographs, etc.
I often used to email back and let people know about the mistake, but rarely do it now unless there is sensitive/urgent information.
To deal with some of the repeated unwanted emails, I have rules created to label those emails with a specific label. I use Google scripts to auto-delete all emails from that label which are older than 365 days. It cleans up repeated transaction emails from Indian banks/credit cards, newsletters, etc. but also gives me a year to retrieve the email if it was actually meant for me.
After a couple of years gave up on that address as it was getting dozens of messages a day (a lot of them legit email, sent to the wrong address - including bank statements, shipping orders, etc.)
I often see repeated attempts to create accounts without reconsidering the email address, and sometimes they succeed (I received repeated invoices for Sky and for an insurance, not to mention occasional ones).
Also, my daughter has firstname.lastname@gmail.com and there is another lady with the address firstnname.lastname@gmail.com (yes, a typo in her first name, duplicating one of the letters) and of course she keep receiving her emails and vice versa. Same solution - they mutually agreed to forward messages to the right person and delete them afterwards.
First world problems...
My <common-name>@<common-name>.com address gets incessant password reset requests for every major online site in existence. (I should have been clearer about this; sorry.)
I am suggesting that, by having strange or very unique e-mail address, you can fairly effectively mitigate this phenomenon.
I keep that old account for 2 purposes:
1. It amuses me. I log in and clear it out once a year or so.
2. At various times I’ve had coworkers who didn’t believe it was common for people to enter someone else’s email address when registering for a sensitive system. When that happens, I’ve taken them to my old Yahoo webmail. Oh look, another kstrauser’s loan paperwork!
I can only imagine what that’d be like if it were at Gmail and not Yahoo.
The problem is, "temporal" happens to mean "temporary" in Spanish. As soon as Gmail became popular in the Spanish-speaking world, people started using it as a placeholder address.
* Lots of people use it when creating throw-away accounts.
* Sometimes companies use it as a placeholder when they don't know a customer's address. Multiple telecom companies in various countries have done this to me, sometimes populating hundreds of customers' accounts with my email address, such that I receive all of their phone bills, sometimes even with detailed call logs.
* All kinds of students register for university classes using my address resulting in me getting tons of emails from professors. In many cases I could go drop their classes for them if I were evil enough.
* Once a Colombian school gave my address admin access on their school-wide Zoom organization. The really annoying part about this is that Zoom didn't give me any way in the UI to leave the organization, so my account was attached to this school until I complained on Twitter and someone silently fixed it.
* For the last couple months, someone has been scraping Shopify-backed web shops, entering my email address when prompted, putting things in their cart, and then abandoning it, such that I receive an email saying "Hey you left this thing in your cart! Do you still want to buy it?" The emails are always in Spanish, of course. I receive them from like 50 different web sites every day. (Luckily I was able to create a filter for certain Spanish words...)
None of this stuff gets filtered as spam because it does not look like spam to gmail's filters. I have learned it's more productive to block addresses than to mark spam, but this annoyingly takes four clicks per email. I have begged Google to give me a way to filter by language but of course no one is listening.
WIRED even wrote an article about it: https://www.wired.com/story/misplaced-emails-took-over-inbox...
I know, I know, I need to change my email address and probably get off Gmail altogether. It's difficult because I have 20 years of history built around this address.
I still check the gmail account ever so often and it still receives spam. My Fastmail account is perfect even after a year.
I could also choose to pwn his online betting, games, dating, and porn accounts any moment I want. I may or may not have changed his gender preferences on a dating site...
Apparently for many sites, user retention & money are more important than verifying an email address up front. He visits the scummiest betting and dating sites, so I'm not very surprised.
I also get their college results, government assistance, a payday loan company, pinterest and subscriptions to newsletters sent to me for them.
Ive mailed them directly, multiple times but they dont seem to care. I'm now returning the favor, signing them up for all the crappy sites when i need a throwaway.
I continually get a lot of emails, sometimes with private information to first name.lastname@gmail.com where people with my same name just use that without caring that it is not their email address. You probably aren't getting that job offer and you probably aren't getting that bank load approved without being able to see the emails.
For a while I tried to notify the senders but they rarely reacted or even provided a way to contact them. Now I worry about it becoming a scam vector so I just delete them.
To deepen the problem gmail actually ignores periods in email so even if johnsmith@gmail.com already exists its possible create accounts for both john.smith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com because although google will absolutely treat those 3 as the same thing and route all messages to any of the above to our first fellow randombob.com treats those as 3 unique email addresses.
This was actually exploited by the fellows that robbed Washington states unemployment system during the pandemic applying for unemployment for folks that didn't need it including humiliatingly enough actual workers who worked for the washington state employment security division. To make their robbery more ergonomic multiple fraudulent accounts were set up with email addresses that differed only by periods. In this instance it only worked of course because they were indeed able to verify their email accounts.
In other instances for example myFico has weak protections on signing up. You can use ANYONE's email address to sign up but strong protections on actually accessing information. This means in effect if someone signs up as you as actually happened to my wife you will never be able to get them to stop spamming you with that persons personal information nor make the person stop giving out your email.
I wasted 15 minutes of my life trying to explain that the address given actually was my wife's email address. Bitched to their credit union/other institutions about the persons financial data being leaked, created a complaint with the FCC. YADA YADA nobody cares about properly implementing email verification or leaking people's financial information.
What's doubly annoying is the US gov is pretty lax at things like unsubscribe links, so I keep getting notifications about his Medicare account that I can't unsubscribe from.
That's forwarding rules are for. Preferably to the email of some judge in his precinct.
(That's what we're doing here right? Bashing on the old and the tech-illiterate?)
Sorry Bob!
It was a really, really bad idea that sounded funny in my head. That number is scrawled on every toilet wall with "for a good time call: ..."
Every hour of the night...!
See also:
https://www.wired.com/1998/09/woz/
EDIT: https://www.wired.com/1998/09/woz/
(a large article, search for 888-8888)
I have surname.name@gmail.com and I routinely used to receive emails for surnamename@gmail.com, because of some moron at google that though it was a good idea to ignore dots.
I haven’t checked that gmail account in a while (gmail is just trash at this point, beyond salvage) but I might still be receiving this guy’s loans solicitation or his car insurance certificates. Who knows.
I had never been served a summons before so I was worried about it, I called a lawyer and the lawyer said to just throw the summons in the trash.
Although apparently the guy with the same name as me was going bankrupt or something, his bad debts started showing up on my credit report and I had to mail the reporting agencies to take them off, went on for a few years.
I'm not a big Twitter user, and when I went to log in Twitter for the first time in probably a year or two, I forgot that it was still using my gmail account. I couldn't remember my password, so I did a password reset, received the email, and reset my password.
After looking around a bit, I realized this was not my account. It turned out the previous owner of firstnameLastname.ca also used firstname@firstnameLastname.ca
I ended up making a twitter post basically saying "Hello, I think I accidentally stole your account. If this used to be your account, email me.". A few weeks later I got an email from a fellow with the same name as me, who used to live in Canada but had moved back to England. I was able to change the email on the account and give him back access.
I don’t get why people do this. It’s not like it’s difficult to get a throwaway email account.