Who shared my data?

You did not have my permission.

Many years ago a guy at a company walked out the door with their database and from that day on I received a wall of spam.

But this story isn't about him. This story is about how I knew it was him.

Unique email addresses

Every time I sign up for a new account or fill in a form I put in a fresh, unique email address.

I have my own domains and for those I have sub-domains and on those sub-domains I have a wildcard. Any email sent there ends up in my Inbox. That means I can give a fresh, never seen before, email address to everyone and then I can track down who they've given it to. Please sign up for FastMail. I have a referral link!

On some mail providers you can also use "plus addressing", which is where your email address can have a plus and another word added to it. E.g., "steve@gmail" becomes "steve+twitter@gmail". Some websites don't allow this: they are wrong.

Keeping track of it all

Unique email addresses, unique passwords, unique date of birth - woah. How do I keep track of it all?

Simple: I don't.

I let my password manager handle that for me. It contains notes on each of my accounts: what the website is, what my email address is, my password, my date of birth, anything else required.

Use a password manager!

Who has shared my data?

Alright, who shared my data?

The first person to fall afoul of this was my mate Seth. He's a good guy. Great at sports. Funny. Energetic. Not a privacy or computer security expert. Who is?

At the time we were using Hotmail - pre-Microsoft acquisition - and somehow a person got into his account and grabbed all of the emails out of his address book.

Spam ahoy!

It might not even have been him. He might have forwarded a joke to me, Sarah, and all our friends. We used 'CC' and all of our email addresses were on display. One of his other friends might have had their account broken into and there they'd find my email address. It was quite common at the time.

End result: my buddy Seth played a part in letting my email address become public. It's fine. We were young and it wasn't his fault.

I still remember the first spam email I received: printer ink. Why? I didn't even have a printer. I was very confused.

Sometime later I found a giant line printer when dumpster diving. That was great fun but it didn't use ink, it used ribbons.

Further companies that let me down

Parachute Music Cyber Store

Many years ago a company named Parachute Music had a music festival, Parachute Music Festival, and they also had a website where you could sign up. It was the '90s and they called their store: The Cyber Store.

One day a staff member left and walked out the door with their customer database. How do I know? Because on my Cyber Store exclusive email address I received an email from an ex-store employee announcing his new venture.

And he had everyone in CC.

Macromedia

Many years ago there was an amazing multimedia software company named Macromedia. They had amazing authoring tools: Macromedia Authorware, Macromedia Freehand, it was genius stuff. You could put an animation on a multimedia CD-ROM which would pop up a full screen window when someone inserted it into their computer!

I had an account on their website. They got broken into and my email leaked. Was it pre- or post-acquisition? Dunno but there's a lot of spam.

Free software lists

For a while I had a bunch of software I had developed available for download. My email address was in the release notes. Those release notes were scraped and spammed. That's my reward for publishing free software: spam.

A large company picked up some of my software and incorporated it into their software. They charge a high monthly subscription for it. They make a lot of money. From memory the company was cPanel, but searching around I cannot find mention of cPanel and my software on Bugtraq. Whether it was disclosed in another venue or whether it was another company I can't figure out, but I did find a bunch of my old posts on Slashdot. Did [......] ever send me anything as a thank you for writing a chunk of the software they were selling? Nope! The closest I got to an acknowledgement was when I was named as the original author of that part of [......] when a vulnerability was found in it. (Classic OWASP top 10 stuff, but I was young.)

I developed free software and all I got was this CVE. And a lot of spam.

Mozilla Bugzilla

Ah the days of contributing to software development in public. I discovered some rendering issues in Mozilla Firefox and dutifully sent them in. A spammer scraped the bug repository. Goodbye that email address! Bugzilla now masks email addresses.

php.net

Another software development project I contributed to leaked my address in the same way. Were they also using Bugzilla at the time?

Bugtraq

Whilst researching this list I discovered that back in 2002 I found a directory traversal in Filezilla 0.7.0 and disclosed that to the developers who fixed it. No CVE because this was back in 2002 and we just got things done: no nickname, no logo, no press release, just fix it and post on Bugtraq afterwards. Although it would be nice to have "TWO DECADES OF SECURITY" on my LinkedIn.

Also I left my email address hanging out for anyone to scrape from their archives.

qbik.ch

qbik / Marcus was responsible for some Linux USB drivers. Back in those days I would compile my own kernel, applying patches from NVidia to get the best performance out of my GeForce graphics card. That way I could play Half-Life under Cedega (a subscription fork of WINE). There was also drama around the AMD USB driver. It would work with one of the standard HCI modules but a typically disabled one was far superior.

I also had a Sharp Zaurus which ran Linux. Tiny little PDA that could do pretty much anything you dreamed of, including Wardriving. 2005 was a wild time!

Adobe

Adobe acquired Macromedia. Then they got broken into. They leaked my Adobe account and a Macromedia account that hadn't leaked earlier.

Mailing Lists

Remember mailing lists? You send an email to a specific address - linux-kernel-tweaks@example.com - and then all recipients on the mailing list get a copy of the email!

This worked well for several decades, until kind people put the mailing list archives and their wisdom onto the World-Wide Web (WWW) and spammers indexed them.

Remember how I said I have multiple domains and multiple email addresses?

If I make multiple email addresses and a spammer gets hold of them, then I receive multiple copies of the same spam: address1@example.com, address2@example.com, address3@example.com ... addressN@example.com. (This is partly how I detect spam. If I get 7 copies of the same URGENT email about my Netflix password I get immediately suspicious.)

Then my mail server needs to receive that email, process the headers, think about it, spam check it, do some work, and then it discards it.

But if I put those on a sub-domain and the sub-domain starts to get cluttered with spam I can simply drop that sub-domain from DNS and it never receives any connections ever again.
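The two tricks above, a unique alias per party and the "same message on N aliases" tell, are easy to turn into a small script that runs over a mailbox. This is an added example and not the author's own tooling; the alias table (alias, who it was given to, the domain that party legitimately mails from) stands in for the password-manager notes, and every message in it is constructed.

```python
"""Map incoming mail back to the per-service alias it arrived on and flag
spam blasted to several aliases at once.  Added example, not the author's
tooling; the alias table and messages below are constructed."""
import email
import hashlib
from collections import defaultdict
from email.utils import parseaddr

# Constructed alias register, the kind of notes a password manager holds:
# alias -> (party it was given to, domain that party legitimately mails from).
# Wildcard sub-domain aliases ("cyberstore@shop.example.net") and plus-addressed
# aliases ("me+crystals@example.com") both map back to exactly one party.
ALIAS_TABLE = {
    "cyberstore@shop.example.net": ("Parachute Music Cyber Store", "parachutemusic.example"),
    "bugs@dev.example.net": ("Bugzilla", "bugzilla.example"),
    "me+crystals@example.com": ("Crystals site", "crystals.example"),
}


def alias_parts(address):
    """Split an address into (mailbox, plus-tag, domain); tag is '' when absent."""
    local, _, domain = address.lower().rpartition("@")
    mailbox, _, tag = local.partition("+")
    return mailbox, tag, domain


def recipient_of(msg):
    """Envelope recipient: prefer Delivered-To (added by the receiving server) over To."""
    header = msg.get("Delivered-To") or msg.get("To") or ""
    return parseaddr(header)[1].lower()


def fingerprint(msg):
    """Hash subject + body with whitespace collapsed so identical blasts compare equal."""
    body = msg.get_payload(decode=True) or b""
    text = " ".join((msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).split())
    return hashlib.sha256(text.encode()).hexdigest()


def analyse(raw_messages, copy_threshold=3):
    """Return (leaks, suspicious).

    leaks: alias -> set of sender domains that used the alias although it was
           only ever given to one party (so that party, or its data, leaked).
    suspicious: fingerprint -> set of aliases, for any message that landed on
           at least copy_threshold distinct aliases (the "7 copies" heuristic).
    """
    leaks = defaultdict(set)
    copies = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        rcpt = recipient_of(msg)
        sender_domain = alias_parts(parseaddr(msg.get("From", ""))[1])[2]
        copies[fingerprint(msg)].add(rcpt)
        if rcpt in ALIAS_TABLE and sender_domain != ALIAS_TABLE[rcpt][1]:
            leaks[rcpt].add(sender_domain)
    suspicious = {fp: rcpts for fp, rcpts in copies.items() if len(rcpts) >= copy_threshold}
    return dict(leaks), suspicious


def leaky_subdomains(leaks):
    """Wildcard sub-domains worth dropping from DNS: domains of leaked aliases that
    are not plus-addressed (assumes, as in this table, wildcard aliases live on
    their own sub-domain while plus-addressed ones share the base domain)."""
    return sorted({alias_parts(a)[2] for a in leaks if alias_parts(a)[1] == ""})


# Constructed sample messages: one legitimate, one ex-employee CC blast, and the
# same phishing text fired at three different aliases.
SAMPLE_MESSAGES = [
    "From: news@parachutemusic.example\nTo: cyberstore@shop.example.net\n"
    "Subject: Festival lineup\n\nSee you at the festival.\n",
    "From: bob@newventure.example\nTo: cyberstore@shop.example.net\n"
    "Subject: My new venture\n\nHi everyone, I have left the store and opened my own.\n",
] + [
    f"From: alerts@evil.example\nTo: {alias}\nSubject: URGENT: your Netflix password\n\n"
    "Your account is suspended. Click here.\n"
    for alias in ALIAS_TABLE
]

if __name__ == "__main__":
    leaks, suspicious = analyse(SAMPLE_MESSAGES)
    for alias, senders in leaks.items():
        print(f"{ALIAS_TABLE[alias][0]} leaked {alias}: mail from {sorted(senders)}")
    print("mass-mailed fingerprints:", len(suspicious))
    print("sub-domains to drop:", leaky_subdomains(leaks))
```

The "expected sender domain" check is deliberately blunt: plenty of legitimate services send through a third-party mailer, so treat a hit as a prompt to look, not proof of a breach. The duplicate-fingerprint check is the stronger signal, because no party was ever given more than one alias.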

Crystals / Numberology

I can't remember exactly which hocus pocus mumbo jumbo website this was. They promised they'd tell you great things if you gave them your email address. I was skeptical. My hypothesis was I'd get a lot of junk. I was right. What a prediction!

The "great things" turned out to be vague imprecations, a lot of solicitations, followed by an awful lot of spam.

Hey buddy, what do the numbers tell you about selling my email address?

WHOIS data

When you register a domain you need to provide email addresses for the person who owns it as well as for the billing and technical contacts.

Back in the day this was all fine to publish until someone figured out they could scrape the WHOIS information and send spam to the domain owners.

I complained to the Te Tari Taiwhenua / Department of Internal Affairs who are responsible for enforcing anti-SPAM legislation.

The Anti-Spam Unit then asked me if I'd like to submit an affidavit that my email address was only used for my domain name and I had never ever asked to receive spam emails for bath mats and genital lengthening.

By golly I would!

After I submitted that paperwork, signed and dated, things went quiet for a while until I read in the paper that the Department of Internal Affairs had secured their first conviction under the brand new Unsolicited Electronic Messages Act 2007.

As they don't publish enforcement actions before 2013 on their website I couldn't remember the exact details or whether I had been the crucial piece of evidence that brought down a SPAM empire. I contacted the team at DIA to see what they had in their files. Here comes the fact check:

The investigation in question was regarding Dolche Design Limited (trading as 4U Shops). You had notified the Department of an unsolicited electronic message you had received from the electronic address 4unews(at)4ushops.co.nz on Thursday 20th of May 2010.

We had also received a number of complaints from other members of the public and as such, conducted an investigation into the electronic marketing practices of Dolche Design Limited. As a result of our investigation, the Department elected to issue Dolche Designs Limited with a Civil Infringement Notice of $1500 for 6 breaches of section 9 of the Unsolicited Electronic Messages Act 2007.

Not quite as dramatic as I recalled, but still important.

Nice to know that in 2010 a single email to me was valued at $250. Keep your address books safe.

X-Mods

When the original Xbox came out - believe me it was huge - there was a great modding scene. You could sign up for forums, get the gossip, purchase mod chips, get wiring diagrams, etc.

Sites would come and go. X-Mods was one I had an account on until someone got my email address and started selling it.

I have another bad email address from this time, simply known as "XBOX". I can't recall which site that's from but that's not the email for my Xbox Live account ... I mean Games for Windows Live ... Microsoft Games ... oops ... Microsoft Passport ... whoops ... Games for Windows Marketplace ... er ... Xbox Games Pass Ultimate Gold.

Free Sweet Site

Sweet Facebook advertising! Put in your email and we'll start sending you free bags of lollies!

By which I mean a lot of spam. And no lollies.

Zynga

Who else used Facebook except good old Zynga. Was it some farm game? Who knows! It's getting spam! Turns out it was "Words with Friends". Thanks HIBP for the clarification.

Stephen D. Cope

I recognise this name. How did I leak my own email address?

Oh, I put it on the front page of my own website. That will do it.

And now I receive beg bounty emails where scanners drive past and send me a vague email about a speling mistake or a double-reflected DOM XSS bypass on my site, cross me palm with Bitcoin guv'nor!

Little Chef

In 2011 I visited the UK. On the side of the motorways there were some shops to get a meal and that included the Little Chef chain. We could sign up for their loyalty programme and get something. Maybe an extra egg on our sarnies. Who knows? But a few years later I started to receive spam on that email address. They've never admitted to a breach.

Vistaprint

Wow! Free business cards! That's a price I can afford ... wait a minute, $25 shipping to have them sent from the Netherlands? No thanks! And then in 2019 suspicious phishing emails?

I messaged them and they replied:

Thanks of sharing your concern and we're sorry to hear of the of the issue being experienced. Please procide (sic!) us with the affected email address so we can look into this further.

I declined: I'm not the one who leaked it. Get your Privacy Officer and maybe your security team to figure out where you're leaking email addresses from.

Besides I don't understand this tack they've taken. My email address only exists in two places in the world: your database and my password manager. It didn't leak from my password manager. How will providing my date of birth and a retina scan help them ... share ... my concern ... with the issue ... eh???

Apple iTunes

This is an odd one. I installed the Lazada app to get a coupon and purchase something from Lazada. Then I uninstalled it. A few days later they emailed my Apple iTunes email address to ask why I left. Why not email my Lazada email address? How did they get my iTunes email?

PayPal (but this is intentional)

This is how it works. It's not a leak.

When you pay someone with PayPal then PayPal exchanges email addresses. I get the seller's PayPal email address and they get my PayPal email address. So far, so good, as long as those sellers keep it secret; some have instead signed me up for their mailing list twice: once with my PayPal address and again with my actual email address.

Network Solutions

Somehow I didn't get spam from this, but Network Solutions was breached a few years ago whilst I had an account with them.

Lazada

I mentioned that Lazada somehow had my iTunes account email address. I had also signed up on their website and they suffered a breach which likely contained my data.

Miscellaneous

There are a lot of miscellaneous ones in here that I don't have good notes for.

Government Departments

Government, the same Government that enforces privacy laws, should be at a good standard, right? They sort of seem to be.

Inland Revenue / Te Tari Taake

Good old government, collecting my tax, and giving away my email address. WHAT‽

They've done it twice:

Back in 2010 I signed up for Kiwisaver (a mandatory savings programme) and they randomly allocated me to a fund provider. They rolled the die and found AMP, who they sent my details to - including my birthday, address, and email address. This is how it's supposed to work to maintain the Kiwisaver scheme. It saved me a lot of hassle when I moved address, moved country, moved address again, and the only thing that hadn't changed was my email address.

Later I rectified the problem: I changed my email address and shifted my Kiwisaver fund from the disgraceful Australian-run AMP to an Aotearoa-based fund.

During 2020 when people's minds went to how they'd keep their company open, IRD flicked my email address over to another government department, Business.govt.nz, who added me to their mailing list. They're not the only ones!

Companies Office

This one is fine.

When you register a company in Aotearoa NZ you can add a company email address. It's optional. That email address got signed up for the Business.govt.nz mailing list. It was also passed over to Employment New Zealand.

All three are part of Ministry of Business, Innovation and Employment. This sharing appears to be legitimate.

Cant type, wont tpye

These people don't know their email address. They do, however, stumble onto mine.

Please, website developers, other than an initial verification email - with a clear opt out link - do not send email to unverified email addresses! No matter how much the user swears that is their email address.
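What that advice looks like in code is a double opt-in gate: the only message allowed to an unproven address is the verification email itself, and a "this isn't me" click blocks everything, including further verification attempts. This is an added example rather than anything from the page or any particular project; the MailGate class, its method names and the secret are constructed for illustration.

```python
"""Double opt-in gate: only the one verification message may go to an address
nobody has proved they control; everything else waits for a confirmed token.
Added example; the class and its methods are assumptions and the key is constructed."""
import hashlib
import hmac
import time

VERIFY_TTL = 24 * 60 * 60  # a verification link is good for one day


class MailGate:
    def __init__(self, secret):
        self._secret = secret          # HMAC key; keep it in config, not in code
        self._verified = set()         # addresses whose owner clicked the link
        self._opted_out = set()        # addresses that clicked "this wasn't me"

    def _mac(self, address, expiry):
        msg = f"{address.lower()}|{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_verification(self, address, now=None):
        """Token for the single verification email.  It is bound to this address
        and to an expiry, so it cannot be replayed for a different mailbox."""
        expiry = int(now if now is not None else time.time()) + VERIFY_TTL
        return f"{expiry}.{self._mac(address, expiry)}"

    def confirm(self, address, token, now=None):
        """Called when the link is clicked; marks the address verified on success."""
        now = now if now is not None else time.time()
        try:
            expiry_str, mac = token.split(".", 1)
            expiry = int(expiry_str)
        except ValueError:
            return False
        if now > expiry or not hmac.compare_digest(mac, self._mac(address, expiry)):
            return False
        self._verified.add(address.lower())
        return True

    def opt_out(self, address):
        """The recipient says the address is not theirs: never mail it again."""
        self._opted_out.add(address.lower())
        self._verified.discard(address.lower())

    def can_send(self, address, kind):
        """Policy: opted-out addresses get nothing; unverified ones get only the
        verification message; verified ones get everything."""
        address = address.lower()
        if address in self._opted_out:
            return False
        if kind == "verification":
            return True
        return address in self._verified


if __name__ == "__main__":
    gate = MailGate(b"constructed-secret-for-the-example")
    addr = "stephanie@example.org"
    token = gate.issue_verification(addr)
    print("newsletter before click:", gate.can_send(addr, "newsletter"))   # False
    print("confirm:", gate.confirm(addr, token))                            # True
    print("newsletter after click:", gate.can_send(addr, "newsletter"))    # True
    gate.opt_out(addr)
    print("verification after opt-out:", gate.can_send(addr, "verification"))  # False
```

The stateless token keeps the pending-verification table out of the picture; in practice you would also rate-limit issue_verification per address so the verification message itself cannot be used to pester someone whose address was typed in by a stranger.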

Georgia, Sales

I don't know who these people are. They think they have email addresses here. They don't. They sign me up for stuff. Stop it.

Info

This is a pretty good guess for a generic email address at my domain. Try also: webmaster, sales, office, and hello.

Stephanie

Stephanie signed up for a lake run with my email address. She used the correct phone number. I sent her a message to let her know I had her race pack pickup if she wanted them.

Stephanie was at first very angry that I had this information before she said she didn't care.

Kim

Seriously Kim, we've been over this. Stop it.

Jane Doe

She likes boys - according to her dating profile - and enjoyed her trip to Greece.

Donna

Donna might work at the Selwyn District Council, which has a domain name similar to mine. I've told her a few times, but I still get misdirected email. That's why I have had to block one of my own email addresses because of her!

They also got a new guy who was very excited by his new role at the Council. He signed up for a mailing list. I found him on LinkedIn, corrected his email address, and signed the right one up for the mailing list whilst unsubscribing myself. Did he thank me? Of course not.

Jane Doe #2

Performing well at school but if she uses Facebook during the day her older sister will smash you. She has wisely deleted her Facebook account.

Could Facebook kindly confirm an email address before it blasts me with junk?

Advocacy

I don't know their name, but I do know their bank balance! They're overdrawn by 379.64. Please deposit funds by 11:45pm today to avoid OD charges.

It contains the standard footer:

This email has been automatically generated, please do not reply.

ASB Bank Limited.

This email may contain information which is confidential and/or subject to legal privilege. If you are not the intended recipient, please immediately notify the sender and delete the email.

Please immediately notify the sender and please do not reply. I see that you are a stranger to logic or perhaps you're some sort of ancient god that likes to set impossible challenges for Hercules.

Way back in 2018-10 I managed to get hold of someone at ASB Bank. I had tried sending it to their phishing email address. Nothing. Can't get hold of them on the phone because I don't have an account. They stopped the emails and promised, swore on their Mother's life it would never happen again.

Let's find out what happened the next month:

From: ASB Alerts

Subject: Your latest banking alert

At 03:41 on Tue 06 Nov 2018, your Streamline 50 account is now overdrawn. Please deposit funds by 11:45pm today to avoid OD charges.

Current balance of: -$379.40 OD

Note: Unarranged OD charges are debited from your account at the beginning of the month.

To modify, STOP or learn more about alerts, go to FastNet Classic, call 0800 662 226 or visit www.asb.co.nz.

Mobile Banking Terms & Conditions apply and are available from www.asb.co.nz or any ASB branch.

This email has been automatically generated, please do not reply.

ASB Bank Limited.

This email may contain information which is confidential and/or subject to legal privilege. If you are not the intended recipient, please immediately notify the sender and delete the email.

Great work, team A.S. Bank Bank. Welcome to my rubbish bin.

Who did it well?

Dick Smith Electronics

DSE was a great store for components. You need a single resistor? Hop on your bike, pedal over there, great job.

Eventually they turned into Yet Another store flogging flat screen televisions. Rubbish. They had an IPO. Turns out they had juiced the books. The flat screens weren't as valuable as they thought and Dick Smith's went into receivership.

The receivers emailed everyone: we are going to sell your email address. Click here and we will purge your details before we sell the database. I clicked. They purged.

I haven't seen any leaks out of that one. Nice work, receivers for Dick Smith Electronics.

Wrap up

Anyhow, that's who has been leaking my email address.

My advice:


Copyright © 2021 Stephen D. Cope
https://sdc.org.nz/notes/share-my-data