Spam Trapping

January 1, 2010

I shot out a quick little tweet about this and there was some interest so I thought I’d dash off a longer blog post.

For a long time I’ve used the habit of using custom email addresses for each online service I sign up for. I’m planning on discussing this (and some other related tactics for real world use) in my Crushing Your Head newsletter soon, but in essence all the email addresses go to one unified email box and let me figure out who is doing what. This way if one unique email address starts getting spam (or email from another party), then I know who the leaker was.

I was trolling through my spam folder and found this today:

And all the emails were being sent to an address known only to Seesmic. I don’t actively use Seesmic (I’m a Tweetdeck and Brizzly user for now) but did sign up a while ago (and switched for a while) when Seesmic had some advances in their client that no one else had. You’ll notice that the first spam sent was on 6/10/2009, then another on 6/22/2009, and then the barrage starts in mid December.

So what does this tell me?  Somehow Seesmic’s database has been compromised somewhere in the chain and now the email address they have for me is in the wild (UPDATE: apparently this was reported and blogged about by Seesmic here). This same thing happened to me a few years ago with an email that Ameritrade had for me.  I complained to them and they said in essence “we’re looking into it”.  A few months later a class action lawsuit was filed (not by me) and was recently settled (I think).

So what are you doing to protect your customers’ personal information?


Loren Norman January 1, 2010 at 6:05 pm

Good catch, Sanjay! I’ve been using this technique for years as well.

For Gmail users interested in implementing special emails for every service they sign up for, it’s easy: simply give your normal email address with “+sitename” before the @.

For example, instead of giving your normal email address:
joe.schmoe@gmail.com

Give it like this:
joe.schmoe+evilsite@gmail.com

The emails will still come to your normal inbox, but you’ll be able to filter (and block entirely) based on the recipient when you get sold out. How cool is that?

As a side note, Gmail ignores periods in email addresses, so:
joe.schmoe@gmail.com
…is the same as:
j.o.e.s.c.h.m.o.e@gmail.com
…but the recipients will be different as with the other technique.

Just an FYI. And thanks again for being a good web citizen, Sanjay!

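The post describes a unified mailbox where each service gets its own address so that spam to one address identifies the leaker, and Loren’s comment above describes the Gmail “+tag” and dot-insensitivity rules that make that cheap to do. As an added example, not code from the post or from any of the commenters, the Python below canonicalizes Gmail-style recipient addresses (dots in the local part ignored, text after “+” treated as the service tag), then runs a small leak-attribution pass over a constructed spam-folder sample. The `ALIAS_REGISTRY` mapping of tag to legitimate sender domains, the `.example` domains, and the sample messages are all hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the post): a few spam-folder messages
# as (recipient header, sender domain) pairs.
SPAM_FOLDER = [
    ("joe.schmoe+seesmic@gmail.com", "pills-cheap.example"),
    ("j.o.e.schmoe+seesmic@gmail.com", "casino.example"),
    ("joe.schmoe+bank@gmail.com", "bank.example"),
    ("joeschmoe+seesmic@gmail.com", "replica-watches.example"),
    ("joe.schmoe@gmail.com", "newsletter.example"),
]

# Hypothetical registry: which alias tag was handed to which service, and
# which sender domains that service legitimately mails from.
ALIAS_REGISTRY = {
    "seesmic": {"seesmic.example"},
    "bank": {"bank.example"},
}

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address):
    """Return (canonical address, tag).

    For Gmail domains, dots in the local part are ignored and anything after
    '+' is a tag. For other domains only the '+tag' convention is applied
    (assumption: the provider supports subaddressing)."""
    local, _, domain = address.strip().lower().rpartition("@")
    local, _, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}", tag or None


def attribute_leaks(messages, registry):
    """Count spam per alias tag and flag tags whose sender domain is not on
    the owning service's allow list; those aliases have very likely leaked.

    Returns (counts per tag, {tag: sorted unexpected sender domains})."""
    counts = Counter()
    suspects = defaultdict(set)
    for recipient, sender_domain in messages:
        _, tag = canonicalize(recipient)
        if tag is None:  # untagged mail cannot be attributed to a service
            continue
        counts[tag] += 1
        if sender_domain not in registry.get(tag, set()):
            suspects[tag].add(sender_domain)
    return dict(counts), {t: sorted(s) for t, s in suspects.items()}


if __name__ == "__main__":
    counts, suspects = attribute_leaks(SPAM_FOLDER, ALIAS_REGISTRY)
    for tag, n in counts.items():
        status = "LEAKED" if tag in suspects else "ok"
        print(f"{tag}: {n} message(s) in spam, {status} {suspects.get(tag, '')}")
```

On the constructed sample, the three differently-dotted “seesmic” recipients all canonicalize to the same mailbox and tag, so the three unrelated sender domains are attributed to that one alias, while the “bank” message is not flagged because its sender is on the allow list. One caveat for practitioners: a “+tag” is visible in the address and can be stripped before a list is resold, so the allow-list check should also be applied to mail arriving at the bare canonical address; a dedicated catch-all domain like the one Andrew mentions below avoids that weakness.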

Loic January 2, 2010 at 12:41 am

Our supplier, aweber, was hacked and we immediately blogged about it and emailed everyone with apologies. We are changing supplier for our newsletter. Privacy and respect for our Teamseesmic members is our #1 concern.


Sanjay January 2, 2010 at 12:50 am

@loic totally agree and I hope I didn’t imply anything contrary. It was clear that the leak happened somewhere in the chain and I would never assume that any legitimate service would ever release email addresses willingly.


Andrew Watson January 2, 2010 at 2:37 am

I’ve been doing the same thing with gleep.org for about 12 years now. I have created hundreds of “accounts” for all kinds of stuff.

The GMail trick is neat, though. Also, you can use OtherInbox and create aliases on the fly or even in advance if you want to. I haven’t actually tried that – I just use them to scrub my inbox out and get rid of all the quasi-spam I don’t really care to read.
