HACKER Q&A
📣 dyingkneepad

People who use different emails everywhere, who sold you to spammers?


I've heard a lot about people who have catch-all email accounts and subscribe a different address to each service. So, these people may have a nice idea of who sold or leaked their email addresses based on the spam they are getting. Are you one of these people? Can you name your spammers?

As a side note, I have a friend from not-US who by mistake used a special address only for this country's IRS equivalent (he had something like "unit 12A" instead of just "unit 12"), and he would occasionally get physical spam to that address. I remembered that, then decided to ask this.


  👤 narag Accepted Answer ✓
I mostly use one single address, but I can tell you exactly where all the spam comes from: idiots whose name is the same as mine.

They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.

So not only do I receive all the spam from dubious sites that they subscribed to, but also their legitimate mail from lists and friends.

My namesakes are idiots. But some of the companies responsible for the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.


👤 yodon
When my kids were young, I set them up with two email addresses: one for emailing friends, the other for emailing businesses. The assumption was this would protect their personal friend emails from spam. The reality was by the time they were older teens almost all the spam they received came in on their personal friend emails and almost none of it came on their commercial-use addresses.

My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious android apps, back-doored aimbot cheats, and etc harvesting contact addresses and sending the data back to spammers.


👤 linsomniac
This was years ago, but I once contacted Barracuda to inquire about buying one of their Spam Firewalls. I used "myname-barracuda@mydomain". Before I even got a response from the salesperson, I got a spam e-mail to that address.

Then I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.

I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.


👤 gwbas1c
The absolute worst offenders are political activists: (In the US)

I attended my town's meeting for a political party in 2016. I put my name and email on the list with an email address that I made up on the spot. It continues to get HAMMERED by every up-and-coming politician in the state who's trying to make a name for themselves.

A few years ago I attended Senator Ed Markey's roadshow for the Green New Deal. I again used a unique email address. Someone on the staff sent the address a LinkedIn invite promoting their puppet show business.

I interviewed with Microsoft in the fall of 2004 and used a unique email address on the application. It started getting SPAM. I think I blocked it in my email provider.

Looking in my SPAM folder, most of the spam is going to my gmail account, and most of it is recruiter spam. (There are a lot of recruiters who just SPAM, and I report them.) But: I have 2 emails in German to an email address I used with the Computer History Museum in Mountain View probably sometime between 2005-2007.

Speaking of resume spam: Next time I publish a resume I'm going to do "jobboard_year@...". I'm getting hammered with resume spam, a lot of it from recruiters who either haven't read my resume, have poor comprehension, or hit send with glaring errors.

Years ago I blocked a bunch of addresses in my email provider that I never used. (I'm not going to look them up now.) They were very random, but somehow they just kept getting emails. I have no idea why.

And finally: In 2003 I put out a resume with "resume@..." That got hammered with SPAM. A repeat offender was someone trying to sell a car detailing franchise. I had to block that address.


👤 johnklos
There have been plenty of small companies, but the ones that have been most egregious are Adobe and Avid.

Adobe are just a bunch of idiots who have no clue what they're doing. There's a whole story, but let's just summarize by saying they have people working for them who both want to argue about how it's "not possible", yet have zero insight into how their data is stored.

I couldn't get anyone at Avid to listen even though our company has bought millions of dollars of equipment and software from them, so I walked up to the president of the company at an event and told him. They reacted very quickly and affirmatively after that.

Right now I'm dealing with the government of the local town. I filled out a form on their web site asking something, and in the months since I've gotten emails that have the EXACT DATA that I put on the form with phishing URLs in them. I'm still waiting for the Town to explain what happened and whether the compromise was in Mailchimp, Linode or Sendgrid.


👤 zaphoyd
My wife and I have used a unique address for every company/service for 15 years or so (both online and physical stores).

We’ve gotten less spam than I expected and from fewer sources.

The big ones are dropbox (likely breach related), justworks, [email addresses listed in Whois records - note: Whois privacy features are absolutely worth it], and emails associated with open source projects and businesses that get listed in repos/project/business websites.

I have blacklisted 1 video game discussion forum whose owners sold it and all its data and 4-5 misc retailers (mostly in fashion/clothing) for either outright spam or having non-functional un-subscription features.

We continue to use this email strategy for a variety of reasons, not only spam management. I don’t think I would set such a system up if my only goal was spam reduction as breaches and publicly posted addresses account for the vast majority of the spam and those will get you either way. There is merit to having your main personal address be separate from the ones you publicly post for business/open source purposes.

As an aside: the experience has led me to an anti-spam idea that I wonder if anyone has tried on a larger scale. I have multiple different addresses that were clearly involved in a breach or I post on public websites where they get scraped. However, I know that both addresses are unrelated to each other so I end up getting listed on some spam lists multiple times. In these cases, any message where you get separate copies to multiple different addresses is spam 100% of the time.


👤 mynegation
Ah, finally, my time to shine. Amazingly - not too many, given that I use hundreds of unique emails. Tbh this confuses the hell out of people when I give a CSR at AcmeBoutique the address AcmeBoutique@myowndomain.com

The offenders that I remember:

- Men’s Health magazine

- local gym

- online flower shop

- agency that at the time handled visa applications for a local Indian consulate

- couple of infoproducts from Producthunt (think “free e-book of 10 most effective cloud practices” type of stuff) gave my email without consent to other sellers of infoproducts.


👤 andrewfong
U.S. political campaigns are by far the worst offender. If you give your real email and phone number to one candidate, twenty unrelated candidates will contact you next cycle.

👤 neya
I buy a lot of stuff from AliExpress, eBay and Alibaba, it goes without saying you should use a separate email address for those. My email was not only sold, I started getting malware themed links shared to me as Google Drive files. The moment you click on it (and I did from another test env.) - it straight up runs some clever JS and then downloads a DMG or EXE file which is clearly spyware (multiple flags from AV providers) in the exact name of the Google document.

I have also received pornographic images with embedded code which somehow seems to run JS code when you open them. In short, they try to con you once they know you're a frequent buyer. Oh, and they also WhatsApp me directly with lot of links to porno-like malware or actual malware directly from new numbers every week. I had to stop using my WhatsApp after all this happened.

But, it is what it is and I have learned to move on.


👤 tom_
Mostly cryptocurrency stuff in my case. Over the past 5 years, almost all of my spam (a measurable but manageable amount) has come via my old btc-e address. I've probably been getting this shit for more like 7 or 8 years in total, long since before they got shut down, and I mailed their support when it first started. They said there was definitely no hack and definitely no breach. Not sure whether that makes this worse or better ;)

I get the odd one from the address I used when buying my ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.

Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.


👤 Jaruzel
It's worth pointing out that if you use PayPal to buy anything from any site, the site in question gets to see your PayPal email address (whether they need to use it or not). If your main email address is used as your PayPal login, and an e-commerce site is hacked or they just straight up sell your data, then that's your main email address totally compromised.

Source: I've implemented PayPal integrations for several sites over the years, and saw first hand what data is exchanged during the API workflows.


👤 lazyjeff
I've been using my domain name for email for over ten years. The two surprising usernames that I got bad emails at, were turbotax@ which I used with TurboTax a long time ago, and andrewyang@ when I donated a dollar to his campaign near the start. I basically was getting borderline scam emails sent to both.

👤 maxk42
I used to. Stopped doing it as it was too much hassle to keep track of, but the biggest spammers were tech recruiters. I think some of them post fake jobs just so they can harvest your email address when you apply. Then that email address gets passed around on various lists for years.

👤 cookiengineer
In Germany there are lots of freemail providers. Some of them sell all the contact data to spammers:

- web.de

- gmx.de/net/com

I reproduced this with a new domain, a nowhere occurring email on an email server that does not list its accounts via imap, and a single email from those services to the new email was enough to receive spam afterwards; even when the email wasn't listed anywhere on the web.

On a couple other addresses they receive spam mostly from Ghana, Botswana, or rural Delhi, so they're easy to identify. I keep the reddit-trained reply NLP bot active to reply to spammers and keep em busy.

At some point I might go the offensive route, cause they always seem to use standard software on outdated Windows machines, with couple of aliases of Western sounding names (well, at least in their own imagination).

My opsec mandates that I split up email addresses by security level and purpose, and the emails aren't related anyhow, don't use the same name and are basically random emails that cannot be correlated. I'd also encourage everyone to use a password manager and use only random passwords everywhere to prevent account stuffing or stupid script kiddies trying to compromise your accounts.

If there's one thing the BreachCompilation has taught me it's that every humanly chosen password is based on patterns and/or easily gathered social structures that surround them on a daily basis.


👤 Mountain_Skies
The most surprising was the local public transit system. Somehow the local Democratic Party office got the email address I used for signing up for my transit card. Over time, that email address got into the databases of lots of other left leaning groups, some fund raising, some pushing activism. My guess is that the transit system didn't actually sell the email address to the local Democrats but someone working for the agency passed it along. Having worked for many government agencies, my experience is that access control to PII is very loose.

👤 cactusmatt
I've been using a catch-all domain with unique addresses (example: ycombinator@mydomain) for every service/site/etc. for more than 10 years.

Surprisingly, none of these email addresses have gotten spam, outside of what the original service sends.

As someone else mentioned, most of the spam I received comes from people with the same name as me. I was an early gmail adopter and my gmail is my firstnamelastname@gmail. I get spam, people's rental agreements, dating profile information, mortgage closing papers, etc for people with my name from across the country. There is someone who has been convinced they can create a gmail with my firstname.lastmail@gmail who has signed up my account for facebook, netflix, and espn+. This is much more of a problem for me.


👤 gravitystorm
Hostmonster (a Bluehost brand) have been the worst, since they were so blatant about it. I'd only had legitimate correspondence to that address, until the week I cancelled my account, and since then the spam has been relentless. So as part of my account cancellation, they clearly sold my email address on.

The most amusing was the UK Parliament petitions site, since you would have thought they were a bit more careful with the email addresses given to them.

But the strangest is the persistent use of specific email addresses that I've never used anywhere - about half a dozen common forenames, and one forename-plus-three-numbers. I've no idea where they originally came from - perhaps someone padding out their email lists for sale with semi-randomly generated ones? - but that set of addresses has been used and reused for over a decade. At least it makes it easy for me to train spam filters, since even novel emails are easy for the filters to spot when multiple copies arrive together.
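An added example, not part of the thread or any commenter's setup: zaphoyd's idea above (one message arriving on several unrelated addresses) and the multiple-copies observation in the comment just above, written as a small Python check. The alias table, envelope recipients and messages are constructed, and the digit and recipient normalisation is an assumption about how such copies differ from each other.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string

# Constructed table: each alias and the single party it was ever given to.
ALIAS_ISSUED_TO = {
    "dropbox@example.com": "dropbox",
    "whois@example.com": "whois-record",
    "shop@example.com": "acme-shop",
}


def body_text(msg):
    """Concatenate all non-container parts of a parsed message."""
    return "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())


def fingerprint(msg, rcpt):
    """Hash subject + body after removing what spammers personalise.

    Assumption: copies differ only in the recipient address, numbers
    (tracking ids, amounts) and whitespace.
    """
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    text = text.replace(rcpt.lower(), "<rcpt>")
    text = re.sub(r"\d+", "0", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def cross_alias_copies(deliveries):
    """Return alias groups that received the same message although the
    aliases were issued to different parties (or never issued at all).

    deliveries: iterable of (envelope_recipient, raw_message) pairs.
    """
    by_fp = defaultdict(dict)  # fingerprint -> {alias: party it was issued to}
    for rcpt, raw in deliveries:
        rcpt = rcpt.lower()
        msg = message_from_string(raw)
        # An alias that was never handed out counts as its own source.
        source = ALIAS_ISSUED_TO.get(rcpt, "never-issued:" + rcpt)
        by_fp[fingerprint(msg, rcpt)][rcpt] = source
    return [
        sorted(aliases)
        for aliases in by_fp.values()
        if len(set(aliases.values())) >= 2
    ]


def make_mail(to, subject, body):
    """Build a minimal constructed RFC 5322 message for the sample data."""
    return f"From: promo@mailer.invalid\nTo: {to}\nSubject: {subject}\n\n{body}\n"


# Constructed sample: one campaign hitting two unrelated aliases, plus two
# ordinary order mails that share a template but reach a single alias.
SAMPLE = [
    ("dropbox@example.com", make_mail(
        "dropbox@example.com", "Your parcel 4821 is waiting",
        "Dear dropbox@example.com,\nconfirm delivery of parcel 4821 today.")),
    ("whois@example.com", make_mail(
        "whois@example.com", "Your parcel 9930 is waiting",
        "Dear whois@example.com,\nconfirm delivery of parcel 9930 today.")),
    ("shop@example.com", make_mail(
        "shop@example.com", "Order 1001 shipped",
        "Your order 1001 from Acme Shop is on its way.")),
    ("shop@example.com", make_mail(
        "shop@example.com", "Order 1002 shipped",
        "Your order 1002 from Acme Shop is on its way.")),
]

if __name__ == "__main__":
    for group in cross_alias_copies(SAMPLE):
        print("same message on unrelated aliases:", ", ".join(group))
```

Repeated template mail to one alias is not flagged, because only copies that cross aliases issued to different parties count.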


👤 usr1106
I have used different email addresses for every recipient/registration for 20 years. There have been very few incidents.

More than 15 years ago the addresses I had used for Financial Times and Finnair started to get Viagra etc spam. At least one of them was after a big leak at an online marketing firm that made headlines. I closed the addresses so I have no idea whether the flood has ever stopped.

Maybe 10 years ago I booked a cruise to Saint Petersburg using a coupon from Groupon. After that I started to get spam in Russian. I don't read Russian but online gambling was obviously a topic. I contacted Groupon and asked about their sharing. Talked to their head of don't remember and he claimed it's simple: They don't share the address with anyone. It was obviously not true because I never had any contact with Russia before or after and the timing was very evident. I closed the address.

Another address is in the Linux source / LKML. It gets Nigeria letters all the time, but with low frequency. Less than 1 a week on average. Maybe 1 or 2 in German and French over the years.

Those are the biggest cases. Maybe some other odd one over 20 years. It's worse with completely stupid tech marketing on my work address (which has been the same for 4 years).


👤 tristor
The absolute worst offenders are political campaigns, PACs, parties, and candidates. I believe because they're exempted from robocall and spam legislation so feel they have carte blanche. I've donated to local candidates from several different parties, and subsequently my addresses ended up in lists with national organizations and their associated PACs. I get what I would call "extremist" content endorsed and sent by both major parties in the US (DNC and RNC) about their opposition, often on the same day about the same issue, although begging for money.

The worst part though is they also SPIM me, I predominantly get text message spam from these campaigns. The Democratic party is the worst here. I volunteered to man the phones one year for a candidate during the primaries, and now they are CONSTANTLY texting me to try to get money or otherwise support candidates on the national stage, most of whom I despise. The Republicans send me postal mail and email, but no text messages or IMs.


👤 bunnyfoofoo
Just as a heads up, Zillow will ban your account if you use zillow@domain for violating their terms. Happened to me in March 2021.

👤 jawns
It happens about once a year for the 15 years I've had my emails set up that way, and as far as I can tell, 90% of it has been hacked systems rather than sales.

The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like hotelchain-jawns@example.com, and the spammers would send to aaahotelchain-jawnsaaa@example.com, bbbhotelchain-jawnsbbb@example.com, etc.

That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.
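An added example, not jawns's actual configuration: a recipient check that replaces the catch-all with a fixed `service-jawns` format, run against the padded addresses quoted above. It goes beyond the post by also showing a keyed tag per alias, since a format check alone still accepts a prefix-only variation; the key, the tag length and the function names are assumptions.

```python
import hashlib
import hmac
import re

USER = "jawns"                     # user part from the example address in the post
DOMAIN = "example.com"
SECRET = b"constructed-demo-key"   # placeholder; a real key stays on the mail server

PLAIN = re.compile(r"[a-z0-9]{2,32}-" + USER)
TAGGED = re.compile(r"([a-z0-9]{2,32})-([0-9a-f]{8})-" + USER)


def split_addr(addr):
    """Lower-case the address and split it at the last '@'."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def format_ok(addr):
    """Format-only policy: exactly '<service>-jawns' at our domain."""
    local, domain = split_addr(addr)
    return domain == DOMAIN and PLAIN.fullmatch(local) is not None


def tag_for(service):
    """Short keyed tag binding the alias to one service name."""
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:8]


def make_alias(service):
    """Address to hand out: '<service>-<tag>-jawns@example.com'."""
    return f"{service}-{tag_for(service)}-{USER}@{DOMAIN}"


def tagged_ok(addr):
    """Keyed policy: the format must match and the tag must verify."""
    local, domain = split_addr(addr)
    m = TAGGED.fullmatch(local)
    if domain != DOMAIN or m is None:
        return False
    service, tag = m.groups()
    return hmac.compare_digest(tag, tag_for(service))


def classify(recipients):
    """Map each recipient to the decision of both policies."""
    return {r: (format_ok(r), tagged_ok(r)) for r in recipients}


# Constructed recipients, modelled on the addresses quoted in the post.
ISSUED = make_alias("hotelchain")
SAMPLE = [
    "hotelchain-jawns@example.com",            # original style alias
    "aaahotelchain-jawnsaaa@example.com",      # padded on both sides
    "aaahotelchain-jawns@example.com",         # padded prefix only
    ISSUED,                                    # tagged alias as issued
    "aaa" + ISSUED,                            # tagged alias with padded prefix
]

if __name__ == "__main__":
    for rcpt, (fmt, tagged) in classify(SAMPLE).items():
        print(f"{rcpt:50} format={fmt!s:5} tagged={tagged}")
```

The prefix-only variation passes the format policy but fails the keyed one, because the tag is computed over the service name the sender altered.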


👤 Tepix
There are a bunch like AliExpress, eBay, Paypal and kickstarter where 3rd parties get your email address too (or used to), so you don't know which one leaked them. I tend to change the email address every few years when it gets too much and block the old ones after a while.

I suspect that most of the entries on the list got hacked. There are a few exceptions where companies do not honor unsubscribe requests and keep sending you emails or flat out sell your email address.

Here's a list that was collected over many years:

- Cory Doctorow's mailing list (twice)

- bitcard

- Achatzi, CSV direct, easynotebooks, foto-erhard, hivilux - (german online shops)

- dcemu, gbadev

- Dropbox

- funcom

- gawker

- Kimsufi and OVH

- GoodLuckBuy

- Mails listed in WHOIS

- Mails used in Yahoo groups (RIP)

- MiniInTheBox

- monster.com

- moneybookers

- pianostreet

- Usenet (duh)

- Typepad

- UnternHammer


👤 bcrl
Most recently I got an email that was clearly spam (had a link to a website with a .zip file that was clearly malware) that was a reply from an order I placed with a supplier a few months ago ($8,800 worth of 105Ah rackmount SLA batteries) - the entire email I had previously sent was quoted. It's pretty sad when your legitimate suppliers are getting compromised and leaking data like a sieve.

👤 ColinWright
Most spam I receive are dictionary attacks, or emails harvested from my web site and places where I make it available.

Such as my profile here on HN.

But there are some that must have been leaked or sold from specific services. These include, but are not limited to: USwitch, Linked-In, Disqus, and a forum to support LGBTQIA+ people in academia.

There are others where I have strong suspicions and some evidence, but where it's not airtight.


👤 TheBozzCL
Ticketmaster gave one of my email addresses to their parent company, Live Nation. They started spamming me with event stuff pretty much immediately. Their unsubscribe options don't work. I complained to their support and they told me to just not use it, and that the emails would go away? Screw that, I changed the email address I used for Ticketmaster and deleted the original one. No more spam since, thankfully, so it seems they didn't pass the new address along.

The one that puzzles me is that some recruiting database got my personal email address, the one I only give out to people I care to keep in touch with. I've never, ever given that email address to a recruiter! I asked them how they got that email, and of course they just said "some AI-powered recruiting tool we use". It's sad because that email address is super fun and I had managed to keep it private for so long...


👤 dsr_
The biggest source of spam to my personal addresses are the breaches of the LiveJournal and TVTropes sites, both years old.

The biggest source of spam to my corporate addresses is Linked-In.


👤 bstpierre
I used special emails for my kids’ savings accounts at a major brokerage, and then started getting weird emails to one of them. This was on a private domain and the addresses weren’t really guessable, so that’s how I knew they had been breached before they announced it weeks or months later.

👤 bshep
I use spamgourmet, these are my most spammed emails:

  id            emails  creation    notes
  =======================================
  freepsp       37177   2005-09-23
  mtgox         21229   2011-06-19
  scriptaculous 10408   2006-03-27
  winex         5103    2007-05-01
  patriciafield 4293    2007-03-09 
  rms           3472    2007-03-10  www.rmsexperts.com
  wallstsense   3310    2009-04-01      
  panda         3300    2004-11-02  panda antivirus
Edited for formatting

👤 AviationAtom
You raise an interesting point from a security perspective:

Unique passwords aren't the only need these days, often unique email addresses are too.

Credential stuffing has become so prolific that people are often finding themselves locked out of their own accounts, due to failed attempts. It has the added benefit of letting you know who was breached.

I encountered roughly the same when I received a Bitcoin extortion email, with a unique password in it. I correlated it with my password database, to discover who had been breached. I reached out publicly to the company to ask what was up, as they never notified me of a breach. Initially they played it down, but then finally confessed they had been breached.


👤 puffoflogic
The sad thing is, ever since I started using unique addresses years ago, they've caught exactly no one. I get buckets upon buckets of spam, but only from the first party companies I actually have a relationship with, and zero from 'partners'.

Mayhaps just having an email domain that isn't from a big webmail provider keeps out the spam? But then again, I get plenty of actual spam to my work email which I've never given to anyone.


👤 Brajeshwar
I'm not very pedantic about it but I do create a few ones. I don't do catchall as my domain has been on the Internet for a very long time and the catchall usually gets pretty badly spammed (I tried).

For instance;

- I have something like NetflixJio2021@familydomain.com, which is the free Netflix account that I got from my Jio Fiber connection. I gave that to the In-laws.

- IndiaPassport2022@familydomain.com because Indian Passport Office won't allow more than 5 Passport (I think 5 was max, last time I checked) applications from an account. I'm usually the person dealing with the Internet and digital stuffs for our family, and most of the relatives. The limit gets hit pretty easily.

I used to sign up for almost every Startups that pops up from friends, acquaintances, and people whom I had even interacted once in the hope that I'm helping them with one more account. Unfortunately, especially Startups in India, will bombard and spam relentlessly (emails and phones) that I have totally stopped signing up for anything. I either use a throwaway or the "+" method when I really have to -- brajeshwar+StartupName@gmail.com

A few years ago, I started logging the ones that specifically spammed my phone number. I visited a Startup and agreed to give them my number for the visitor log entry. I trusted them because I helped them with their product during the MVP to pitch Investors. They started spamming me after I left and before I reached home.

I stopped the logging and now I have declared SMS/Text Bankruptcy. https://drive.google.com/drive/u/0/folders/1jI0DxmZ586cBmyu1...


👤 fer
The consular services of Russia in France, or their visa processing service (VHS France). I used this email exactly once to apply for a visa for the Russian Federation. Now I get spam there every other day.

👤 buro9
Two sources:

1. Companies who use dark patterns to spam you even though they implied they wouldn't, and who continue to spam you even after you try and unsub from them. Even Google are bad at this... you can explicitly unsub from everything but dare to purchase another product and they'll yet again include some tiny checkbox somewhere that has resubbed you. These feel like Sisyphean subscriptions.

2. Individuals with similar names who cannot get their own email right and seem determined to never receive their travel documents, insurance policies and other things, and who leave you subscribed to obscure local mailing lists like the one for dog rescue in Florida which I am a BCC on and I can't get the list owner to effectively unsub me, or the school in North Carolina who keep telling me about my namesake's child who needs to prep some piece of homework and they tell me this via a no-reply address.

There's not a lot of "leaked email address is used for spam" as one imagines... at least, it's almost zero.


👤 Imagenuity
I use different email addresses for everyone, and have a catchall on my domain. Been using this setup since the late 90's.

My spam comes from a few sources:

- data breaches that leaked an email address (Adobe, Dropbox, LinkedIn, GoDaddy etc)

- family that used to forward all kinds of crap using the TO: field instead of BCC:

- some companies sold my email which then started to propagate more and more

- some just figured it out. If you own a domain firstlast.com you'll get spammed at first@firstlast.com

- dns records

There are more I'm sure. These are the sources I'm certain of.

Your email is only as secure as the weakest link that has that address.


👤 epc
By far it’s US political campaigns and non–profits. I’ve regressed to only using one email address for pretty much everything except financial accounts and political campaigns. For political donations I now give either a campaign or year specific address that immediately routes to spam or trash.

I have three addresses which match my hn account that I first registered in the 1990s and over time have received bank account logins, credit card information, legal documents, and a huge variety of extremely personal information. So many top online services utterly fail to verify email addresses…I now have multiple instagram accounts simply to block others from signing up with them.


👤 johnjones4
Not sold, but shared internally across multiple clients with no functional opt out: Once Democratic party digital firms like NGPVAN and ActBlue get your email, be prepared to get multiple emails per day from candidates across the country you've never heard of (much less could even vote for) constantly sending you garbage emails. The unsubscribe buttons do nothing.

👤 a2128
I signed up for Skrill with a "+skrill" alias thinking it might be a good alternative to PayPal, and soon began receiving shady casino and gambling related spam emails from third parties sent to that Skrill alias, which they didn't even bother to strip out.

I could not trust them as a financial service provider after that, so I closed my account.


👤 jdmoreira
I use a different email for everything so I have been waiting very patiently for this and guess what… so far no one.

Absolutely no one.

And I've been using this system for over 5 years now


👤 hdkrgr
For me, it was Foodora Germany (before they merged with / were sold to whoever owns the brand now). I pointed this out to their support as soon as I started getting spam on my foodora-exclusive email. They politely told me to go tf away.

18 months later, they announced a major security breach that they had "just learned about". https://www.infosecurity-magazine.com/news/foodora-data-brea...


👤 gernb
Honestly, not very many. I've signed up for 300+ companies, maybe more, everyone with a different email. Many of them signed me up to their mailing lists that I didn't ask for and didn't want but they usually made it one click to unsubscribe.

One that sticks out is Kohl. I never signed up for them and they spammed the shit out of me 15 years ago. I've never shopped there and from the spam I never will.

Otherwise, a conference running company in Japan spams me and they use a new email address on their end for every new conference.


👤 c22
It actually happens extremely rarely, perhaps less than once a year. Though that may just be an artifact of my already heightened discretion in who I give an email address to at all.

The most recent offender was my kid's tee-ball league.


👤 jeromechoo
I actually do this for every service I put my email down for. It’s been about 2 years since I started.

Fortunately (unfortunately?) my email has only been sold once, and it wasn’t as egregious as you might think.

Amplitude, the user analytics company, sold my address to at least 3 companies who simply started emailing me as if I’ve always been a subscriber to their newsletter.

I do use their free plan though so I’m not mad about it.


👤 crossroadsguy
Netflix, Uber, Airtel, Reliance Jio, Paytm, Swiggy, almost every bank and neo bank (India) I’ve tried, hospitals and diagnostic centres (I’ll be shocked and devastated if they’re not selling my health data to everybody who’s willing to pay a paisa or more), insurance provider, Coinbase, PayPal, TrueCaller, Facebook, Dell, Amazon, LinkedIn, Amex etc are few I remember.

And the great people who think it’s okay to use the most natural sounding email address as per their name while filing forms (including banks and cards) and moron corporations like banks, telcos, Amazon Business etc who think it’s perfectly fine to not verify emails.

And my personal@my-domain that I use to communicate with friends etc. So apparently my friends aren’t lesser idiots - they think their phone and gmail contacts are to be shared with the world. So maybe use a unique email for every friend and personal contact? :D


👤 quicksilver03
In my list I have: Canva, Splunk and SublimeText.

I made some noise on Reddit about the Splunk one and I didn't receive anything else after a quick exchange with them, I reported the SublimeText one but a couple of years later I got other spam to this address, and I didn't bother doing anything with the Canva one.


👤 soneil
A few of my blacklisted recipients ..

waltr2@ wemo@ elara@ curse@ gizmodo@ lastfm@ macheist@ monster@ myspace@ skillshare@ dropbox@ meetup@ dribble@

And digitalocean because their unsubscribe page didn't work. If they won't stop sending, I will stop receiving.


👤 ajb
For me the biggest "dog that did not bark" was real estate agents. I used both a separate email and VoIP number to my main one, which was handy as it meant I could switch them off at times when I didn't want to deal. I got plenty of calls and emails during the process, but as soon as I made a transaction, crickets. To the extent that I think they must share a negative list. I guess they value their own time and know that once you made a transaction, you're not going to be making another soon. Surprisingly this continues to hold, no "are you thinking of moving again" now it's been a while

👤 thread_id
I have multiple emails for most online accounts. None of them are generating unwanted emails. There are two accounts that I have had for a long time prior to this newer practice and these are constantly receiving unwanted spam. I was able to correlate this to a project I worked on 15 years ago when one of the other contractors on the project gave me a thumb drive to install software related to the project. It blue screened my laptop - but it was too late - my laptop was hacked. Ever since then those emails have been out in the wild. I learned my lesson about good thumb drive hygiene after that.

👤 jwalton
I don't actively monitor this, unless stuff gets through my spam filter - there's a few I notice I'm getting spam from though:

* The NDP party of Canada
* Animal Jam - a mobile game that my daughter wanted to play, and I had to provide them an email address.
* Imgur
* Linkedin
* GitHub (although my github email address is in all my commits, so it's obviously public).

The vast majority of my spam comes from someone named Mya who used my gmail address (I assume by accident) to sign up for a job board. After she did that, my spam exploded.


👤 archi42
I have a primary mail (me@mydomain.tld) I use for normal communication and as a fallback in case the catch-all subdomain is rejected (some companies don't like them; or are inconsistent for which form/account they allow it and for which not - I'm looking at you, Deutsche Post/DHL!). The remainder goes to *@subdomain.myotherdomain.tld.

I still get a lot of spam on my primary mail, I'm pretty sure it has been leaked by breaches and from friend's address books. My spam folder contains mail for these services: btc-e, bitcoinforum, Heroes of Newerth, hearthpwn, hifi-manuals.com, gcc-bugzilla. Most of these have been breached (for HoN I even recall it was during their early alpha/beta, and they did not acknowledge the breach when I informed them - they implied I must have used it somewhere else and that it got leaked from there). On the GCC bugzilla the address might be visible (at least to logged in users), so that's probably scraping. The hifi-manuals is pretty fresh, but IIRC they have been breached shortly after that.

A lot of businesses know both business@catchall and paypal1234@catchall, but I'm happy to say that I have not yet noticed 3rd party spam on these. Same for real life encounters for which I used the catchall (though the look on sales people is often priceless). However, aliexpress is pretty annoying with their own spam, as are some other retailers.


👤 abofh
Failed to double-opt-in, many (wildcard, v. short domain based on a finger-roll on the keyboard) - budget being my favorite because it let me cancel people's reservations without authentication for a long time.

auction.com - absolutely resells your email for years to come, thanks whoever subscribed to that.

The RNC is way worse than the DNC, but both resell their lists quite a bit for political purposes. Voter registration similar, but I think that's just open records stuff.

But a lot of failed double-opt-in. Massive amounts of it.


👤 qsi
In my case it's been from sites that got hacked or were discontinued. I don't investigate every single item of spam to see where it's addressed to, but some of the major data breaches like LinkedIn and Dropbox feature prominently. There's also an address I used as admin for a long-defunct domain.

In practice it's hard to differentiate between the sale of an address and a data breach, especially for smaller sites where the breach may not be publicized at all.


👤 jjav
I used to use individual email addresses for every site (I run my own email infrastructure, so it's easy). To be honest, didn't really see much of any spam to the site-specific accounts so after a few years I got bored of doing it and mostly use my primary address everywhere these days.

For the large sites like fb, linkedin, twitter, etc I do use unique emails. Not so much for spam, just to compartmentalize them away from my primary email so they don't have it.


👤 wink

    195 x+kickstarter@xxx
  57148 x+newrelic@xxx

The rest doesn't even register.

👤 kkfx
I use many aliases, few dedicated like amzxxx @ mydomain.tld where xxx is used as a variable part of the alias, the first for me to immediately identify the address target, few catchalls like tmpalXXX used when I need to quickly drop a valid mail but have no time/will to create a proper alias on the spot, few dedicated to nl/ml stuff etc

Results so far, I have just seen a spam mail from an eBay vendor, not one who I bought something from so I suppose eBay gave the address, one from an Amazon Marketplace vendor from whom I bought something, a few from a few supermarkets that have asked for a mail for the fidelity card. I do not actively monitor my SPAM folder so those are just messages that defeat my antispam, can't really tell reliable stats about all spam.

So far the overall arch works, in the sense that I do have a bunch of temporary addresses for "quick" usages (for instance on the go) and not much stress creating and deleting aliases, but using mobile crap and a very small number of services compared to the mean of people I know, it's hard to say if it works or not. Surely works well for easy sorting of messages (autorefile via MailDrop), and that's a good thing for me anyway.


👤 zenexer
Very few were deliberately sold; almost all leaked through negligence, ignorance, or simply getting hacked.

Hacked sites seem to be the most common source, and I often find out a service I use has been hacked before any public announcements.

Sales and support teams are the second most common. They use enrichment tools and CRMs that pull data from sources like ClearBit—but they also submit data. This is pervasive in B2B industries. I’ve confronted sales teams about this in the past, and it’s contributed to our company leaving one service for a competitor who isn’t leaking our employee data.

Ever since I noticed this happening, I’ve started using fake names in any forms that are likely to end up in a CRM. Even if they try to guess my primary email from my name—which many of these enrichment services do—I’ll know which sales teams I want to avoid. It occasionally leads to some awkward conversations when I have to explain that I’m not actually the named person and that person doesn’t actually exist, but anyone in sales is going to understand—and, if they’re smart, watch their step.


👤 sdflhasjd
Everyone's already named the big culprits and hacks, but I'll name a smaller one.

I tried Huel (UK soylent clone) a very long time ago, and a few years later, I started to get phishing emails to the address I used.

When I told them, they just ignored me. I'm fairly sure they were hacked or breached. The emails didn't contain any real info though, so I assume it was just their mailing list they lost.


👤 cabbagesauce
I've had a different Gmail account a while ago.

And I noticed that the amount of spam had increased after I emailed a recruiter from an IT recruitment consultancy.

After a while, e-mails from recruiters from other companies started coming in. Some were terribly persistent. And then outright spam began.

I closed the old account and am using a different one.

For work purposes, I use a separate domain name and Email Forwarding by Cloudflare. Mail is routed to the personal inbox of a new Gmail account. Google allows me to send outgoing email from the domain through their SMTP servers. However, sometimes they end up in the recipients' spam boxes, probably because of the MTA chain.

I actively use SimpleLogin in cases when I register on a new website when I am not sure about its security in terms of storing user data or possible mailing lists.

In addition, I own a free domain where Email Forwarding is set up as Catch All with sending to Protonmail. It cut the time to manage unwanted emails almost to zero.


👤 lormayna
I have lastname.surname@gmail.com and it was used by a person with my name to register on electronic online shops, religious activity and also porn site access.

A few months ago, I used an alias to post on the monthly "Who wants to be hired" here in HN and I am full of spam: a "company" is following up on me every week about "Project for estimate".


👤 metalzombie
Annoyingly, park mobile. Their emails were leaked, now I get parkmobile@foo.com emails quite often.

https://considertheconsumer.com/data-breaches/parkmobile-dat...

they suck.


👤 r3trohack3r
This has been my pattern ever since switching to ProtonMail. The biggest surprise for me was how little purpose it serves for spam prevention.

Coming from GMail, I expected an untenable amount of spam - but that seems to only be a GMail problem? I’ve only had two incidents of unsolicited spam from a vendor sharing my email address since moving to ProtonMail.

One I don’t remember the details but I gave a yoga accessories company my email address, like a year later I got an email addressed to that email address from a cannabis company.

The other time TicketMaster shared my email address with Warner Bros.

However my public email addresses (like the ones I use on GitHub, npm, git commits, etc) receive a lot of spam - but those are harvested, not shared.

Now my email address actually serves another purpose: limiting the ability for leaked user databases to connect my identity across providers. I’m starting to use a different username, email address, and password for every service I use that isn’t linked to my professional identity.


👤 neogodless
The list is long and I'm on my phone. Several were from breaches like Adobe.com and Park mobile. MyFitnessPal. Cadillac (used email for a free brochure).

I think the real worst offender is LinkedIn. I put one email on my resume and a different one for logging in to LinkedIn that should not be public. And yet I get direct recruiter spam there all the time.


👤 mriet
The SMTP standard allows you to add a "suffix" to part of your email address that is ignored when delivering the message.

I never give out my raw email address, I use:

- name+twitter@gmail.com for twitter
- name+amazon@gmail.com for amazon
- name+hacknews@gmail.com for HN

etc

Makes it very easy to track down who sold out my email -- and filter on it.


👤 vedant_shety
Life pro tip: xyz@gmail.com and xyz+abc@gmail.com are equivalent in the eyes of the mail server

All the emails to xyz+abc will be routed to xyz@gmail.com. This is because the server ignores everything after the +

I use the + to identify the website I provided my email to so if I was registering for facebook my email would be xyz+facebook@gmail.com

So far I’ve received the most spam from 2 companies: an Indian startup called dunzo (5-10 spam a day) and adobe

I’ve tried to get my data deleted from their site but I guess it’s too late now
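
Added example, not part of any comment in the thread: a Python script for the tally several posters describe, grouping mail by the plus-tag or catch-all alias it was delivered to and marking it third-party when no DKIM-verified signer matches the tagged service. It generalizes from plus-addressing to catch-all aliases; the domains, mailbox, `AUTHSERV_IDS` values and sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumptions (constructed values): your catch-all domain, your plus-addressed
# mailbox, and the authserv-id your own receiving servers write (RFC 8601).
CATCHALL_DOMAINS = {"mydomain.example"}
PLUS_MAILBOXES = {"name@mail.example"}
AUTHSERV_IDS = {"mx.mydomain.example", "mx.mail.example"}

DKIM_PASS = re.compile(
    r"\bdkim=pass\b[^;]*?\bheader\.(?:d|i)=(?:[^\s;@]*@)?([\w.-]+)", re.I)


def alias_tag(address):
    """Return the per-service tag encoded in one of our addresses, else None."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at:
        return None
    base, plus, tag = local.partition("+")
    if plus and tag and (f"{base}@{domain}" in PLUS_MAILBOXES
                         or domain in CATCHALL_DOMAINS):
        return tag                       # name+service@... -> "service"
    if domain in CATCHALL_DOMAINS:
        return local                     # service@catch-all -> "service"
    return None


def delivered_alias(msg):
    """Find the alias a message was delivered to.

    Envelope-recipient headers are checked first: spam is often Bcc'd, so
    To/Cc may not contain our address at all.
    """
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            tag = alias_tag(addr)
            if tag:
                return tag
    return None


def verified_domains(msg):
    """DKIM-verified signing domains, read only from Authentication-Results
    headers written by our own servers; a sender can forge any other copy."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        tokens = authserv.lower().split()
        if not tokens or tokens[0] not in AUTHSERV_IDS:
            continue
        domains.update(d.lower() for d in DKIM_PASS.findall(results))
    return domains


def classify(raw):
    """Return (tag, verdict) for a raw message, or None if not sent to an alias."""
    msg = message_from_string(raw)
    tag = delivered_alias(msg)
    if tag is None:
        return None
    # Heuristic (assumption): the tag is the service's name, and the service's
    # own mail is DKIM-signed by a domain with that name as one of its labels.
    name = tag.split(".")[0]
    own = any(name in d.split(".") for d in verified_domains(msg))
    return tag, "first-party" if own else "third-party"


def tally(raw_messages):
    """Count messages per (tag, verdict)."""
    return Counter(r for r in map(classify, raw_messages) if r)


def leaked_aliases(raw_messages):
    """Tags that received mail not verifiably signed by the tagged service."""
    return sorted({t for t, v in tally(raw_messages) if v == "third-party"})


# Constructed sample messages (not real mail).
SAMPLES = [
    "Delivered-To: name+newrelic@mail.example\n"
    "Authentication-Results: mx.mail.example; dkim=pass header.d=pills.example\n"
    "From: deals@pills.example\n\nbody\n",
    "Delivered-To: kickstarter@mydomain.example\n"
    "Authentication-Results: mx.mydomain.example;\n"
    " dkim=pass header.d=updates.kickstarter.example\n"
    "From: news@updates.kickstarter.example\n\nbody\n",
    # Forged Authentication-Results from a foreign authserv-id is ignored.
    "Delivered-To: kickstarter@mydomain.example\n"
    "Authentication-Results: mx.mydomain.example; dkim=none\n"
    "Authentication-Results: mx.evil.example; dkim=pass header.i=@kickstarter.example\n"
    "From: Kickstarter <hello@kickstarter.example>\n\nbody\n",
    # Bcc'd spam: only the envelope-recipient header names our alias.
    "X-Original-To: x+kickstarter@mydomain.example\n"
    "To: undisclosed-recipients:;\n"
    "From: promo@gadgets.example\n\nbody\n",
    "To: someone@elsewhere.example\nFrom: a@b.example\n\nbody\n",
]

if __name__ == "__main__":
    for (tag, verdict), n in sorted(tally(SAMPLES).items()):
        print(f"{n:7d} {tag} ({verdict})")
```

A third-party verdict shows only that the address reached someone else; as other posters note, it cannot distinguish a sale from a breach.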


👤 kevin_nisbet
I have done this for most services for a number of years, and so far have actually failed to detect an email getting sold. It might also be that Gmail's spam filters and the like are tuned enough that I don't notice.

I'd love it if the tags were available in SSO as well, as the more stuff that logs in using SSO just reveals the main email. So I definitely got into some sales databases that way for $work email that had a constant flood of cold outreach.

The largest spam problem I have, is the email domain I use is a typo away from another company. So I sometimes get quotes, or emails destined for people at that company that don't hit the spam filters. One time, someone signed up for their online banking under my domain. Recently, I get all the service advisories for someone's Honda car.


👤 pftburger
I get a ton of spam on my Amazon email. I assume this is via some sellers getting it as part of the return process. I just rotate the mail every six months and drop the old ones into an auto delete rule.

Another is the mail used in domain registries but it’s low volume.

The worst offenders are mailing lists I subscribed that fail to respect unsubscribing. I find the smaller they are the worse they are. So many just re-add the mail six months later. There I have a rather fun mail rule.

Any mail from their domain gets an auto reply with an explanation that this isn’t cool, with every support, admin, sales mail I could think of in cc. It includes a list of all the times they mailed me and all the times I asked them to unsubscribe in a list, handily auto generated by a node-red flow.

Yes, it’s pedantic, No I feel no shame.


👤 alibrarydweller
https://www.ordersnapp.com/, who do order processing for a local pizza place.

They got hacked and didn't even reset customer passwords, very glad I use unique passwords and limited the blast radius to them.


👤 kabdib
GoDaddy leaked my account's email address about ten years ago. Contacting GoDaddy support resulted in absolutely no response. (My guess is an unreported breach).

Also: Do not ever give a non-throwaway email (or worse, your phone number) to a politician. Ever.


👤 chris72205
Most of the spam I receive these days comes from DNS registry contact info. I always select the domain privacy option when possible, but certain TLDs like .us do not allow this option.

I’ve been using unique addresses for almost everything for several years now and I don’t get nearly as much spam as I anticipated when I first set it up. There’s one app I used years ago with a custom address and still get consistent spam from different people… I always wonder if the data was sold or stolen.

It is a bit humorous when a sales person asks for an email address and I give them something like theircompanyname@mydomain.com and they’re unsure if I’m openly blowing them off or that’s my actual address.


👤 7263255
I've been doing this for years. Very few companies have actually sold my address. Federal Express and USAA traded lists for a while.

The largest source of spam is from domain registrations and other public records.

The next largest source is from breaches: Ameritrade (they lost a backup tape), MtGox, and a bunch of small vendors over the years.

One thing that is interesting to note... when I get unwanted mail from a source I recognize, the unsubscribe links both work and do not lead to more mail. (Example, the parking vendor at the local stadium started sending me event newsletters for the stadium... but sending it from themselves, not having shared with the stadium.)


👤 yifanlu
Reposting from https://news.ycombinator.com/context?id=30980625

tl;dr: Used a burner email signing up for Comcast Xfinity and have been constantly receiving phishing emails on that address. (Last one was this morning.)


👤 neoCrimeLabs
These days I mostly use unique addresses, unique passwords, and where possible MFA to secure my accounts. Reduces the risk of brute force attacks and other weak account compromises.

Historically though my intention was to track who sold my email address and combat spam. It worked great.

The most notable one was the address I registered with ISC2 when signing up to take (and pass) the CISSP in 2002. The unique address I gave ISC2 and only ISC2 in 2002 was used to send spam and scam email not long after.

It was a fairly common occurrence in the early/mid-2000's to receive spam where I registered addresses. These days it seems to happen much less.


👤 lunaticlabs
I use unique addresses for almost everyone, and the spam fits a consistent pattern. Mostly, the emails don’t get sold unless I order from a somewhat shady site (grey market items not regionally available for example). Most of the time when I get spam from a ‘legitimate’ source, it’s right after a news announcement about a data leak. For example, my PayPal address gets a bunch of spam, and that happened after some user leak many years ago.

👤 skocznymroczny
I used to have my email account hacked. They also hacked my Origin account, luckily I only had one game there (the account got banned for suspicious activity). Now this is understandable. But for some reason, my email since then got used to sign up to universities in places like India and Singapore. Every week I get 1-2 emails from various branches of these universities. I don't understand why would anyone do that. I replied to some of them that they aren't reaching their intended recipient, but then I get emails from another department the next week.

👤 digisign
I don't get a lot of spam but those that I do are to ye olde addresses. Think monster, orkut, and myspace. The vast majority come to a postgres mailing list address I sent one mail to, about ten years ago. A few to whois contacts on domains, before I signed up for the anonymous service. Guessing all those were allowed to be scraped by spammers.

I get a few others to an apartment building I once got on a mailing list to, and other random stuff like that. Probably folks that use Windows and got worms.

In short, I don't think anyone sold me out... but I could be wrong.


👤 gregmac
I get most spam coming to my main personal email address. I've signed up for exactly nothing using it - but other people have sent me ecards (remember those?), shared things from random apps, and/or presumably had their contact lists stolen.

I had always intended to do some analysis of my catch-all address spam, but there's just so little of it that it isn't that interesting. A quick glance through my spam folder shows these have been hacked or sold emails:

Dropbox, Canada Computers, Last.fm

I've also seen a couple forum accounts in the past, but nothing else noteworthy.


👤 joshka
If you include various information disclosure incidents, I counted 23 or so, and then a bunch where I can't recall exactly what the address was used for at some point in the past.

Adobe (twice), NetTeller (twice), Boxee, IceTv, LinkedIn (a few addresses), TheTVDB, Paypal, some old forum sites, ableton, dropbox, last.fm, plex, smartdraw, PokerTracker, PartyPoker, several other poker related sites, some shopping discount sites, various small restaurant sites and tourism email addresses, various quote aggregator websites.


👤 eganist
So far, the one that sticks out in my spam bin is Nordstrom

https://i.imgur.com/DA8njVs.png

(I changed the numbers around, but the point stands)


👤 hamburglar
After doing this for nearly 20 years I can say I’ve been pleasantly surprised at how rare it is to get spam unrelated to the company I gave my address to. What it’s been very useful for, on the other hand, is filtering email from companies that don’t honor their unsubscribe links or unchecking their “please send me marketing emails” boxes during signup. The common pattern is for them to invent a new kind of junk mail category and then act as though your opt-out obviously doesn’t apply to this totally new category.

👤 beeboop
The only obvious one I've had after many years of unique emails everywhere was when I got a blood draw for some blood tests ordered by my doctor. It wasn't clear if it was the guy drawing my blood, someone who works at the blood draw company, or someone who works at the place where the labs were run on the blood.

It was pretty concerning that someone in that chain is selling my personal info. The spam wasn't commercial spam - it was Nigerian prince stuff, crypto scams, etc.


👤 kalleboo
Sometimes your address isn't maliciously being sold but is just leaked through incompetence.

I worked for a company whose mailing list ended up being leaked to spammers.

Our (otherwise seemingly legit) mailing service we used for our opt-in-only mailing list got breached.

We got lots of irate customers (there are surprisingly many people who use catch-alls), the mailing list provider put up a blog post saying "they were investigating" with no followup, and suddenly a month later they redesigned their blog and the old post was gone...


👤 throwawayacc2
Some of it is from friends. I lost count of how many mates I signed up to gay porn sites, nazi news letters and furry forums. And they did the same to me. It’s fun messing with friends.

👤 rrauenza
Years ago (> 10) I used me+hertz.com@mydomain.com registering for Hertz.

I started getting spam on it. Tried contacting them to let them know someone was selling customer email addresses and of course they just responded that obviously I had a virus or something.

Mostly unrelated, but just before I responded I was modifying a custom milter to filter messages based on the byte string "Copyrights =C2=A9 Xsolo All Rights Reserved" because this particular spammer likes to copyright his gmail spam. Weird but convenient.


👤 Ocha
I signed up for newrelic with a unique email (myemail+newrelic@gmail.com) and I was surprised after a couple of months to receive spam email on that address. I am not sure how the spammer got that email address - I would not expect newrelic to sell emails just to anyone - maybe business partners but not to just a random spammer. Also, I have been getting spam on that email only from one spammer, which makes me think maybe the email was not sold but was obtained in some unauthorized way.

👤 fd111
The worst offender in recent memory was Walt Disney World. Starting about nine months after a physical trip to WDW, my Disney hotel reservation email address received spam from the following Disney-related enterprises before I finally black-holed the address:

- Walt Disney Studios Home Entertainment

- FX Networks

- shopDisney | Disney store

- ABC News

- Freeform

- National Geographic ("Now streaming on Disney+")

- Walt Disney Pictures

- Storyliving by Disney

You could argue that this wasn't a "sell out" since it was all Disney, but not a single one of those enterprises had much to do with a trip to Orlando. :-)


👤 0xbadcafebee
About 70% of my current spam is to a throwaway email I listed here on HN. Seems obvious (public addresses are easy to scrape), but it didn't occur to me when I listed it.

👤 viknod
I use a pattern of somecompany@mydomain.example for everyone I deal with.

Never made any effort to determine if they were leaks or sold, but here are the ones I've had to send to /dev/null over the years due to obvious spam.

adobe, godaddy, ebay, sirius, vonage, dzone, snapfish, walgreens, US postal service; they just continued their model of selling physical address data into the online space. Seems to have been sold to typical catalog vendors, JC Penney, crate and barrel, etc.


👤 alt227
Some loosely related questions: What are people using to manage their individual address-per-service aliases?

Is there a good provider which does this well and lets you manage the mail to each alias without logging out and in to each account?

I could see how self hosting with something like mail-in-a-box could do this, but requires a ton of knowledge and maintenance. It would be easy to just set up multiple gmail accounts, but a nightmare to manage after a while.


👤 dreamcompiler
Lots of responses here about people getting mail to the wrong gmail address. This never happens to me because I have a unique domain; that seems to cut down on the problem a great deal.

Most of the "wrong" email I get is genuine spam but it tends to be from companies I signed up for that have since gone out of business and sold my address to spammers, or companies that have had a data breach (naturally).


👤 ornornor
For my part:

Bell Canada (got hacked a few times, notoriously)

So. Many. ATS. (Applicant Tracking Systems)

Several small time online stores.

The first two probably got breached and the emails stolen (although I have never ever received any disclosure of being breached from any ATS ever). Small time stores they probably sold it for actual money, they weren’t exactly trustworthy in the first place.

I use spam gourmet so I know exactly where any email address was first used and thus who leaked it.


👤 danamit
The worst spam I've seen is when a crypto hardware device company got hacked and my email got leaked.

The worst constant spam I've ever seen, some of it uses legit expensive mail services, and a lot of it doesn't land in my spam folder.

I have another email that's put publicly in a website and it gets crawled, and I get no spam from it, just legit emails that are probably automated from people that wanna do business.


👤 ben_w
On a related vein, I managed to identify the source of a leak via the scammer emailing me with the password I used only on LiveJournal: https://kitsunesoftware.wordpress.com/2018/08/09/anatomy-of-...

👤 refurb
I have no idea but I'm super annoyed my main email that I've used for almost 20 years has suddenly attracted a ton of spam.

I have a separate email account for all the trivial and unimportant website sign-ups (which I can mostly ignore since it's nothing critical), but my mail account was only used for "higher risk" accounts. I assume it was a leak of some sort (insurance or utilities).


👤 8ytecoder
You don’t get a lot of spam when you give a different email address to different companies. They can’t correlate with other data to tie your accounts together. The value of spam marketing is being able to cross sell taking advantage of the one unconsented email they can send.

Scammers on the other hand contact me on all my emails that have leaked/compromised. Latest being xfinity.


👤 ipnon
Submitting a resume on a job board is the fastest way to disclose an email address to every recruiter with an Internet connection.

👤 mekster
Interestingly, ever since I've started doing that a few years ago, I don't get a single spam on the catch all domain.

The only spams I'm getting are the ones that come to the address I used on many places (mainly used for accounts that are used for paid services) in the past and still getting spammed every day.

Have services stopped selling addresses these days?


👤 datavirtue
If the spammers knew about FOIA requests they could harvest a gold mine. Our attorney general was conducting a training session about FOIA compliance--I worked at a community college. I raised my hand and asked if I had to respond to requests for the email addresses for all of our students. The answer was the same, comply as quickly as possible.

👤 legitster
Nothing, NOTHING relates to the time I sent an inquiry on Alibaba.

Nearly 10 years later I still get sent random quotes for custom USB drives.


👤 KolenCh
BoA. I know it for a reason similar to unique email.

When I first came to the US I opened a BoA account and they managed to misspell my name in a unique way, maybe only in the mail but not on the card, I don’t remember this detail.

Anyway, when I got promotional mail out of nowhere addressed to the same misspelling, I knew I was sold by BoA.


👤 vodkapump
Santander.

I have an email address that I've only used for official things, and it was used by an employer as my contact email for pension savings with Santander.

I've had the address for 10+ years and never gotten spam. The same day I got an email from Santander about being signed up for pension there I started getting lots of spam emails.


👤 user3939382
Avery (the brand that makes those label stickers you get at Staples) spammed me even though I explicitly declined their marketing list.

Once a month or so I get unsolicited mail to my LinkedIn email address.

Other than that, I was surprised to find after a good 5 years of monitoring that I haven’t gotten spammed through unauthorized sharing of my email.


👤 leephillips
When I started doing this, many years ago, I fully expected to see spam coming to some of these addresses. I was pleasantly surprised to find that, so far, not one of these addresses has been compromised. All my spam comes to addresses that are essentially public, or random names, as I use a catchall.

👤 zzo38computer
I do not have a "catch-all"; I have a single domain on which I set up a separate email address for each correspondent, which I must manually add to /etc/aliases to accept mail at that address; anything sent to an address not listed there will be rejected.

I do not think I ever received any spam.


👤 musicale
Public libraries, who provided patron email addresses (supposedly collected to send overdue and renewal notices, etc.) to municipality "newsletter" spam lists.

I assume they'd also happily hand over a list of all the books you've checked out and whether any of them were overdue.


👤 tommiegannert
An online drinks shop here in Switzerland. I sent them an email asking WTF, but no answer. Still not sure if it was malicious by them or someone else. Haven't used them since.

Aside from that, I'm guessing it's mostly my Git commits on GitHub being the source.


👤 casenjo
Any of the Kickstarter projects I've participated in. I used an alias for my Kickstarter account and I know for a fact that at least one of those projects sold my email because now I get random Kickstarter-type project emails in my spam folder.

👤 soared
The US government. Register to vote? Change your address? Register a new vehicle?

Drown in very well targeted spam containing personal information like your name, the vehicle you purchased, the dealership you bought it from, your address, family members names, etc.


👤 riglanto
I personally was really annoyed trying to change/rotate emails. So I created this one here - feel free to give it a try and let me know what you think.

https://non-public.email/


👤 alfiedotwtf
I use unique, long random-character addresses, and the biggest company that sold my address was IBM. I've followed them up, but their excuse was that it was leaked from when they were hacked. I don't know who to believe.

👤 TrueGeek
The worst, by far, is Camping World / Good Sam. It’s just amazing how they are willing to sell my email to anyone and everyone. My local branch has a good service department though so I just setup a filter and keep going back.

👤 hansvm
I sent a couple messages to representative Jackie Speier (the IRS id.me shitshow and whatnot) and never got a reply till they started sending campaign advertisements my way. The address doesn't seem to have been sold though.

👤 aendruk
Since 2016 I’ve given out 422 unique addresses in the form @example.com, and so far zero messages have come in from an unexpected sender. I don’t know whether to feel reassured, or just lucky.

👤 janosdebugs
My wife and I use an e-mail pattern of someprefix-(.*)@ourdomain.com and give each site a different "alias". It keeps out the trash, but lets us filter nicely, and also catch data leaks. So far we caught one.

👤 nextos
Amazon vendors, several times.

👤 jnwatson
I’ve been using @ for over 20 years.

Perusing my spam folder, adobe is the worst but still less than 10%. Most match the leaks listed in haveibeenpwned.com.

I really need to put sales@ and root@ on my blocklist.


👤 dezb
yep.. I use a xxx@zoho.com webmail account to register for 100% of anything that required a "regwall" ( registration firewall ) as you are 100% going to get email from them all even if you opt-out.. also any events like webinars or free ebook or whitepaper downloads that say "work email only" allowed I use https://temp-mail.org/ to teach them to not be so stupid about this "only work email address" nonsense..

👤 devinegan
After doing this for years most of my catchall email spam is from breaches.

👤 dale_glass
I've done this for a very long time. Practically all my spam is sent to my CPAN (Perl module archive) address. Which indicates that it's just the thing that's most easily harvested.

👤 pards
TIL about Fastmail's "masked email" feature which integrates directly with 1Password to make it really easy to use unique email addresses when signing up for services.

👤 mint2
I answered a survey with a fake name, not email, for one of the two major political parties. I now get horrible spam from scammers addressed to that name which I never used anywhere else.

👤 toast0
Mostly email addresses from forums that got hacked. Or addresses used while my domain was owned by someone else (I didn't renew it, but then they didn't renew it and I got it back)

👤 nathanaldensr
I have been receiving tons of lame sellers from @gmail.com email addresses trying to sell things like toenail clippers. Emails were sent to the email address I used to sign up for hired.com.

👤 Nursie
It's not so much sold as "got hacked". Often the spam for an address starts shortly after an announcement of some sort of breach. Pandora is the one that springs to mind.

👤 stevenicr
one of my single use emails that gets consistent spam from various places for some years now, was only used to sign up for a hostgator hosting account.

Now I can't be 100% sure - but I am 99.9% sure that was the only place that addy was used.

I have several that get spammed heavy that were used to sign up at various forums some years ago as well.

I just started sorting these into folders more last week, trying to remember the ones I didn't have to mess with that were already going to folders - but that's on a different system.


👤 dddddaviddddd
Most spam comes to me via email addresses I post publicly, e.g. on my website. I used to get spam from an address I had created for SourceForge, but it has tapered off.

👤 rahoulb
My "linkedin@mydomain.com" email gets a LOT of traffic at the moment - I suspect that was a breach rather than being sold on (but that's being charitable).

👤 waoush
I keep an e-mail for anything I suspect I will get spam from, one for anything official like work/job hunting, and a gmail mostly for anything google-related.

👤 bcrosby95
I once had the admin of a MUD sign my email up for spam because I pissed them off.

I also had a friend "helpfully" sign me up for information for some insurance company.


👤 bm5k
The most common thing I see is companies emailing me after I've asked them not to. In that case I just disable that site specific email and move on.

👤 jdenning
Dropbox stands out as 1) a company I didn’t expect would sell my email, and 2) some of the worst spammers in terms of phishing/scam attempts.

👤 BonoboIO
123rf.com was 100% hacked or breached.

Received SPAM on a really old account which I do not use, unique email address and from one day to another it was daily SPAM.


👤 rhn_mk1
Kickstarter regularly sells my address, even soon after changing it. I don't think any other entity did that, which is mildly surprising.

👤 Slikey
Amazon. Amazon Pay has been the worst offender and every purchase using Amazon Pay has leaked my Amazon email to third parties.

👤 rictic
I get some scam/phishing/malware emails sometimes from an account I've only ever used to sign up for comcast.

👤 osamagirl69
Just took a quick look through the spam folder and found spam (real spam, like fake fedex invoices or whatever) from:

pretty much anything vaguely related to crypto

edaboard.com

lastfm.com

pcbway.com

asus.com


👤 albert_e
side question:

if you use the name+tag@gmail.com trick to tag the business or website where you are using that email

can't a scraper remove all +tag portions using a regex and send spam email directly to plain email address

you won't know the source of the leak if that happens

businesses can themselves do this if they deliberately want to sell or misuse your info
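
On the +tag question above, an added example (not part of the original thread): on a catch-all domain the per-service marker can be the local part itself, with a keyed check value, so there is no plain address to strip back to and guessed aliases can be told apart from issued ones. The domain, key and service names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not from the thread).
SECRET = b"constructed-demo-key"   # known only to the mailbox owner
DOMAIN = "example.org"             # a catch-all domain you control


def strip_plus_tag(address: str) -> str:
    """The normalisation the comment describes: drop '+tag' before the '@'."""
    return re.sub(r"\+[^@]*(?=@)", "", address)


def _check(service: str) -> str:
    """First 8 hex characters of HMAC-SHA256(SECRET, service)."""
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:8]


def make_alias(service: str) -> str:
    """Per-service alias of the form <service>.<check>@DOMAIN."""
    service = service.lower()
    return f"{service}.{_check(service)}@{DOMAIN}"


def identify_source(recipient: str):
    """Return the service an alias was issued to, or None if the local
    part was never issued (for example a dictionary-guessed address)."""
    local, _, host = recipient.lower().partition("@")
    service, _, check = local.rpartition(".")
    if host != DOMAIN or not service:
        return None
    ok = hmac.compare_digest(check.encode(), _check(service).encode())
    return service if ok else None


if __name__ == "__main__":
    print(strip_plus_tag("name+shop@gmail.com"))     # tag is lost
    alias = make_alias("shop")
    print(alias, "->", identify_source(alias))       # source still recoverable
    print(identify_source("shop.zzzzzzzz@example.org"))  # never issued
```

A mail filter can run `identify_source` on the envelope recipient to label the leak source and to reject catch-all recipients that were never issued.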


👤 hollowpython
Question: can you recommend any service to quickly create new accounts, but redirect them to my main one?

👤 DreamFlasher
I should curate a list. Most recently: Venmo. I expect news about a data breach soon. Before that: epik.

👤 athenot
For me the big ones have been:

- Adobe

- Equifax

- Zappos (prior to their acquisition by Amazon)

- Gizmo (defunct VoIP service acquired by Google)

- Tumblr

- Amazon (though that's likely via a seller)


👤 benditlike
I started getting satellite radio spam to the address I used at the car dealership/service.

👤 tebruno99
No one has sold me out in the 2 years. I think they know and scan for it before sales.

👤 dannysu
I always use unique email. So far this problem only happened once with Zenni Optical.

👤 dustractor
A coffee-shop where I applied for a job. A freaking coffee shop? Really?

👤 healsdata
Just this year, Angi (formerly Angie's List) did. I requested contact from a few providers for a specific home repair job. Not only did I get emails from other providers, but a few weeks later, I was on mailing lists for completely unrelated types of contractors.

👤 fnordpiglet
I’ve done this for about 30 years. USPS is by far the worst offender.

👤 captn3m0
Amazon sold me out, because I bought a flight ticket using Amazon India once. Amazon's partner was cleartrip, so I started getting spam from ClearTrip on my amazon@ email address. I complained loudly to Amazon, which didn't care much.

👤 AlecSchueler
In 10 years only happened once, by CBS after they bought Last.FM

👤 Sparkenstein
In India, it's majorly job portals like Naukri, monster etc

👤 testingwaters4
After using this technique for 4 years, only Reddit so far!

👤 sashk
GitHub, linkedin, couple of smaller stores, who were hacked.

👤 msarrel
Our utilities sold us. Cal Am water and Greenwaste.

👤 fxtentacle
Adobe getting hacked

👤 Macha
Dropbox and gravatar breaches.

In particular recruiters (including from 1 faang) have picked up the gravatar breach, and after some gdpr digging I've found a few of the unscrupulous vendors that laundered the breach data into the recruiter spam industry


👤 moltar
No idea because I use Trashmail everywhere :D

👤 jlelse
Contentful was hacked and leaked my email.

👤 ta988
Robinhood, Comcast, TicketMaster, Linkedin

👤 Komodai
Skrill, sold to some gambling company.

👤 brianzelip
Totally hilarious thread. Thanks all!

👤 MerelyMortal
So far only one: Hinge dating app.

👤 weitzj
MyHeritage either sold my email

👤 mawalu
ledger hardware wallet, invisionapp.com and my public github email

👤 sharpn
LinkedIn & MySpace

👤 NetOpWibby
United Domains

👤 moosedev
LendingTree.

👤 axkdev
Contentful

👤 xstefen
LinkedIn

👤 ericfrazier
Oregon DMV

👤 thatgerhard
linkedin, a few times now