While reading about the things happening to the people caught up in the 2015 Ashley Madison breach, I decided to write about my own adventures with a pwned (compromised) email address. (No, I did not get caught in the A-M breach!)
This old Yahoo! email address was responsible for many IRC/Yahoo! Chat shenanigans. I received my first digital photos on this account (hey, pinkbutterflybaby!), and applied for my first job from this email address. Over the years it has become the address I give when a valid email is required, and a grrl.to address won’t suffice.
Starting around Feb 2019, I’ve had three interesting examples of this email address being used to sign up for various things.
The first (and most interesting one) was an early morning Instagram account creation –
I woke up to this login attempt and tried to get into the account with the password reset. That worked, and the account did not have any followers/posts. I felt like owning the account, so I changed the password to a secure one. After this, I saw one attempt by the other person to log in that day, and then a few more attempts in the next few months. This one was fun (for me), as I now have two “desirable” Insta handles.
(My other insta handle is desired by a namesake. That person keeps trying to get into the account every few weeks by resetting the password. By the look of his friends who tag me in random pictures and comments, he is an annoyed teen.)
The second one was a more straightforward account creation –
The third one happened two days ago –
Outside of the first instance, the remaining account creations have been rather tame – simply more spam that I did not sign up for. However, it has been interesting to see the life of a pwned valid email address. I’m lucky in the fact that this address is not used for any major accounts. That said, it has probably been tested against major sites, like Disney+, to attempt account takeovers. Given that many popular services have been publicly breached – and many have probably been breached but have not found out or revealed the details – it is a good idea to set up alerts for your email addresses on services like haveibeenpwned.com. Changing your passwords to strong passwords and using a good password manager to secure and manage them will help keep your digital life secure for a long time.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams to technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.