Adventures of my pwned email address

While reading about the things happening to the people caught up in the 2015 Ashley Madison breach, I decided to write about my own adventures with a pwned (compromised) email address. (No, I did not get caught in the A-M breach!)

Some background – the email address I’m talking about is my first ever email address. I think I created it in 1998/1999. It was among the first things I did when a new internet parlor opened in my area in Chennai, India. I was in 11^th grade.

This old Yahoo! email address was responsible for many IRC/Yahoo! Chat shenanigans. I received my first digital photos on this account (hey, pinkbutterflybaby!), and applied for my first job from this email address. Over the years it has become the address I give when a valid email is required, and a grrl.to address won’t suffice.

Given how old it is, and how much it has been shared, it’s shown up in a bunch of breaches. HIBP ‘s annoyingly long list shows Disqus, Tumblr, Trillian (yes, I’m that old!), Zynga (darn you Farmville!)  etc – and these are about right. We’ve been able to source a lot of these lists for the Barracuda WAF Credential Stuffing Detection Database, and I’m “pleasantly” reassured by how complex and unique my old passwords were.

Starting around Feb 2019, I’ve had three interesting examples of this email address being used to sign up for various things.

The first (and most interesting one) was an early morning Instagram account creation –

(While the first email in this search talks about a new login, the account creation was not done by me – I could not find those emails, and immediately changed the Y! email password)

I woke up to this login attempt and tried to get into the account with the password reset. That worked, and the account did not have any followers/posts. I felt like owning the account, so I changed the password to a secure one. Post this, I saw one attempt by the other person to login on that day, and then a few more attempts in the next few months. This one was fun (for me), as I now have two “desirable” Insta handle.

(My other insta handle is desired by a namesake. That person keeps trying to get into the account every few weeks by resetting the password. By the look of his friends who tag me in random pictures and comments, he is an annoyed teen.)

The second one was a more straightforward account creation –

This happened when I was awake, and decidedly not signing up for their newsletters. Unfortunately, closing the account has not been possible.

The third one happened two days ago –

Royal Panda is an online casino that someone has signed up for, with my email address.

Outside of the first instance, the remaining account creations have been rather tame – simply more spam that I did not sign up for. However, it has been interesting to see the life of a pwned valid email address. I’m lucky in the fact that this address is not used for any major accounts. That said it probably has been tested against major sites, like Disney+ to attempt account takeovers. Given that many popular services have been publicly breached – and many have probably been breached, but not found out/revealed the details – it is a good idea to set up alerts for your email addresses on services like haveibeenpwned.com. Changing your passwords to strong passwords, and using a good password manager to secure and manage them will help keep your digital life secure for a long time.