Disposable email address compromised? Could be this...

General discussion re sg.


Post by planux » Wed Jan 03, 2018 8:21 am

I've been using SG for several years and on ~10 occasions, one of my (>100) disposable email addresses inexplicably started receiving mass quantities of spam. I've always been quick to finger the website on which I used the (now compromised) disposable email address -- but several of them seemed, intuitively, very unlikely to have such terrible security as to be leaking my (disposable) email address. One such example in particular was Dropbox, which seemed to have leaked my disposable Dropbox email address because of the spam I started getting soon after registering... and they have reasonably good security.

Today, I read this blog article:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

which describes a (fairly) long-standing attack that websites can use against your web browser-based password manager. Now, I try to remember to disable the web browser-based password manager as I use a separate password manager application, but I'm sure I've accidentally clicked "remember this password" or "save this email address" on a few occasions. This article lays out a very compelling explanation of how the email address portion of the items saved in the browser's password manager could be read by a third-party site. And, if you're like me, that email address is very likely to be an SG disposable email address.

So, next time one of your disposable email addresses is compromised and starts receiving a boatload of spam, check to see if it's one of the elements saved in your browser's password manager before jumping (as I did) to the conclusion that the site(s) on which the disposable email address was used are responsible for the leak.
planux
 
Posts: 2
Joined: Mon Apr 15, 2013 8:49 pm

Re: Disposable email address compromised? Could be this...

Post by josh » Thu Jun 14, 2018 4:15 am

yikes - thanks for the writeup
josh
 
Posts: 1342
Joined: Fri Aug 29, 2003 2:28 pm

Re: Disposable email address compromised? Could be this...

Post by vertigo » Wed Sep 05, 2018 5:14 pm

As you pointed out, the built-in browser password manager should absolutely NOT be used. I think they're even starting to do away with it or disable it by default. I personally recommend KeePass or KeePassXC. Some people prefer online ones like LastPass, though I don't because they can be hacked (though I suppose you could use 2FA if they have it). In fact, LastPass got hacked right after I set up an account and loaded it with all my logins and passwords; go figure. But while this has made you question how your emails were compromised, you can rest assured that companies definitely do share them, I suspect willingly in most cases, but sometimes due to being hacked or accidentally leaking the info. In the years I've been using alias addresses, I've had 3-4 out of 300+ emails receive spam, so that's actually really good, and much better than I expected. I've also never, to my knowledge, received any spam using a modification of an alias. After all, they're not going to manually look through the lists and figure out what emails are using aliases and go through the trouble of modifying them; it's all automated.
vertigo
 
Posts: 5
Joined: Mon Jun 13, 2016 10:58 pm

