For nearly 10 years I have used a dedicated email address and password for every single website or company I register with online.
That may seem cumbersome to many, as I need to log into a custom platform to create a new email address during registration, and I need to keep a record of all those passwords/emails/credentials somewhere to remember what I’ve done and where, but this has numerous benefits:
– Automatically sort incoming email into dedicated folders and prioritize between private and commercial emails. A simple rule in my Thunderbird client does it perfectly.
– Detect database leaks. If any company/website gets hacked or resells its user base to third parties, I’ll start receiving spam or emails from third parties at the leaked email address, and quickly figure out the reason.
– Stop the infection easily. If I really need to stay registered on the website, I only need to update my records and change the email address to no longer receive spam, and « reset the trigger » to see if it will happen again in the future.
– Prevent propagation: if a company’s database is hacked/leaked, my dedicated credentials won’t work on other websites. Most people have to change their passwords on every website when there is a breach, since they tend to use the same email and password everywhere.
– Publicize and tell such companies they may have been hacked, or confirm that they resell user databases.
– Discard old credentials and registration details from websites I don’t want to use anymore, since all my credentials are kept on record and sorted chronologically.
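As an added example that is not part of the original post, here is a small Python registry of per-site aliases implementing the leak check and the per-company sorting described above: mail arriving on an alias from a domain other than the registered company flags that company as the likely source of the leak. Every alias, company, domain and message in it is constructed sample data.

```python
from datetime import date
from email.utils import parseaddr

# Registry of per-site aliases, kept chronologically as the post describes.
# alias -> (company, registration date, domains allowed to mail the alias).
# Every alias, company and domain below is constructed sample data.
REGISTRY = {
    "shop-2009@example.net": ("ExampleShop", date(2009, 3, 1), {"exampleshop.example"}),
    "flyer-2010@example.net": ("ExampleAir", date(2010, 6, 12), {"exampleair.example"}),
}

def domain_of(header_value):
    """Lower-cased domain of an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def is_expected(alias, from_header, registry=REGISTRY):
    """True when the sender is the registered company or one of its subdomains."""
    dom = domain_of(from_header)
    return any(dom == d or dom.endswith("." + d) for d in registry[alias][2])

def classify(messages, registry=REGISTRY):
    """messages: iterable of (To, From) header pairs.
    Returns (leaked, unknown): leaked maps an alias to the unexpected sender
    domains seen on it, which points at the company that lost or resold it;
    unknown lists recipient addresses that were never registered."""
    leaked, unknown = {}, []
    for to_header, from_header in messages:
        alias = parseaddr(to_header)[1].lower()
        if alias not in registry:
            unknown.append(alias)
        elif not is_expected(alias, from_header, registry):
            leaked.setdefault(alias, []).append(domain_of(from_header))
    return leaked, unknown

def folder_for(alias, registry=REGISTRY):
    """One folder per company, like the Thunderbird sorting rule in the post."""
    return registry[alias][0] if alias in registry else "Unsorted"

# Constructed sample traffic: a genuine order mail, a newsletter from a subdomain
# of the airline, an unrelated sender hitting the airline alias, and a stray.
SAMPLE = [
    ("shop-2009@example.net", "Orders <orders@exampleshop.example>"),
    ("flyer-2010@example.net", "News <news@mail.exampleair.example>"),
    ("flyer-2010@example.net", "Deals <promo@unrelated.example>"),
    ("nobody@example.net", "x@y.example"),
]

if __name__ == "__main__":
    leaked, unknown = classify(SAMPLE)
    for alias, senders in leaked.items():
        print(f"{REGISTRY[alias][0]} ({alias}) probably leaked to: {senders}")
```

Rotating an alias after a detection is just replacing its registry key, which is the « reset the trigger » step.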
e-Carte Bleue: Virtual One-Time-Use Credit Card!
And because I’m paranoid about this (several years ago my bank account was hacked and I had numerous issues with fraudulent online payments), I also use a one-time-use credit card number each time I make a transaction online! Yes, that’s possible thanks to the e-CarteBleue service. My bank provides me with a virtual credit card: I just log into their system, enter the amount of the purchase, and it generates a unique code that can only be used once, and only for the specified amount. That’s very convenient.
My updated list of leaked email addresses
Here I keep a list of companies that seem to have trouble keeping my email address secret. I’ll update it whenever I get new spam.
2016: Kickstarter. Received a spam in German, coming from Russia. Waiting to see if I’ll get more. A friend of mine just told me they seem to forward their users’ email addresses to project funders, which may explain it a bit. So if that’s the case, I should create a dedicated account and email address for any new Kickstarter project I’m interested in… that’s getting heavy to manage.
2015: LinkedIn. They seem to make my address somewhat public to my contacts, since I have already changed my email address several times and started receiving spam on it a few days after each change.
2015: Weezevent. Receiving a lot of spam in French, mostly targeted at SME businesses. I’ve contacted them and they swear they didn’t resell the database. That’s interesting.
2013: ASIS International. This one is funny, because ASIS is one of the most important non-profit associations of security professionals. They clearly got hacked, and the full database was leaked to spammers, including numerous details of important security professionals… When asked about this, they never admitted they were hacked although it was obvious… that’s unprofessional.
2010: Air France. I started receiving spam shortly after I got my frequent-flyer card. First it was advertising from third parties (meaning they resold the database), but soon after I also received spam written in different languages. I guess one of their third parties got hacked or resold it too… anyway, that proves all those marketing incentives are wrong.
2009: CDiscount. This major French online shop just got hacked. Since I no longer live in France, I just didn’t care and « canceled » my account (whatever that means).
2007: QTEK. Smartphone manufacturer (rebranded to HTC). They got hacked too.
Comment by lym on 2016-01-05 12:41:26 +0200
Lots of mail providers now propose creating aliases that’ll end up in the base email account. This is probably less perfect isolation (a reference to the base account may remain in the alias header? Single mail login, thus a single-password-per-account policy will be even more important…) but less hassle too. And the aliases are revocable.
Comment by Bruno Kerouanton on 2016-01-05 14:20:15 +0200
Good point Lym. To clarify, I use email aliases too (my provider gives me 1000 per mailbox), and that’s easy to manage.
Comment by Denis on 2016-01-05 22:38:18 +0200
You can add soekris.eu to your list. Don’t know if they were hacked or if they sold it, though.
Comment by Bruno Kerouanton on 2016-01-06 11:04:29 +0200
Thanks for the feedback. I should create a git repository to update this list collectively.
Comment by Denis on 2016-01-06 20:10:20 +0200
That’s a wonderful idea 🙂
Comment by Varun Agrawal on 2016-01-30 21:37:17 +0200
I use a homegrown password manager that generates a unique password based on the domain name. It is very convenient to use (just a few key presses). I also use CryptoTE to store very secure details like bank details, domain registrar account, Google/MS accounts, ...
Also, many banks here require 2FA (password + unique SMS code) for each debit card transaction and don’t enable international usage by default. So you can use one of those to save the hassle of getting a virtual card.
Btw, most of the spam I’ve received is from Neteller. They definitely sell your contact details to gaming/betting-related sites.