Testing some emails in haveibeenpwned, I realized something terrible about these leaks.

In isolation, ok, you have just your personal data like birthdate, name, phone number leaked just based on an email.

But now that there have been so many leaks, just taking a single email, you can easily map an important part of the profile of a person. Give me an email, and I now have:

- All identification details, sometimes scanned ID documents.
- LinkedIn details about the professional life of a person: which company, when, ...
- Even without the clear official address, you can have an average estimation of where the person lives by looking at the countries or locations of the breached companies.
- I can see, with leaks of big and small retailers like Costco, where the person is doing their shopping. Sometimes it can be worse for specialized retailers, like knowing that you might be vegetarian, or that you buy electronic products.
- With telecom provider breaches, you know the internet and mobile provider of a person; you can also discover that the person has multiple phone and mobile lines.
- With leaks of forums and so on, you can see if a user is into specific topics.
- With leaks of airline providers and the like, you can know if the person is a frequent flyer, and might be a frequent visitor of some countries or areas of the world, as companies are often highly linked with their HQ country base.
- You might also know that a person is frequently living in another place/country than their official residence ...

Makes me feel OK about my strategy of using a different email for every sign-up.

If you run your own domain and have a wildcard for email, this is a very good strategy. I also never provide my real birthdate for (almost) anything. The vast majority DO NOT NEED IT, and in the rare case where it might be required (I still doubt it, but maybe for age of majority or consent, or a waiver) I use Jan 1st of the real year. This has caused problems (ex: doesn't match your ID) but on balance seems to be positive.

Even without your own email hosting, Gmail kind of lets you do this by appending +whatever to your address before @gmail.com. Obviously this can be trivially detected and stripped, but I suppose it is better than nothing. Multiple real email addresses are definitely a best practice.
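The two points above, that one email lets an attacker join records across many breaches, and that Gmail-style +tags are trivially stripped, can be shown in a few lines. The following is an added example (not code from any commenter): it canonicalizes addresses the way a data broker or breach aggregator would and then joins constructed, fictional breach rows on the result. The +tag rule is applied to every domain as an assumption (it is a common sub-addressing convention, but not every provider uses `+`); the dot-insensitivity and the googlemail.com merge are Gmail-specific behaviour. Aliases on a personal domain (here the hypothetical `jane.example`) survive the merge, which is the point the wildcard-domain commenters are making.

```python
from collections import defaultdict

# Constructed, fictional breach rows. Each tuple is (source, record).
# No real breach data is used; the domain "jane.example" is hypothetical.
BREACHES = [
    ("retailer-a", {"email": "Jane.Doe+shop@gmail.com", "city": "Lyon"}),
    ("telecom-b", {"email": "janedoe@googlemail.com", "lines": 2}),
    ("airline-c", {"email": "jane.doe+travel@gmail.com", "status": "frequent flyer"}),
    ("forum-d", {"email": "other.person@example.org", "topic": "woodworking"}),
    # Wildcard-domain aliases: each service got its own local part.
    ("retailer-a", {"email": "retailer-a@jane.example", "city": "Lyon"}),
    ("airline-c", {"email": "airline-c@jane.example", "status": "frequent flyer"}),
]

# Domains that deliver to the same Google mailbox and ignore dots in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize(email: str) -> str:
    """Return the canonical mailbox an address most likely delivers to.

    Rules applied (the first is an assumption that holds for many, not all,
    providers; the rest are Gmail-specific):
      1. drop everything from the first '+' in the local part (sub-addressing)
      2. for Gmail, remove dots in the local part
      3. fold googlemail.com into gmail.com
    """
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    local = local.split("+", 1)[0]          # assumption: '+' is the tag separator
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots
        domain = "gmail.com"                # same mailbox under either domain
    return f"{local}@{domain}"


def correlate(breaches):
    """Join breach rows on the normalized address.

    Returns {canonical_email: {source: fields_without_email}} so the caller can
    see how many independent leaks collapse onto one identity.
    """
    profiles = defaultdict(dict)
    for source, row in breaches:
        key = normalize(row["email"])
        profiles[key][source] = {k: v for k, v in row.items() if k != "email"}
    return dict(profiles)


def sources_for(breaches, email: str):
    """Set of breach sources attributable to the mailbox behind `email`."""
    return set(correlate(breaches).get(normalize(email), {}))


if __name__ == "__main__":
    for mailbox, hits in correlate(BREACHES).items():
        print(mailbox, "->", sorted(hits))
```

Running this, the three Gmail spellings collapse onto one mailbox with three sources attached, while the two `jane.example` aliases stay separate, so the retailer and airline records cannot be joined by address normalization alone. The caveat is in the domain part: every alias still ends in `jane.example`, and a rare personal domain is itself a strong correlator, which is also why the later comment about having to keep that domain registered matters.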

Like: myname+whatever@gmail.com?

Yep. I do this a lot. It occasionally doesn't work (e.g. some sites don't think + is valid).

To be fair, I don't think it's made a huge difference in my life. In fact it's possibly been more of a negative than a positive.

You do realize that if this is your strategy, you must own that domain FOREVER. Whoever purchases that domain after it expires now owns all your email aliases. Assuming you do a good job of changing all your emails at every service you ever used, there is still that potential leak. Large cloud services such as Google do not allow name reuse. Of course, paying for a domain name forever is probably still a better idea than a provider who can be purchased, but just a reminder!!

It’s a good call out. I’m glad that I used one domain instead of scattershot across all the ones I’ve owned: at least I’m only bound to renew the one domain. It’s a cheap TLD and hopefully it stays cheap!
