The Saga of People Keep Using My Smegging Email Address to Sign up to Stuff

I have one of those email addresses that’s generic enough to be accidentally entered as I signed up for it with a particular service back when they first launched their email service. Without typing it out for all the world to see, it’s basically my name. It’s such a generic email address that I get sent all sorts of things accidentally. I wrote a blog post about it a while back, you should probably read that before continuing to read this one.

I can’t quite show the correct level of anger and bewilderment I feel towards this blog post using my physical features so here’s one of my cartoons showing it for me. Thanks, Ralph.

Since then, things have gotten worse. I’m not just getting people emailing me by accident, I’m also getting people signing up for things using my email address. This is absolutely baffling and utterly frustrating, primarily because I work in I.T. and take the following stance:

  • I have locked this email address down with two-factor authentication (and you should with yours, too!) as it has access to some fairly sensitive accounts, often involving bank details.
  • If someone signs up for an account with my email address, that service could be compromised at some point and then a hacker could feasibly find out about my (actually quite guessable) email address.
  • I don’t want to receive emails and materials from services I haven’t signed up to.
  • If you sign up to something using my email address, as far as I’m concerned that is now my account and I will take ownership of it.

The Small Stuff

The earliest example I can remember of someone using my email was for a banking service in America. The bank emailed me to let me know that they had set up an account and would be using the email to send secure documents and passwords and the like. This is a bit like a mouse proclaiming that a lion’s mouth is the door to their new home and voluntarily walking in past the sharp teeth and into the stomach. A less scrupulous person would have possibly considered asking them to transfer monies to another account (their own) and then shut the account down. As it stands what I actually did was contact the bank and inform them that they had the email address incorrect. I can only imagine the embarrassment for the bank that this should have happened.

I had someone’s plane tickets come through to me once. I then had to send a support ticket to the airline to get in touch with the person as they presumably hadn’t received their tickets. I genuinely think this one was a typo instead of an act of ignorance.

The Bigger Stuff

We now move on to the situations where I genuinely believe that someone has signed up for accounts using my email address, presumably not thinking that it is a real email address.

The first occasion was for a Christmas messaging site. I can’t remember the domain but I believe it was a John Lewis thing or some such, a website where you could generate videos with messages to people. I think some kid signed up to the site using my email and naively just assumed it wasn’t a real address. Either way they locked themselves out (I know because I received the password reset emails) and then because I like to channel the spirit of Ebenezer Scrooge I reset the password myself, logged into the account and deleted it from the face of the earth.

The second notable occasion was for some body and health shopping website. I received the “thanks for signing up!” emails along with a load of newsletters for them I didn’t want. This one was dodgier as, once I’d reset the password and logged into the account, I discovered that the account actually had banking details and a street address! Rather than delete the account I changed the email address and password and then sent a text message to the person’s mobile using a free web SMS service claiming that the shop had had to reset the password due to a data breach. I also, at the suggestion of some work colleagues, sent a Gideon’s bible via a web service[1] to their address along with the personalised message of “please stop using my bloody email address”. I actually have no idea if the text message or the bible got through or if the person ever got back into their account.

The Biggest yet (This One’s a Doozy!)

It had been a while since any incidents like this to the point where I actually had the fatal thought the other day of “it’s the end of the year and nobody has signed up for anything with my email address for once, how nice!”.

On Boxing Day I received an email from Apple informing me that Shannon Payne had signed into their iPhone 6+ using their new Apple ID. The staggering, baffling thing was that she had signed up for an Apple ID using my email address. Even more frustratingly I was actually looking to sign up for my own Apple ID very soon as there are various iTunes exclusive tracks I need to add to my extensive music collection.

So I thought “that’s fine, I’ll just claim the account because it’s my frigging email address, delete all of her info and use it for my own nefarious purposes”. Oh ho, if only it were that simple!

You see, Apple are one of the more secure tech companies out there. While I managed to reset the password with no problems, Shannon had been prompted to provide three security questions! Bollocks.

Boxing Day evening was spent on the phone to Apple support regarding a problem I had with an account I didn’t create[2]. To my pleasure the first support agent was as confused by the situation as I was, because why would somebody willingly sign up to something using somebody else’s email address? The chap put me on hold for five minutes and consulted an advisor. When he got back to me he had the following:

“It’s alright Mr. Payne, since Shannon doesn’t have access to the email address she won’t be able to verify that it’s her email. So you should be able to sign up for an Apple ID and you can then verify the email to your account as you actually have access to the email address.”

Brilliant! Makes sense. I confirmed that two separate emails had been sent to me already asking Shannon to verify and I had not clicked the links in either. Hanging up, I went to create an account…

…Only there’s another problem. The Apple ID is the email address. Because Shannon has already used my email address I can’t enter that email address as the one I want to use. It’s already been claimed. Frustrated, I got back on the phone to Apple support and explained to a second support agent the situation in reference to the ref no. of the support ticket I already had open. This support agent is just as baffled as the first as to why this Shannon lady has done this but confirms the advice of the first support agent.

“That’s fine,” I said, “but when does the email verification period expire? I have both of the verification emails and I have clicked neither link, but I also cannot create my own Apple ID with that email as it’s already been claimed!”

I reiterate the point that, as far as I’m concerned, this is a breach of privacy in terms of my email address. We’re now at a stalemate; I can’t claim the account because Shannon has locked it with security questions but she equally can’t get back into the account as I’ve changed the password! If anything the account should default back to me as it’s my frigging email address.

I just want to reiterate that I don’t want access to Shannon’s bank details or to do anything malicious like remotely wipe her phone. I just want control of any accounts that utilise my email address, mostly so I can lock them down or, if I don’t need them any more, delete them. Incidentally, I would happily reach out to Shannon directly, except there’s about 30+ Shannon Paynes on Facebook and, haha, I don’t know what her email address is as she keeps using mine.

As it currently stands Apple have had to escalate the issue to their engineers and one of them sent me a code I had to read out to confirm that it is my email address. I’ve noticed that the Apple ID can’t be logged into at the moment and I can’t reset the password on it so I guess they’re doing something with the account. Fair play to Apple, for a company I’ve always been cynical about their tech support seems very prompt and understanding. I’m quite impressed.

The Accidental Hacker

In these situations I find myself being made the villain. If I was actually a malicious hacker and complete bastard this is the ideal situation of people signing up to accounts using credentials I have control over. If I was a burglar it’s basically like building a house, filling it with expensive stuff and then handing me the master keys!

In the instance of the health shop, I even went to the lengths of sending a fake password reset SMS and all the while I’m thinking that this is probably the sort of tool a hacker would normally use to get into the account, not let someone back into theirs.

Except I don’t like being the villain, and I’m fed up of people using my email address, maliciously or otherwise. I’ve made the decision that I need to pick another, more obscure email address and start transitioning stuff over to it. I can still use my current email address and link the two but maybe I’ll make my current one a “public” address and stick it on the website for randoms and spammers to email me with. I’m pretty sure my email address was exposed when bit.ly got hacked a few years back anyway.

Here’s what to take away from my little anecdote:

  • While having an email address that’s one of the “first” ones sounds great, it’s actually a bloody nuisance. Pick something obscure with some numbers in it[3].
  • DO stick two-factor authentication on your email address. I understand that SMS can be intercepted so use a code generator when you can[4].
  • DO use a password manager. I went through all the accounts I could find the other month and it was frankly terrifying as to the number of accounts which used the same email address and password. I’ll be rectifying this by changing both my password to something random and my username to a more obscure email address.

If this was a YouTube video I’d probably end this with a sponsored link to a password manager or a VPN service[5], but it’s not so I won’t.

Hope you’ve had a good Christmas and all the best for the new year!


  1. I can’t remember the web address for this but I remember it was a service local to the person I was trying to send one to and that the website looked like it was built in 1995.
  2. Read this sentence back through a few times, it’s absurd.
  3. I feel sorry for anyone who claimed a “joebloggs@” or “example@” address.
  4. Although I have had this fail on me too! In those circumstances all you can do is email the service you can’t log into and ask them to temporarily remove the two-factor authentication, which sort of negates the point but what can you do?
  5. What’s a VPN you ask? This is PAYNEful Blogsplosion, not bloody Wikipedia. Look it up on your own time!

Posted December 28, 2018 at 10:30 pm | Real Life, Technology
