People keep registering stuff in my email address

TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
I have an email account that is very old. It is a google mail account. Easily over 20 years old at this point. When I registered it, it was early enough in the history of the internet that I got a fairly short and succinct name. Which I thought nothing of at the time, but in recent months has proven hellish for me for the following reasons:
  1. Spam. So much spam. Tons of spam.
  2. People often list my email address when they want to sign up for something and don't want to give their legit email address.
  3. People often mistype their email address, and instead register my email address.

People try to break into this account, either to gain control of it maliciously, or because they think it belongs to them. I've done my absolute damnedest to secure this account. Absolutely lock it down. I've done the following:
  • Migrated any dependent accounts off of this email address.
  • Ensured IMAP and POP3 are disabled. I only ever check it via logging in via web, and logging out after checking the account sufficiently.
  • Given the account the most secure password I ever could.
  • Enabled two factor authentication with a physical security key. Google advanced protection is on.
  • Kept an eye on login history and connected devices for the account (My connections and devices are the only ones ever listed).

This morning I woke up to find someone had registered a Hilton Honors account not in my name, but with my email address listed as the account's email address. There were two emails, about five minutes apart. The first contained a link for use to "create or reset the password for your Hilton Honors account", and the second was an email verifying the account's creation, complete with account number and first name of a person who was not me.

I called Hilton via a number I looked up on their website via a different computer, and they verified the account is legitimate. They refused to take my email address off the account, because I'm not the account holder and can't verify the phone number on file. Which, whatever - I'm less concerned about the account, and more concerned that its legitimacy means someone activated the account, which ostensibly should only be possible via the link in my email inbox.

I check the connection log, and the last entry is my IP from two days ago. I checked the connected devices list, and the only thing on there is my computer. The emails were still unread when I found them in my inbox.

I'm completely unsure what's going on, but this latest event is enough to make me fed up. I want to completely torch this account and everything associated with it, because it has been making me nothing but paranoid for months now.

If I delete this account, I am worried that someone else can steal it that much more easily, though. Either by using account recovery after I've deleted the account, or else by stealing the account name after the account is gone.

1. Is it possible to verify when an account is absolutely, truly gone? To know that it is deleted forever, instead of the limbo of "Soft deleted, but still recoverable"?
2. If someone tries to recover the account after I've deleted it, is there a way to get a notification about that?
3. If I attempt to delete the account, will this send notice to anyone else? Will there be a way for people who are NOT me to know that deletion has happened?
4. Is it possible for someone else to snatch my old email name after my account is deleted? I've migrated everything off of this account, but I've seen old, insecure sites that will always accept the first email account you registered with, rather than respecting updated information. I'm worried someone can use this account to worm into other email addresses of mine, even if they are no longer connected.

And if anyone has any freaking clue what might be going on here at large, I'd appreciate any insight.

Thanks much.

Posts

  • Aioua (Ora Occidens Ora Optima, Registered User regular)
    "activated account" almost certainly means something different to the call center rep than whether the email validation link was clicked, there is basically a 0% chance anyone but you ever saw that email

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Aioua wrote: »
    "activated account" almost certainly means something different to the call center rep than whether the email validation link was clicked, there is basically a 0% chance anyone but you ever saw that email

    So if I'm interpreting you correctly, this was something where the account was activated likely via alternative, non-email means?

    Perhaps if the person behind the counter at a physical hotel location were to create an account for the individual in question?

  • Aldo (Hippo Hooray, Registered User regular)
    edited May 2023
    I think it would be safer for you to keep the gmail account and just migrate stuff to a new account. If you ever realize a weird service is still connected to your old mail, then you can still access it. Google is weird with deleting old accounts and I don't think there is anyone alive who can give 100% guarantees that anything works logically enough for you to rely on it.
    Aioua wrote: »
    "activated account" almost certainly means something different to the call center rep than whether the email validation link was clicked, there is basically a 0% chance anyone but you ever saw that email

    So if I'm interpreting you correctly, this was something where the account was activated likely via alternative, non-email means?

    Perhaps if the person behind the counter at a physical hotel location were to create an account for the individual in question?

    Yes, or an activation link was sent as a text message to the associated phone nr.

  • MichaelLC (In what furnace was thy brain?, Chicago, Registered User regular)
    Agree with Aldo, remove everything connecting you to the account but leave it active.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Thanks much for the advice.

    I've disconnected everything I can, honestly. Google won't allow removal of the recovery email or phone number, though.

    Can't shake the feeling I've forgotten something, and the sheer amount of crap that gets flung at this address is heart-stopping. But I guess better being in control than not?

  • MichaelLC (In what furnace was thy brain?, Chicago, Registered User regular)
    Can you change recovery email and phone?

    Create a throwaway email since it may need to confirm? Phone shouldn't matter.

  • Calica (Registered User regular)
    edited May 2023
    Mildly evil solution to the Hilton thing: use account recovery to change the password, login and remove the email address yourself.

    Won't work if they have 2FA or security questions, of course, but it's worth a shot.

    edit: and if they have a phone number listed you can even text the account owner to let them know they're using an active email address that doesn't belong to them.

  • Phoenix-D (Registered User regular)
    re calica's suggestion- I have told people they have the wrong email before. A weirdly large percentage refuse to listen.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Phoenix-D wrote: »
    re calica's suggestion- I have told people they have the wrong email before. A weirdly large percentage refuse to listen.

    I confess this is what has me worried. The minute I try to log into that account is the minute it looks like I'm doing something nefarious. And given people's behavior in the past, I worry about their trying to take over my email address even more - Seeking out help from Google, etc. - When I try to tell them that it's mine and not theirs.

    It's part of the reason I want to nuke the entire account permanently.

  • Gilgaron (Registered User regular)
    I kind of doubt Google would help anyone take over an email address without receiving several increasingly angry letters from the same judge

  • m!ttens (he/him, Registered User regular)
    I've had this issue in the past, there are two doppelgangers with a very similar name to mine that sign up for stuff and either they or the clerk mistypes the email address and I get emails. The latest and worst one was from Best Buy who kept sending me receipts and promotional crap and I didn't want it, and their online chat CSR said they couldn't remove an email online because I'm not the account holder. I had to call their phone number, wait on hold, escalate one or two levels to get the right level of support for them to eliminate my email from the account. Crazy.

    (the fun and amusing one I got was when my UK doppelganger got invited to a hen do which had all kinds of fun and lurid details in the email itinerary. I had a lovely email correspondence with the maid of honor who was somewhat embarrassed, and I'm glad that my doppelganger didn't miss the party invite because it sounded like a lot of fun)

  • Jasconius (sword criminal mad online, Registered User regular)
    this happened to me on a regular basis a couple of years ago and I did some research... first understand that your email address is perfectly secure if you've properly taken all the steps you describe.. none of what I am about to say is scientific but I've been working in software for nearly 20 years and this is my take...

    1) The attack probably doesn't have to do with the simplicity of the address but the age of it. If it's old and you've used it in the past for registering accounts, your email address is part of leaks, possibly with old passwords. This tells attackers that the address was at one time or another used to register for other accounts, even if the password is outdated

    2) There is no direct attack against your email address. As best as I can figure these attacks are for frontrunning the accounts. The attacker sets up an account in your name and hopes that you'll forget about it and activate it at a later date. They might even set it up with the old leaked password associated with your email. Whatever the case may be they're trying to leave themselves a back door into the account so that they can get into it at a future point. I am not specifically sure what they'd get out of a Hilton account, but most of the ones I had this done against me with were either finance or travel related.

    There is no defense against this that I can think of. The best thing you can do is use another email address as your primary and continue to use strong passwords. This, like many types of email driven attacks, is targeted primarily at people who are not tech savvy at all and will get easily confused by the registration emails.

  • Calica (Registered User regular)
    Jasconius wrote: »
    this happened to me on a regular basis a couple of years ago and I did some research... first understand that your email address is perfectly secure if you've properly taken all the steps you describe.. none of what I am about to say is scientific but I've been working in software for nearly 20 years and this is my take...

    1) The attack probably doesn't have to do with the simplicity of the address but the age of it. If it's old and you've used it in the past for registering accounts, your email address is part of leaks, possibly with old passwords. This tells attackers that the address was at one time or another used to register for other accounts, even if the password is outdated

    2) There is no direct attack against your email address. As best as I can figure these attacks are for frontrunning the accounts. The attacker sets up an account in your name and hopes that you'll forget about it and activate it at a later date. They might even set it up with the old leaked password associated with your email. Whatever the case may be they're trying to leave themselves a back door into the account so that they can get into it at a future point. I am not specifically sure what they'd get out of a Hilton account, but most of the ones I had this done against me with were either finance or travel related.

    There is no defense against this that I can think of. The best thing you can do is use another email address as your primary and continue to use strong passwords. This, like many types of email driven attacks, is targeted primarily at people who are not tech savvy at all and will get easily confused by the registration emails.

    3) They genuinely think that's their email address because a) they don't understand how email works b) they keep forgetting to include their middle initial or whatever

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle, Registered User regular)
    Welp. Just checked that email address after work, and after a less-than-24-hour period, there was a "Please rate your satisfaction with your stay" email from a Hilton in a state I've never set foot in - Plus a full name that could easily be typo'd into this email address.

    There were also 70 Spam messages. In less than 24 hours!!
    Jasconius wrote: »
    2) There is no direct attack against your email address. As best as I can figure these attacks are for frontrunning the accounts. The attacker sets up an account in your name and hopes that you'll forget about it and activate it at a later date. They might even set it up with the old leaked password associated with your email. Whatever the case may be they're trying to leave themselves a back door into the account so that they can get into it at a future point. I am not specifically sure what they'd get out of a Hilton account, but most of the ones I had this done against me with were either finance or travel related.

    This is interesting to me - Could I ask you to please unpack your meaning when you say "Leaving themselves a back door into the account"? How would a Hilton account be leveraged to get into the email account? Phishing/Malformed links?
    Jasconius wrote: »
    There is no defense against this that I can think of. The best thing you can do is use another email address as your primary and continue to use strong passwords. This, like many types of email driven attacks, is targeted primarily at people who are not tech savvy at all and will get easily confused by the registration emails.

    I've migrated off of this account for the better part of a decade at this point. I'm still a little worried about the potential exposure of the recovery email and/or phone number (It's like inviting SIM jacking if that number gets out). I'm still tempted to torch the account to the ground, but at least with a physical security key and advanced protection enrollment, I hope the account can be secure despite the strangeness and overwhelming spam.

  • Magic Pink (Tur-Boner-Fed, Registered User regular)
    Yeah, this happens to me all the time too with my very very old Gmail address. I get emails for email accounts close to but not directly matching my email account as well.

    I just report the account as fraud if it's easy to do so or block it as spam

  • spool32 (Contrary Library, Registered User regular)
    The last time this happened to me, it was someone who signed up for internet service in another state and got my address wrong. Eventually I called the number on all the bills they were sending me and told them to fix their damned account.

    To say they were surprised would be an understatement. But they did fix their account. Turns out it was the customer service person who typo'd it.

  • tynic (PICNIC BADASS, Registered User, ClubPA regular)
    this particular issue doesn't sound like an active attempt at a hack - 9/10 times the Hilton sort of thing is an idiot who doesn't know their own email.

    e.g. I'm presently engaged in a multi-year correspondence with some old duffer in Malta who keeps emailing me scans of his boarding passes, driver's license, even his passport once, because he thinks he's emailing himself. (If I could pass myself off as a septuagenarian with a beard I'd have a very easy path to identity theft).

  • Magic Pink (Tur-Boner-Fed, Registered User regular)
    tynic wrote: »
    this particular issue doesn't sound like an active attempt at a hack - 9/10 times the Hilton sort of thing is an idiot who doesn't know their own email.

    e.g. I'm presently engaged in a multi-year correspondence with some old duffer in Malta who keeps emailing me scans of his boarding passes, driver's license, even his passport once, because he thinks he's emailing himself. (If I could pass myself off as a septuagenarian with a beard I'd have a very easy path to identity theft).

    I CAN pass off as that, let's head to Malta

  • fedaykin666 (Registered User regular)
    edited May 2023
    With reference to account activation question,

    "If you don’t have your Hilton Honors number or preferred email, you can receive an immediate call from customer care by clicking the 'Request a Call' button or the 'Chat Now!' box (both available from this page) to connect to an agent who can help."

    I'm curious how the call centre does it if they push an sms to phone on file but it's on Hilton website this is a method if someone doesn't remember their email.

    Therefore guy may not need control or visibility of the email in order to activate and you have login monitoring data to support this.

    Assuming guy is a legit customer who typoed or didn't care the (from your description) short generic email, he's the one taking a massive risk with his rewards points/saved info/payment etc. that can be accessed via an email he doesn't control.

  • Veevee (Wisconsin, Registered User regular)
    edited May 2023
    My email address is my username here at Gmail. I get a shit ton of people using my email address when they meant ymail.com or email.com or a variety of other things. I get contacts about bills owed by a business in India, someone's emails from their kids school in South Africa and New Zealand. I think I even made a similar thread here once.

    When this happens and I feel like doing more than nothing I just go into whatever account was signed up and change the password to some gibberish. Generally, my smile grows with each password retrieval email that comes in.

  • VoodooV (Registered User regular)
    yeah I'm pretty sure I share a similar email address to a boomer that occasionally gets his email wrong when booking vacations. It's adorable.

    Back in 2013, I also got some accidental email meant for a Fox handler that shared my name who was going to work with Tony Kushner (writer of West Side Story) that shared with me his itinerary for the BAFTA awards.

  • Bursar (Hee Noooo!, PDX area, Registered User regular)
    My gmail has ended up being the same combination of letters as the [first initial]+[last name] for a handful of people over the years. Often sending the company a "Hey, this is the wrong email address, please call whoever it is and make sure you get your accounts straight" message will work, but not always. One guy registered his car at Jiffy Lube with it, so whenever he gets an oil change I get sent the receipt, including his license plate. Because it comes from a no-reply email address, I don't have a way to tell the company to get in touch with this person to have it changed, and I don't think he knows he's supposed to be getting a receipt and isn't wondering why he never gets one.

    I did once get the itinerary for someone's mother's funeral, and just last week somebody started tagging "me" to a bunch of photos from someone's college graduation. I try to be respectful with my responses, but in the end I do have a folder named "Idiots Who Don't Know Their Own Email Address" that this all gets filtered to.

    GNU Terry Pratchett
    PSN: Wstfgl | GamerTag: An Evil Plan | Battle.net: FallenIdle#1970
    Hit me up on BoardGameArena! User: Loaded D1
    Spoilered until images are unborked.
  • Darkewolfe (Registered User regular)
    There is some dude in Seattle who has used one of my e-mail addresses every once in a while for all sorts of random shit. We must be one character off or something. He has no access, he has tried resetting them a few times. He's just losing random shit into my inbox. It's not a security concern for me. I'm not sure how he feels about me getting all his Uber trips but whatever.

    What is this I don't even.