this post was submitted on 28 Sep 2023
55 points (100.0% liked)

Privacy

31975 readers
859 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

My password manager told me that my info was leaked, including IP address, address, email, personal information, and phone number, in a data breach of eye4fraud.com. However, I don't use eye4fraud, so it must have been a site that uses their services. I would like to change my login credentials on the site that shared my data with them (and stop using their service since they're sharing my info with a security company that was breached), but I don't know which site that was. I found this list of sites that use eye4fraud, but that list has over 1,600 entries. Other than reviewing every single sight on the list, is there a way of finding out which site that I use leaked my info?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 25 points 1 year ago (5 children)

Probably not.

The best advice I've heard is to use a variation of your email (assuming you use Gmail) on every site you sign up for that indicates that website. This would allow you to immediately know.

So what is a Gmail Plus address? Say you have an email address like [email protected]. If you append a “plus” sign to your email username, Gmail will ignore anything written between the + and @ sign in the email address and still deliver the message to the same mailbox.

More info

[–] [email protected] 8 points 1 year ago (1 children)

Scammers are well aware of this trick and can easily strip out everything between the + and the @ on a huge database of email addresses. A better approach is to use Proton Pass or simplelogin, which creates a brand new email address that forwards to your real one. That way you can create a new email address for every site. Both services automatically append the site name and incluse a few random digits to the new email address. So if you want to make a new alias for your LLBean login, it'd create LLBean.gv4gk7.passmail.net which would forward all emails to your real email address.

[–] [email protected] 2 points 1 year ago (1 children)

Why would a scammer care if you figure out which 3rd party sold you out? I don't think the risk is worth paying for another subscription.

[–] [email protected] 3 points 1 year ago (1 children)

Because after you setup the filter to remove that plus sign label, your email address is worthless without removing it.

[–] [email protected] 2 points 1 year ago (1 children)

Why would it be worthless? It's still a valid, deliverable address to a real person (you). The only difference is the receiver knows which company sold their information AFAIK

[–] [email protected] 2 points 1 year ago

No it's not, because the whole point of it is so you can filter them out. Which is exactly what you do when you realize you're getting email from someone you didn't give that address to, and at which point it becomes worthless. But stripping out the plusses is trivial and yields an un-filterable address.

[–] [email protected] 4 points 1 year ago (5 children)

Does something similar exist aside from Gmail? Cus you know. Gmail.

[–] [email protected] 9 points 1 year ago (1 children)

I think it's a fairly standard feature. At least Protonmail also supports this kind of "alias".

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

If I'm not mistaken it's part of the original spec, Dylan beattle had a bit in a talk about email at some point

Edit: I was in fact mistaken it's a Google only thing and not part of the spec

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

You could use something like simplelogin.io to create aliases.

Integrates with password managers like Bitwarden nicely to generate aliases.

I think many other services support the + trick though too. The downside is that spammers know the + trick and can find out your base email easily; they can’t if you use an alias.

[–] [email protected] 5 points 1 year ago

Protonmail supports + addresses as well. Not sure about others.

[–] [email protected] 4 points 1 year ago

YMMV on all of these. These are things I use or have considered.

[–] [email protected] 2 points 1 year ago (1 children)

Afaik this is not a feature unique to Gmail, it's a feature of the email system as a whole. Same with a dot. Any characters after a plus or dot in the first part of the email are ignored.

[–] [email protected] 4 points 1 year ago

I'm fairly certain you're wrong about the "." in an email address

[–] [email protected] 3 points 1 year ago

This breaks a lot of sites that try to sanitize addresses (don't ask me why they do it)

Had it happen a couple of times that I would register and then it wouldn't recognize my email for the login or the confirmation email would never arrive. Never tried it again after that because it also ment I was unable to use that email for that site as well.

[–] [email protected] 3 points 1 year ago

more than that, dots don't matter in gmail. [email protected] is the same as [email protected], or as [email protected]. they all funnel into the id with which yiu had signed up.

this allows you to put various permutations of your email id for varioua online services.

[–] [email protected] 1 points 1 year ago

I do this with passwords, too. For example, generate 15 digits and add 5 digits (like +LMY!) to end. Many of those sites will list which passwords were stolen, easy to see to see which sites have unforgivably poor security.

For email addresses, the variation is useful, but it's probably inevitable that it's eventually sold, stolen or guessed. Still nice to have the evidence.