Yeah I know about that trick. I’ve run into problems using that in the past because the + notation isn’t universally supported, and also some companies sell their customer lists to other companies. I forget the specific details because it happened years ago now, but I found one of my + addresses signed up to a mailing list I didn’t want to be on. The form used to unsubscribe from that list considered the + an invalid character, so I couldn’t unsubscribe. As I recall it took a week or so of emails to various contacts at that company to get me unsubscribed.
Besides, it wouldn’t help at all in this particular case. Look at the screenshot. It’s redacting everything in the email address before the @, so I still wouldn’t know which one they are referring to.
Yeah, the redacting is weird. How did you even receive this? I thought it came via email itself so you would know but it’s still redacted in case you’re using aliases. Or perhaps they assume people have only a single account with any provider and thus could infer.
I’ve had my identity stolen multiple times over the years and had everything from fraudulent tax returns filed to get refunds, to credit cards taken out in my name. I was one of the victims of the federal governments Office of Personnel Management data breach 10 years ago (think the HR department for the entire US Federal Government). That resulted in me getting what amounts to free ID/credit monitoring with a really good company for the rest of my life. They send me alerts similar to this one fairly often, and it’s also next to useless. My guess is it’s based on lists of usernames & passwords stolen from websites and offered for sale by scammers. It’s not uncommon for those types of lists to have been collected from multiple websites, and merged into one giant list since lots of people still use the same password everywhere. So there’s likely no way of knowing what website a given set of credentials came from.
As for the masking of the email address, seeing that different monitoring services are doing the same exact thing it makes me wonder if either these are all coming from the same third party service, or if there’s some sort of law/regulation that is requiring them to mask it…
Yeah I know about that trick. I’ve run into problems using that in the past because the + notation isn’t universally supported, and also some companies sell their customer lists to other companies. I forget the specific details because it happened years ago now, but I found one of my + addresses signed up to a mailing list I didn’t want to be on. The form used to unsubscribe from that list considered the + an invalid character, so I couldn’t unsubscribe. As I recall it took a week or so of emails to various contacts at that company to get me unsubscribed.
Besides, it wouldn’t help at all in this particular case. Look at the screenshot. It’s redacting everything in the email address before the @, so I still wouldn’t know which one they are referring to.
Yeah, the redacting is weird. How did you even receive this? I thought it came via email itself so you would know but it’s still redacted in case you’re using aliases. Or perhaps they assume people have only a single account with any provider and thus could infer.
I’ve had my identity stolen multiple times over the years and had everything from fraudulent tax returns filed to get refunds, to credit cards taken out in my name. I was one of the victims of the federal governments Office of Personnel Management data breach 10 years ago (think the HR department for the entire US Federal Government). That resulted in me getting what amounts to free ID/credit monitoring with a really good company for the rest of my life. They send me alerts similar to this one fairly often, and it’s also next to useless. My guess is it’s based on lists of usernames & passwords stolen from websites and offered for sale by scammers. It’s not uncommon for those types of lists to have been collected from multiple websites, and merged into one giant list since lots of people still use the same password everywhere. So there’s likely no way of knowing what website a given set of credentials came from.
As for the masking of the email address, seeing that different monitoring services are doing the same exact thing it makes me wonder if either these are all coming from the same third party service, or if there’s some sort of law/regulation that is requiring them to mask it…