Not OK Cupid – A story of poor email address validation
122 comments · March 21, 2025 · RandomBacon
red369
Someone signed up to Amazon with an email address of mine, and saved their credit card details.
I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.
The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.
Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.
I haven’t had any people reverse-hacking themselves for a while now.
jayknight
I thought about doing something mildly nefarious with someone's PayPal account that they added my address to, but didn't want to chance legal problems. Instead I just logged into their account and removed my email address and logged out.
red369
PayPal is certainly trickier. I felt more comfortable testing with buying Amazon Prime through an Amazon account, because it would be easy for them to refund.
I assume I thought of trying to remove the email address! :) I sometimes forget they’re not necessarily the only identifiers, and some accounts let you use a mobile number instead. Probably there wasn’t a mobile on the profile.
It would be nice if all accounts used a username, and allowed you to not have an email or phone if you tick a box saying “I don’t care if I get locked out of this account forever if I forget the password”.
maxerickson
You are probably technically violating the CFAA when you do this. Having your email address accidentally associated with the account isn't authorization.
rendaw
Aren't they the ones violating CFAA? They made an account for GP then accessed it without authorization.
LeifCarrotson
What email are you using that's so popular that dozens of people are (inadvertently?) entering it in all these businesses?
Are you "john.smith@gmail.com" or something like that?
I'm firstname@firstnamelastname.com, and I have had maybe a half dozen instances in the past decade.
Spooky23
I have first initial / last name at gmail for a common Irish name. My wife has first name last name.
There’s about a dozen people who routinely use my email address. The Washington Post let someone subscribe for a year without any validation. One dude lost a job offer because they couldn’t contact him. One woman was the general manager of a factory and emailed “herself” with a VPN client and an Excel spreadsheet with passwords to access the factory’s IT and SCADA systems. A detective sent crime scene videos. The most recent is a guy in Scotland who isn’t paying his electric bill.
My wife had someone who has stolen her accounts via retail employee resets at CVS, Sephora and others. She’s an executive at a big Wall St bank, and spends a lot on makeup - my wife got lots of points when she reset the Sephora account back.
freitasm
I have a common lastnameinitial @ email provider. It's the same username from my mainframe days. Some people with similar surname use that, probably because they either don't want to receive emails or because they are just... I don't know, clueless?
Usually I take over an account and change the password. Then add 2FA if possible and update the details to my name and address. This way people can't say it's their account anymore.
A couple of times there were credit card numbers. I just delete those if possible.
I have cancelled hair appointments and car services. I have received flight information multiple times. I have locked out an account on a French dating site, which had some interesting exchanges (the guy's missing out!).
I did not cancel a vet appointment. Pets need to see a vet and their owners being dumb is not an excuse. I won't interfere with that. But I did book a full grooming for a week after.
When I take over I just use a random password from Bitwarden and don't even bother saving the account, as I don't plan to ever use these again.
rixed
Have done all that without suffering any sense of guilt?
Foobar8568
Generally speaking, it seems people get it wrong when things are created over the phone etc. My firstname lastname is not common, but if one uses firstname.middlenameinitial.lastname you can be sure that several people, when noting their email, will skip the initial; same if you have a suffix. I had banks, credit cards, social security related stuff being registered to my email; generally it lasts a few weeks to be fixed.
toast0
I have lastname first initial @ gmail, and I wish I didn't. I have started using it for school related stuff for my kid, and other places where I want to present as normal, but mostly I get garbage from a set of about 4 people who share my last name and first initial, but don't know their email address (I don't know it either!).
Lots of car dealers and travel reservations. Ugh. I've got a couple job application responses, and usually get a nice email from the sender when I respond and let them know the email was misdirected.
I used to get a lot of mail directed to people whose organization's domain has an extra letter compared to mine, but I think they must have figured it out, or closed down. I used to add their mistaken addresses to be rejected if sent to, and had to update when they got a new employee (their IT person sent me the new user stuff once, sigh), but that stopped happening. I got some invoices for them that looked kind of shady, but they're in Brazil, and I can't navigate the system down there to have forwarded them to someone who would find it interesting.
RandomBacon
first.last@gmail.
Common-ish English names, uncommon combination, but apparently common enough (did a quick search and there are at least 20 in the U.S.)
The Apple one was a catchall @lastname.com (a different first name than mine, but same last name)
omoikane
See also:
https://xkcd.com/1279/ - Reverse identity theft
Having an email address that resembles a real name is a blessing and a curse.
nyrikki
Ashley Madison is another, then they tried to charge for delete.
Twitter is another back in the day, but that doesn't impact employment like Ashley Madison does due to the leaks.
Semaphor
Accounts: Don’t remember all, but at least Instagram, TikTok, eBay and some dating site (not OkC) had accounts created for my mail.
Newsletter: A German plushie store (Steiff) and some kind of wellness place. 2 democratic congressmen.
In all cases it’s the same, I mark them as spam and block them.
foresterre
Also Uber, I keep receiving mails from users who used my domain, on my catch-all mail.
Balinares
Ah, Apple -- I had that happen to me with them too. Had to contact their support to get the account closed. Infuriatingly, they were adamant that I must have approved the sign up email. Obviously I never received such an email.
To this day I wonder what path the mystery usurper followed to sign up my email address without validation.
flutas
Add AT&T to your first list.
kmos17
Venmo does it too
DidYaWipe
Ugh. Then there's the general stupidity of forcing people to use E-mail addresses as user IDs. It's not just annoying, but also a security blunder. The general public can't be counted on to understand that when they're forced to use their E-mail address as an ID, they don't have to use their E-mail account's password for it.
That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.
Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.
It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.
But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.
It's too bad. OKCupid was the best of the dating sites during its heyday.
Terr_
Related stupidity: "Security Questions" that enable someone to take over your account just by collecting not-so-secret information that is often shared because the site insists you pick from their own set of questions which other sites have already used.
torton
The best way to tackle "Security Questions" is to generate a passphrase, store it in your password manager, and use that for the answer.
In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.
phanimahesh
That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.
mdaniel
1Password actually has built-in support for that very flow: https://support.1password.com/generate-security-questions/#c...
The only thing is you sometimes have to warn the customer service agent that you have an unusual answer to "childhood best friend" but otherwise I've never had a problem with it
charleslmunger
There's other good reasons not to use a random string! Try calling up customer service, they'll ask you the question, and you can say "oh it's just a bunch of random letters and numbers".
Unlike a code or password, these security questions are fuzzy matches generally based on the judgment of the human on the other end.
mitthrowaway2
Definitely, but it's very hard to convince your whole family to adopt this practice...
Sohcahtoa82
I choose answers that only barely make sense, i.e.:
"Where is your favorite vacation spot?"
Narnia
"What was your first pet's name?"
Falkor
Even my closest friends who know me would never guess those, even if they knew I was giving bullshit answers, simply because I was never into "The Lion, The Witch, and the Wardrobe" or "Never Ending Story".
(Note: These are not ACTUAL answers I've given, but you get the idea)
I save the bullshit answers into my password manager. But yeah, it's probably a better idea to just use an actual pass phrase.
AbstractH24
The problem becomes when a CS rep needs you to answer those questions on the phone.
How do you handle that?
Terr_
Not parent poster, but generating a sequence of randomized dictionary words will work provided the answer-field isn't too small and none of them are too hard to spell.
DidYaWipe
This question reminds me of another brain-dead and rather incredible password policy I encountered. I was trying to set a password for United Healthcare. Their password requirements were shown, and I was complying with all of them. Yet it was failing over and over.
I finally called them to report the problem, and the first question out of the rep's mouth was, "Does your password contain swear words?"
I shit you not, UHC secretly audits your passwords for "swear words." Doing so is bad enough, but not mentioning it in the rules is doubly offensive for deliberately stealing users' time.
RandomBacon
Make sure it is a plausible-sounding answer.
Don't give an attacker an opportunity to social engineer and say, "it was a bunch of random letters or words" and the customer service person lets them in because it looked like someone was just typing random stuff.
(Insert xkcd here)
gausswho
Unfortunately you're right. Your email is an identity that follows you everywhere. In the world we live in, we need to make an email per service.
tzs
Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address.
Many use an email address provided by their ISP. What happens when they move out of that ISP's territory? Or, if they are someplace served by multiple decent ISPs decide to switch providers?
Many use addresses from gmail, outlook, yahoo, and similar. Those at least keep working if they move, but still have some risk. If you use multiple services from the companies that own those and do something to get banned from one of those company's services that might also get you banned from their email service.
Best if a site insists you use email as user ID is to use an email at a domain of your own. That won't be free because you'll have to rent the domain, and pay someone to handle your email (most people will not be up to running their own email server), but if the domain is at one of the long established TLDs and you don't do anything too illegal and it isn't close enough to the name of an established company that you could lose it over trademarks you can probably keep it for the rest of your life.
Whoever you use to actually handle your mail might go away or kick you off, but as long as you still have the domain you can switch to some other mail handler and point the domain's mail records in DNS to that new handler.
If you want to be sure that there is no risk of being accused of being a domain squatter or losing the domain in a trademark dispute, pick a name that will not be at all similar to any business name or famous person name. I've got my ham radio callsign as a domain under the US TLD, for example.
If you aren't using your own domain, at least check with any important site that you use that requires email as user ID to make sure they have a way to change the email so that if you do end up losing your current email you can update the site. That might not work if you lose the email without warning, but at least it can help in cases where you know you are going to lose the email such as switching to a new ISP.
It might also be a good idea to keep a list of all sites you are using where you will need to change the email as user ID if you are going to move, so fixing it can be part of your moving checklist.
In the US both of the login servers that more and more government agencies require you to use for online access, ID.me and Login.gov, use email as user ID. Both allow you to change that email (add the new email as a secondary email on the account, then change the new email to be the default email). It would be really annoying to not remember to do so until after you have lost the old email, and so find yourself unable to log in to your IRS account or your Social Security account.
DidYaWipe
"Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address."
Exactly, which gave rise to the on-going multiple-Apple-IDs fiasco.
0xbadcafebee
> When I tried to unsubscribe using the one-click unsubscribe button in one of the emails, I was met with an error: “Something went wrong, please try again later.”
I want to start a blog which is just shaming every company whose most basic functions don't work and there's no recourse. It happens at least twice a day to me. Like a financial services management company whose website can't load my financial information. Or a jobs site that offers me premium subscription but its payments page is broken and I can't even notify them because there's no contact method. Or half the unsubscribes on the internet that never work, or require me to login to unsubscribe but it won't let me log in.
Does anyone work at Google? Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser and click the search bar, if I don't wait at least 30 seconds, anything I type into the text bar not only is severely lagged, but then the letters appear in random jumbled order like the cursor is jumping? But if I wait it works fine?? Don't they make billions of dollars? Isn't this their whole product? What the hell is going on over there?!
The enshittification of technology is so extreme it feels like the whole web is constantly broken and literally nobody cares. If physical stores didn't exist and it was all online, I think riots would break out.
toast0
On this topic, I signed up for a new bank account online. They did not approve instantly, so I wasn't able to set up an account during the application. No big deal. A while later, they approved the application and invited me to sign up for an online account and do some setup with the account.
Of course, I can't do any of that without an account number which they haven't given me. I assume it'll arrive in the mail eventually.
ThePowerOfFuet
> Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser
Define "the browser".
concerndc1tizen
Nobody cares because the world has been taken over by organized crime, and to them you're just someone to be exploited.
And why doesn't an independent company just create a better product? Because they don't like competition. It's a racket.
You'll find that your suppliers give you outrageous prices (but discounted rates for their friends), that potential customers refuse to buy from you (you're blacklisted), and so on.
inetknght
OkCupid is a terrible service. It disassociates real people who don't pay, and encourages fraudulent scams such as pig butchering. Bots are ridiculously easy to spot. You can end up in an endless loop of the same rejects unless you start blocking them.
dmd
On the other hand, I met my wife there and my two children wouldn’t exist if not for it. That said, the OkCupid of today and that of 2011 when I used it are probably quite different.
RandomBacon
It probably started when they sold to The Match Group a while back.
I used it a little back in 2014, and again in 2021. The second time around, it was very different.
I don't know of any dating companies that focus on matching people versus optimizing for revenue.
robocat
Unfortunately most consumers are unwilling to pay what something is worth to them. Businesses are often the same so it isn't just consumer behaviour.
Meeting the right person should be worth a lot, and we should be happy to pay thousands for that.
Of course the profit depends on the user statistics too: I'm not sure what the economic term for profit thresholds for power law masses versus targeting - where say lots of users with a low profits per user (say advertising) beats reasonable profits per user (say kagle).
Gualdrapo
Are you implying there are companies that don't focus on optimizing for revenue?
ChickeNES
Yeah from what I've heard it's nothing like it was in 2010-2014
xeromal
OKCupid in those days had some really cool technical blogs about their processes that's worth reading.
https://web.archive.org/web/20101016050944/http://blog.okcup...
bigstrat2003
Same, although for us it was 2015. But that is 10 years ago (noooo I hate getting old), and to your point I can imagine it changing a ton in that time.
timewizard
Your current children. It's highly possible that by now you would have had two other children. As you can tell, I do not, myself, have children.
Teever
OKCupid has another security issue related to email. If you get your hands on a link that they send out to a person's email regarding a match then that link auto logs you into their account and you can do whatever you want with it.
I discovered that when a friend of mine forwarded me a match that they had made and I suddenly found myself able to read their messages.
I contacted OKC about it and they did reply saying that it was a WONTFIX.
comrade1234
Just mark the emails spam and forget about them. If everyone blogged about every spam email they got we’d get articles every day about spam emails everyone got.
RandomBacon
I do in Gmail, but half of them will never go in the spam folder such as from Credit Karma.
kxrm
Had the same problem with Peacock despite constantly attempting to unsubscribe and mark spam. In the end I just created a filter rule to throw it in spam.
nerdponx
If you're in the US, I've had success by contacting customer service and threatening action under CAN-SPAM. The FTC has never really provided an easy way to file complaints or request enforcement by the public, but it seems to get their attention all the same. Now is a good time to try to exercise your legal rights against corporations before they are all executive order'ed away.
saaspirant
I can't find an option in Gmail to create a filter to "Always send it to spam". There's only "Never send it to Spam".
yx827ha
Fastmail's masked emails are great! I honestly very rarely give out my "real" email. Usually when I sign up for something I create a masked email, or if I need an email on the spot I use a wildcard alias (xxxxxx@myalias.fastmail.com). Since most of my emails are random, it serves as an additional authentication factor.
climb_stealth
The problem is that it only takes one entity to leak the real email. All my spam comes on my real email despite using aliases for years.
I need to retire my real email address, but it's a bit tricky because I also used it for important things.
Haven't quite worked out how to solve that yet.
Timshel
Start now with a forward from the old address. Might take multiple years before you are comfortable deleting the old address.
climb_stealth
You may be right there. Will have a think about it. Maybe a filter to flag things and update as needed.
everybodyknows
I've been using simple vendor-specific aliases e.g. $VENDOR.$MyInitials@fastmail.com, or a shared spam bucket alias.
Can you remind us how Fastmail's subdomains and "masked emails" are an improvement?
mdaniel
1. it allows associating a description with the address, which could contain any annotation information you'd like
2. it has a handy delete option, for severing the relationship
3. when they do arrive in the inbox, it shows the annotation instead of the address because no sane person could remember what battery.horse.staple@fastmail corresponds to
Moosdijk
Don’t the email domains get blacklisted, or are they valid?
nerdponx
It's just fastmail.com, that would be insane to blacklist. Also you don't really use these for sending, it's more for signing up for things and online shopping.
shakna
It certainly still happens though. [0]
monksy
Most of the generalized aliasing domains get blacklisted. If you are going to do aliasing, set it against your custom domains.
From what I can tell: Atlassian and Stack Overflow try to reject you based on the MX records on the domain (which makes that a problem).
There are a few other companies that try to restrict you to gmail or hotmail domains. (Which is even more frustrating)
ostensible
iCloud’s HideMyEmail service generates @icloud.com addresses. Very easy, single click.
Nevertheless, I have still used my personal name at lastname dot com for everything for decades and the amount of spam is quite tolerable. Rarely it leaks into the inbox. It’s even published on my personal web site in plain text.
commandersaki
Spamazon did the same thing to me, someone signed up with my email and didn't verify and I couldn't recover the account because of the phone number associated with the account. Amazon was completely uncooperative.
Again, similar story with Commonwealth Bank of Australia, which is even scarier since it's a bank.
ChickeNES
Same story for me and one of the major credit reporting companies.
monksy
For those who are considering aliases to reduce spam in this.
DO THIS TODAY. One of my aliases at the vendor Thermpro got compromised by them. I got list bombed pretty badly. Because it was an alias, I was able to turn it off. I got over 2k messages (most of it "sign up for our mailing list") within the first 12 hours. Reaching out to the vendor got nowhere. (Pretty sure they don't care that they were compromised.)
commandersaki
Problem is most email providers' web interfaces and mail agents don’t handle dealing with aliases correctly. For me I’ve found only Fastmail & mutt to be able to handle my 500 email aliases.
kentonv
Problem is, if you implement strict email verification, you lose users. Because that step of "please open your email and verify" is actually a big drop-off point in the funnel. No amount of "shaming" people over lax email validation is going to convince them to implement a change that loses them money.
Don't get me wrong, I hate it too. Every single day I have to block about a dozen new sender addresses for services that someone has signed up for under my email. Because my email address just so happens to be temporal at gmail.com (it was my teenage gamer tag), and it just happens that "temporal" means "temporary" in Spanish, so about half a billion humans think it's a great throw-away address.
Luckily I can very easily identify the emails that aren't meant for me, because they are in Spanish, which I do not speak. Still, I thought that after years of blocking a dozen senders a day, I'd have blocked just about everything... but no, they just keep coming. I've given up on clicking "unsubscribe" or trying to hijack accounts to shut them down, I just go straight to "block" now...
But yeah. I've been demanding that people validate email addresses for decades, and can assure you that nobody cares and they're not going to start.
The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
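The double opt-in and one-click disavow flow the comment above asks for, as an added example that is not code from the thread or from any service named in it. It signs each link with an HMAC bound to an action, an address and an expiry, so a verify link cannot be replayed as a disavow link (and neither creates a session), and no non-transactional mail goes out until the address is verified. The secret key, the in-memory `accounts` table and the `example.invalid` URLs are constructed for the example.

```python
"""Added example: HMAC-signed verify / disavow links for email ownership.
Not taken from the thread or from any product; names here are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SECRET_KEY = secrets.token_bytes(32)   # constructed; a real service loads this from config
TOKEN_TTL = 24 * 3600                  # links expire after one day

# In-memory stand-in for a user table: email -> account record (constructed).
accounts = {}


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_token(action: str, email: str, now: Optional[float] = None) -> str:
    """Token = base64(action|email|expiry) + '.' + HMAC; the action is part of what is signed."""
    if "|" in action or "|" in email:
        raise ValueError("separator not allowed in action or email")
    ts = time.time() if now is None else now
    payload = f"{action}|{email}|{int(ts + TOKEN_TTL)}"
    body = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    return body + "." + _sign(payload)


def parse_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (action, email) if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
        action, email, exp = payload.split("|")   # wrong field count -> ValueError
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    ts = time.time() if now is None else now
    if int(exp) < ts:
        return None
    return action, email


def signup(email: str) -> dict:
    """Create an unverified account. Only the verification mail may be sent at this point."""
    accounts[email] = {"verified": False, "disavowed": False, "mail_allowed": False}
    return {
        "verify_link": f"https://example.invalid/verify?t={make_token('verify', email)}",
        "disavow_link": f"https://example.invalid/disavow?t={make_token('disavow', email)}",
    }


def handle_link(path: str, token: str) -> str:
    """Endpoint logic for /verify and /disavow. Returns a status string, never a session."""
    parsed = parse_token(token)
    if parsed is None:
        return "invalid-or-expired"
    action, email = parsed
    rec = accounts.get(email)
    if rec is None:
        return "no-such-account"
    if action != path:
        return "wrong-action"          # a verify token cannot disavow, and vice versa
    if rec["disavowed"]:
        return "already-disavowed"     # a later verify click cannot revive a disavowed address
    if path == "verify":
        rec["verified"] = True
        rec["mail_allowed"] = True
        return "verified"
    rec["disavowed"] = True            # path == "disavow"
    rec["verified"] = False
    rec["mail_allowed"] = False
    return "disavowed"


def may_send_marketing(email: str) -> bool:
    """The gate every non-transactional mailer should consult before sending."""
    return accounts.get(email, {}).get("mail_allowed", False)
```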
RandomBacon
> The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
That's a great middle-ground, and I think I've only seen that once.
HappMacDonald
Such links might disavow in practice, or might alternately be used as "hey, this email address has a living person at the other end, update the alive status on your spam lists and sell the data point!"
RandomBacon
I would only use that with legitimate companies. Your scenario is no different than spammers who already have "unsubscribe" links.
gmerc
That’s not a middle ground at all; that offloads the cost of your growth to unrelated parties who are potentially being defrauded. Typical tech ploy.
toast0
Look, when option A is actually make sure your user gives you contact info that works, option B is include a link that stops sending garbage for a user that doesn't know their email address, and option C is signing up with an email address results in an unending stream of garbage...
I would prefer option A, but I'll accept option B, because it's better than option C.
AbstractH24
Problem with email in general is that very few people are incentivized to think of the long-term impact of spam.
Arch-TK
Someone with my identical full name has for the past few years kept providing my old and unused gmail email address to various entities.
This has included banks, shops, and a company which apparently offers training to help you acquire a gun license in Poland.
I now know where this person lives (from order confirmation emails). I know this person's date of birth. I also know this person's PESEL (Polish national identification number) because one of the banks "protected" a document intended for this person by using part of the PESEL as a password (I just brute-forced that part). The other part is just an encoding of the birth date.
So I now have enough information to impersonate someone just because a number of organisations screwed up by not verifying ownership of an email address.
garaetjjte
PESEL generally shouldn't be considered secret.
anotherevan
Ugh, I've got exactly the same thing with match.com at the moment. Some other Evan, presumably with the same last name, used my gmail address. Unsubscription link seems to have had no effect, I ended up just putting a filter in to send them straight to deleted.
Over the years I've been signed up for various porno sites, had wedding invitations, college applications, airplane tickets and an ongoing rental dispute all because either another Evan doesn't want to use their own email address for something dubious, or someone has assumed my gmail address must be the Evan they are after.
Companies that allowed others to create accounts with my email addresses:
PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.
Companies that spammed me in the last 24 hours because they don't validate email addresses they add to their mailing lists (maybe there are accounts too, IDK):
NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.