Not OK Cupid – A story of poor email address validation
March 21, 2025 · RandomBacon
Someone signed up to Amazon with an email address of mine, and saved their credit card details.
I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.
The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.
Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.
I haven’t had any people reverse-hacking themselves for a while now.
You are probably technically violating the CFAA when you do this. Having your email address accidentally associated with the account isn't authorization.
Aren't they the ones violating CFAA? They made an account for GP then accessed it without authorization.
I thought about doing something mildly nefarious with someone's PayPal account that they added my address to, but didn't want to chance legal problems. Instead I just logged into their account and removed my email address and logged out.
PayPal is certainly trickier. I felt more comfortable testing with buying Amazon Prime through an Amazon account, because it would be easy for them to refund.
I assume I thought of trying to remove the email address! :) I sometimes forget they’re not necessarily the only identifiers, and some accounts let you use a mobile number instead. Probably there wasn’t a mobile on the profile.
It would be nice if all accounts used a username, and allowed you to not have an email or phone if you tick a box saying “I don’t care if I get locked out of this account forever if I forget the password”.
Accounts: Don’t remember all, but at least Instagram, TikTok, Ebay and some dating site (not OkC) had accounts created for my mail.
Newsletter: A German plushie store (Steiff) and some kind of wellness place. 2 democratic congressmen.
In all cases it’s the same, I mark them as spam and block them.
Ashley Madison is another, then they tried to change for delete.
Twitter is another back in the day, but that doesn't impact employment like Ashley Madison does due to the leaks.
What email are you using that's so popular that dozens of people are (inadvertently?) entering it in all these businesses?
Are you "" or something like that?
I'm, and I have had maybe a half dozen instances in the past decade.
I have first initial / last name at gmail for a common Irish name. My wife has first name last name.
There’s about a dozen people who routinely use my email address. The Washington Post let someone subscribe for a year without any validation. One dude lost a job offer because they couldn’t contact him. One woman was the general manager of a factory and emailed “herself” with a VPN client and an Excel spreadsheet with passwords to access the factory’s IT and SCADA systems. A detective sent crime scene videos. The most recent is a guy in Scotland who isn’t paying his electric bill.
My wife had someone who stole her accounts via retail employee resets at CVS, Sephora and others. She’s an executive at a big Wall St bank, and spends a lot on makeup - my wife got lots of points when she reset the Sephora account back.
I have a common lastnameinitial @ email provider. It's the same username from my mainframe days. Some people with similar surname use that, probably because they either don't want to receive emails or because they are just... I don't know, clueless?
Usually I take over an account and change the password. Then I add 2FA if possible and update the details to my name and address. This way people can't say it's their account anymore.
A couple of times there were credit card numbers. I just delete those if possible.
I have cancelled hair appointments and car services. I have received flight information multiple times. I have locked out an account on a French dating site, which had some interesting exchanges (the guy's missing out!).
I did not cancel a vet appointment. Pets need to see a vet and their owners being dumb is not an excuse. I won't interfere with that. But I did book a full grooming for a week after.
When I take over an account I just use a random password from Bitwarden and don't even bother saving the account, as I don't plan to ever use these again.
Have you done all that without suffering any sense of guilt?
Generally speaking, it seems people get it wrong when things are created over the phone etc. My firstname lastname is not common, but if one uses firstname.middlenameinitial.lastname you can be sure that several people when noting their email will skip the initial; same if you have a suffix. I had banks, credit cards, Social Security related stuff being registered to my email; generally it lasts a few weeks to be fixed.
I have lastname first initial @ gmail, and I wish I didn't. I have started using it for school related stuff for my kid, and other places where I want to present as normal, but mostly I get garbage from a set of about 4 people who share my last name and first initial, but don't know their email address (I don't know it either!).
Lots of car dealers and travel reservations. Ugh. I've got a couple job application responses, and usually get a nice email from the sender when I respond and let them know the email was misdirected.
I used to get a lot of mail directed to people whose organization's domain has an extra letter compared to mine, but I think they must have figured it out, or closed down. I used to add their mistaken addresses to be rejected if sent to, and had to update when they got a new employee (their IT person sent me the new user stuff once, sigh), but that stopped happening. I got some invoices for them that looked kind of shady, but they're in Brazil, and I can't navigate the system down there to have forwarded it to someone who would find it interesting.
Common-ish English names, uncommon combination, but apparently common enough (did a quick search and there are at least 20 in the U.S.)
The Apple one was a catchall (a different first name than mine, but same last name)
See also: Reverse identity theft
Having an email address that resembles a real name is a blessing and a curse.
Also Uber, I keep receiving emails from users who used my domain, on my catch-all mail.
Add AT&T to your first list.
Ugh. Then there's the general stupidity of forcing people to use E-mail addresses as user IDs. It's not just annoying, but also a security blunder. The general public can't be counted on to understand that when they're forced to use their E-mail address as an ID, they don't have to use their E-mail account's password for it.
That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.
Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.
It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.
But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.
It's too bad. OKCupid was the best of the dating sites during its heyday.
Related stupidity: "Security Questions" that enable someone to take over your account just by collecting not-so-secret information that is often shared because the site insists you pick from their own set of questions which other sites have already used.
The best way to tackle "Security Questions" is to generate a passphrase, store in your password manager, and use that for the answer.
In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.
That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.
Definitely, but it's very hard to convince your whole family to adopt this practice...
Unfortunately you're right. Your email is an identity that follows you everywhere. In the world we live in, we need to make an email per service.
OkCupid is a terrible service. It disassociates real people who don't pay, and encourages fraudulent scams such as pig butchering. Bots are ridiculously easy to spot. You can end up in an endless loop of the same rejects unless you start blocking them.
On the other hand, I met my wife there and my two children wouldn’t exist if not for it. That said, the OkCupid of today and that of 2011 when I used it are probably quite different.
It probably started when they sold to The Match Group a while back.
I used it a little back in 2014, and again in 2021. The second time around, it was very different.
I don't know of any dating companies that focus on matching people versus optimizing for revenue.
Unfortunately most consumers are unwilling to pay what something is worth to them. Businesses are often the same so it isn't just consumer behaviour.
Meeting the right person should be worth a lot, and we should be happy to pay thousands for that.
Of course the profit depends on the user statistics too: I'm not sure what the economic term for profit thresholds for power law masses versus targeting - where say lots of users with a low profits per user (say advertising) beats reasonable profits per user (say kagle).
Are you implying there are companies that don't focus on optimizing for revenue?
Yeah from what I've heard it's nothing like it was in 2010-2014
OKCupid in those days had some really cool technical blogs about their processes that are worth reading.
Same, although for us it was 2015. But that is 10 years ago (noooo I hate getting old), and to your point I can imagine it changing a ton in that time.
Your current children. It's highly possible that by now you would have had two other children. As you can tell, I do not, myself, have children.
> When I tried to unsubscribe using the one-click unsubscribe button in one of the emails, I was met with an error: “Something went wrong, please try again later.”
I want to start a blog which is just shaming every company whose most basic functions don't work and there's no recourse. It happens at least twice a day to me. Like a financial services management company whose website can't load my financial information. Or a jobs site that offers me premium subscription but its payments page is broken and I can't even notify them because there's no contact method. Or half the unsubscribes on the internet that never work, or require me to login to unsubscribe but it won't let me log in.
Does anyone work at Google? Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser and click the search bar, if I don't wait at least 30 seconds, anything I type into the text bar not only is severely lagged, but then the letters appear in random jumbled order like the cursor is jumping? But if I wait it works fine?? Don't they make billions of dollars? Isn't this their whole product? What the hell is going on over there?!
The enshittification of technology is so extreme it feels like the whole web is constantly broken and literally nobody cares. If physical stores didn't exist and it was all online, I think riots would break out.
On this topic, I signed up for a new bank account online. They did not approve instantly, so I wasn't able to set up an account during the application. No big deal. A while later, they approved the application and invited me to sign up for an online account and do some setup with the account.
Of course, I can't do any of that without an account number which they haven't given me. I assume it'll arrive in the mail eventually.
Just mark the emails spam and forget about them. If everyone blogged about every spam email they got we’d get articles every day about spam emails everyone got.
I do in Gmail, but half of them will never go in the spam folder such as from Credit Karma.
Had the same problem with Peacock despite constantly attempting to unsubscribe and mark spam. In the end I just created a filter rule to throw it in spam.
If you're in the US, I've had success by contacting customer service and threatening action under CAN-SPAM. The FTC has never really provided an easy way to file complaints or request enforcement by the public, but it seems to get their attention all the same. Now is a good time to try to exercise your legal rights against corporations before they are all executive order'ed away.
I can't find an option in Gmail to create a filter to "Always send it to Spam". There's only "Never send it to Spam".
Fastmail's masked emails are great! I honestly very rarely give out my "real" email. Usually when I sign up for something I create a masked email, or if I need an email on the spot I use a wildcard alias. Since most of my emails are random, it serves as an additional authentication factor.
The problem is that it only takes one entity to leak the real email. All my spam comes on my real email despite using aliases for years.
I need to retire my real email address, but it's a bit tricky because I also used it for important things.
Haven't quite worked out how to solve that yet.
Don’t the email domains get blacklisted, or are they valid?
Most of the generalized aliasing domains get blacklisted. If you are going to do aliasing, set it against your custom domains.
From what I can tell: Atlassian and Stack Overflow try to reject you based on the MX records on the domain (which makes that a problem).
There are a few other companies that try to restrict you to gmail or hotmail domains. (Which is even more frustrating)
iCloud’s HideMyEmail service generates addresses. Very easy, single click.
Nevertheless, I have still used my personal name at lastname dot com for everything for decades, and the amount of spam is quite tolerable. Rarely does it leak into the inbox. It’s even published on my personal web site in plain text.
For those who are considering aliases to reduce spam:
DO THIS TODAY. One of my aliases at the vendor Thermpro got compromised by them. I got list-bombed pretty badly. Because it was an alias, I was able to turn it off. I got over 2k messages (most of it "sign up for our mailing list") within the first 12 hours. Reaching out to the vendor got nowhere. (Pretty sure they don't care that they were compromised.)
Spamazon did the same thing to me, someone signed up with my email and didn't verify and I couldn't recover the account because of the phone number associated with the account. Amazon was completely uncooperative.
Again, similar story with Commonwealth Bank of Australia, which is even scarier since it's a bank.
Same story for me and one of the major credit reporting companies.
OKCupid went steeply downhill over several years and as far as I can tell is now worthless and untrustworthy in every way.
I wonder if they still (illegally?) discriminate based on sex. They used to give different payment plans to men versus women.
You used to be able to edit the plan number in the URL to get a better rate, then they "fixed" that, but then all you had to do was edit the plan number in the form action.
Problem is, if you implement strict email verification, you lose users. Because that step of "please open your email and verify" is actually a big drop-off point in the funnel. No amount of "shaming" people over lax email validation is going to convince them to implement a change that loses them money.
Don't get me wrong, I hate it too. Every single day I have to block about a dozen new sender addresses for services that someone has signed up for under my email. Because my email address just so happens to be temporal at (it was my teenage gamer tag), and it just happens that "temporal" means "temporary" in Spanish, so about half a billion humans think it's a great throw-away address.
Luckily I can very easily identify the emails that aren't meant for me, because they are in Spanish, which I do not speak. Still, I thought that after years of blocking a dozen senders a day, I'd have blocked just about everything... but no, they just keep coming. I've given up on clicking "unsubscribe" or trying to hijack accounts to shut them down, I just go straight to "block" now...
But yeah. I've been demanding that people validate email addresses for decades, and can assure you that nobody cares and they're not going to start.
The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
> The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
That's a great middle-ground, and I think I've only seen that once.
Such links might disavow in practice, or might alternately be used as "hey, this email address has a living person at the other end, update the alive status on your spam lists and sell the data point!"
That’s not a middle ground at all; that offloads the cost of your growth to unrelated parties who are potentially being defrauded. Typical tech ploy.
Look, when option A is actually make sure your user gives you contact info that works, option B is include a link that stops sending garbage for a user that doesn't know their email address, and option C is signing up with an email address results in an unending stream of garbage...
I would prefer option A, but I'll accept option B, because it's better than option C.
I sympathize, I have dealt with this a couple of times, most recently with Coinbase (resolved).
I agree that we would live in a better world if everyone on the internet followed standards and best practices, but we will never live in that world. We can expect the enshittification to get worse.
When this happens to me I make a filter to trash the emails. No amount of complaining or well-meaning (and in this case a bit self-promoting) articles will make the rest of the world change.
OKCupid has another security issue related to email. If you get your hands on a link that they send out to a person's email regarding a match then that link auto logs you into their account and you can do whatever you want with it.
I discovered that when a friend of mine forwarded me a match that they had made and I suddenly found myself able to read their messages.
I contacted OKC about it and they did reply saying that it was a WONTFIX.
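An added example, not code from any commenter here or from OKCupid, of what the "option B" disavow link discussed above and the match-link problem in this comment look like when done carefully: every emailed link is HMAC-signed, time-limited and bound to one action, and neither the confirm link nor the disavow link creates a login session. The SERVER_KEY, the in-memory SIGNUPS store and the email addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed key for the example; a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # emailed links expire after a day
MAC_LEN = 32

# Constructed in-memory signup state keyed by email: "pending", "verified"
# or "disavowed". A disavowed address refuses new signups, so the mail stops.
SIGNUPS: Dict[str, str] = {}

def _mint(purpose: str, email: str, now: int) -> str:
    """Bind the token to ONE action and an expiry, then HMAC it."""
    payload = f"{purpose}|{now + TOKEN_TTL}|{email}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def _check(token: str, purpose: str, now: int) -> Optional[str]:
    """Return the email the token covers, or None if it is forged, expired or
    minted for another purpose: a confirm link can never disavow, and vice versa."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        tok_purpose, expiry, email = payload.decode().split("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    if tok_purpose != purpose or int(expiry) < now:
        return None
    return email

def start_signup(email: str, now: int) -> Optional[Dict[str, str]]:
    """Create a pending account and return the two links that go in one email.
    Neither link logs anyone in; the mailbox owner decides what happens next."""
    if SIGNUPS.get(email) == "disavowed":
        return None  # the address owner already said "not me"
    SIGNUPS[email] = "pending"
    return {"confirm": _mint("confirm", email, now),
            "disavow": _mint("disavow", email, now)}

def confirm(token: str, now: int) -> bool:
    """The mailbox owner proves the address is theirs; no session is created."""
    email = _check(token, "confirm", now)
    if email is None or SIGNUPS.get(email) != "pending":
        return False
    SIGNUPS[email] = "verified"
    return True

def disavow(token: str, now: int) -> bool:
    """One click from the mailbox owner ends the account and blocks re-signup."""
    email = _check(token, "disavow", now)
    if email is None or email not in SIGNUPS:
        return False
    SIGNUPS[email] = "disavowed"
    return True
```

Contrast with the match link described in the comment: a token that is tied to a single purpose and never exchanged for a session cannot be forwarded into someone's inbox.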
Companies that allowed others to create accounts with my email addresses:
PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.
Companies that spammed me in the last 24 hours because they don't validate email addresses they add to their mailing lists (maybe there are accounts too, IDK):
NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.