Hacker News

Yeah, every single time I get a spurious password reset email (presumably from someone trying to hijack my account), I'm worried they've somehow managed to add an unauthorized recovery email address outside of my control. It hasn't yet happened to me, but as we can see from this story, it is absolutely possible unfortunately.


I can't remember getting something like that. Maybe because I use a different e-mail address for signing up to services than for regular communication.

I just had an idea: maybe using a + alias (yourname+some-alias-address@example.com, made famous by gmail) could help against attackers. Even if they find out your email, they will never guess the part after the plus. If you forget it, though, then you can't reset your password anymore either.


> If you forget it though then you can't reset your password anymore either.

If you struggle with memorizing your username/email, there's a near zero chance you're using a password manager, which also means there's a near zero chance you're using decent passwords for your logins, in my experience.


It happened more than once that I didn't store a login to the password manager correctly. Either mixed up something while editing, or forgot to save it at all, or accidentally deleted an entry, and only noticed years later (long after old backups were overwritten).

So nothing ever is 100%.


Or it could open you up to other attacks when the service coalesces all those emails to one canonical example (to uniquely identify you or whatever -- note that almost no online service recognizes the importance of caps in the email address you use as a username for example, where the underlying email provider sometimes does) but does so differently than the actual email service, allowing anyone and their dog to create an email which will collide with yours.


Allowing anything other than a-z, 0-9 and some characters like - _ . as the name part of an email address is pure madness. If the mail provider treats User@domain as a different address than user@domain, and delivers them to different customers, this is simply asking for trouble. Even if it's standards-compliant behavior.


As a less contrived example then, consider "andix.hacker@foo.com" vs "andix..hacker@foo.com". Some email service providers canonicalize those to the same thing, and some don't.

Your service using emails for logins or adspam or whatever now faces a choice. You probably have to accept periods, and you probably don't want to try to hard-code all the different ways a period might be used legitimately as opposed to a typo, so you have to deal with that problem somehow. You can canonicalize (opening yourself up to hijacks, some unintentional as legitimate users just have emails that clash in your system), or not (potentially locking out some users).
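An added example, not from any commenter: a small Python model of the choice this comment describes. A naive rule that collapses dots, plus-tags and case for every domain merges "andix.hacker@foo.com" with "andix..hacker@foo.com" even though foo.com (a hypothetical provider here) may deliver them to different people; a provider-aware rule only merges addresses where the provider is known to do so. The provider rules are simplified assumptions, not a complete description of any real mail service.

```python
# Added example (not from the thread): compare a naive "canonicalize every
# address the same way" rule with provider-aware rules, and show where two
# distinct mailboxes collide. Provider rules below are simplified assumptions.
from typing import Callable


def _gmail(local: str) -> str:
    # Assumption (simplified): Gmail ignores dots and anything after '+'.
    return local.split("+", 1)[0].replace(".", "").lower()


def _strict(local: str) -> str:
    # Assumption: an unknown provider treats every character except case
    # as significant, so dots and '+tags' are kept.
    return local.lower()


# Only domains whose delivery rules are known get a collapsing rule.
PROVIDER_RULES: dict[str, Callable[[str], str]] = {
    "gmail.com": _gmail,
    "googlemail.com": _gmail,
}


def canonical_naive(addr: str) -> str:
    """Collapse dots, plus-tags and case for every domain (the risky choice)."""
    local, domain = addr.rsplit("@", 1)
    return f"{_gmail(local)}@{domain.lower()}"


def canonical_aware(addr: str) -> str:
    """Apply the provider's own rule; unknown domains stay strict, so two
    addresses merge only when the provider is known to deliver them together."""
    local, domain = addr.rsplit("@", 1)
    rule = PROVIDER_RULES.get(domain.lower(), _strict)
    return f"{rule(local)}@{domain.lower()}"


def collides(existing: str, signup: str, canon=canonical_aware) -> bool:
    """True if a signup with `signup` would map onto the account `existing`.

    A service can run this at registration and at password reset: a collision
    under the naive rule but not the aware rule is exactly the hijack window
    the comment above describes.
    """
    return canon(existing) == canon(signup)
```

Under the naive rule the two foo.com addresses collide; under the provider-aware rule they do not, while the Gmail pair still merges because that provider really does deliver them to one mailbox.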


Actually, I find the gmail features the opposite of helpful, because websites aren’t aware of them, and will happily treat as unique addresses using them that in fact aren’t. I have my username @ gmail (since very early days, when you needed an invite). At least once a week I get somebody's receipt or confirmation because they enter an email like tyler.e@


If they hijacked the domain, so that they control the MX record for it, they could just use that very address.


This could happen when the owner of a domain loses or drops it, and a bad actor picks it up.

All they have to do is set up an SMTP server and wait for junk mails, thereby learning about the e-mail addresses. Say Walmart sends some flyer. Poof, they have that user's e-mail, and the fact that they are registered with Walmart.


Sometimes mine come in Spanish. I don’t speak Spanish.



