I’m sorry, but your email address is not as valuable as you think it is

In running Have I been pwned? (HIBP), I often get asked – “Can I trust you with my email address?” – which I find to be a very odd question. It’s odd because for the most part, we never really think about how trustworthy a website is before we enter the address. What I mean by this is that we all sign up for dozens if not hundreds of services ranging from shopping to social to professional and enter a whole heap of data, including our email address all the time.

We then send emails left right and centre with no cryptographic protection at all. Those emails – and your address as the sender or as the recipient – fly around the web in the clear. When you get to a hotel they ask you to write it down on a piece of paper and something then happens with it, I’m not quite sure what. Many people drop their business cards in bowls to be eligible for prizes at conferences or even a local store, business cards complete with contact details… such as email.

I’ve had this post in mind for a while now, but what finally prompted me to write it was this comment that HIBP might be a useful resource for some people. More specifically, it was one particular response that prompted me to finally get this post out the door:

@Paul Moore So just to clarify, we should just click away trustingly even though those who have are puzzled by the fact that no problems are reported even though they are apparently inundated with scam emails and you can guarantee that the link posted earlier is associated with this guy Troy who most of us will never have heard of and whom you trust and there is no possibility of it being a spoofed link and actually nothing to do with said great guy Troy and, oh, by the way we are supposed to trust you also? Fine advice from a so-called security expert on a site frequented by many who are still nervous about a recent cyber attack.

Now I normally like to give people the benefit of the doubt after a rant like this and assume they’ve possibly just had a bad day or are drunk or in some other temporary state of judgement-impaired psychosis. I couldn’t help but be amused though, not so much because of their paranoia level (and to be fair, a healthy amount of paranoia on the web is a good thing), but because of where the comment suggesting I was not to be trusted was posted: this is a TalkTalk forum!

As you may recall, TalkTalk recently suffered from what one former detective suggested was the work of “Islamic cyberterrorists” or as we later came to refer to it as, getting pwned by a 15 year old in his bedroom. That’s the level at which TalkTalk were playing at and the threat to which anyone who entrusted TalkTalk with their personal details exposed themselves to. Not a cyberjihadi, a bored kid.

But here’s the thing – I would have trusted TalkTalk with my email address. I also would have trusted (in fact I did trust) Adobe and Patreon, both of whom now make notable appearances in HIBP. I trust many others – you trust many others – who are yet to lose our data and we have absolutely no clue how or when. You simply cannot make a reliable judgement decision on how likely your data is to be abused or breached based on your confidence in the organisation standing up the site. Yet somehow, every now and then, I see a comment like the one above.

Getting back to HIBP for a moment, I’m tracking over a quarter of a billion email addresses there at present. That’s a lot, until you read about the likes of these guys with 1.2 billion of them. I suspect their motives are somewhat less honest than mine, but it demonstrates just how broadly account details are spread across the web these days. If I or anyone else wants email addresses, they’ll just go and get them. Here’s a tip – start with the Adobe breach which is broadly available and will get you started with 152M email addresses. Don’t bother mucking around trying to harvest them one by one and particularly in my case, risk your credibility in the process.

Now all that being said, I’m enormously cautious with how I handle email addresses. It’s personal data and it deserves the utmost respect which is why I describe how I handle data on the FAQs page and make sure I’m exceptionally transparent about who I am and why I’ve built the service. But it’s not your password or your home address or other classes of data that are genuinely sensitive; you don’t get your identity stolen and you’re usually looking at no more than junk mail at worst.

The whole point of an email address is that you share it with other people – that’s how you get emails sent to it! Email addresses are also readily discoverable via various online channels, both legitimate and a bit shadier. It’s usually a trivial affair to track down someone’s address because after all, that’s how you get in touch with them!

You should protect your personal info and only share it with services you trust and that includes not giving it to HIBP if you’re not confident doing so. If the site doesn’t seem trustworthy then get out of there and don’t give them anything; you know, sites like TalkTalk!

Security Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals