m_km3d ago

Someone at BrowserStack Is Leaking Users' Email Address

https://shkspr.mobi/blog/2026/04/someone-at-browserstack-is-leaking-users-email-address/

Someone at BrowserStack is Leaking Users' Email Address

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address. A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few…

Terence Eden’s Blog
Show threadpetcat

> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" is not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

Apr 5 at 2:17pmWeb
Show threadJaxan3d ago
I just do <website>@<myhost.tld>. It is sometimes confusing by when interacting with customer support ;-)
Show threadOptionOfT3d ago

Yes ma'am, my email address really is bofa.com@<optionoft's-lastname>.com

No I'm not trying to hack you.

Which in hindsight is also what a hacker would say. I can't win...

Show threadnoAnswer3d ago

There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account, with [email protected]. But a seconde later you will get an email that your account got band.

They know their way around IT security! /s

Show threadanonymousiam3d ago
What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is [email protected], and I am still receiving emails from them.
Show threadnoAnswer3d ago
It happend to me when i created my account in 2025. Within seconds of verifying the address I got a email that my account was band for TOS violation. I than created a seconds account (within minutes from the same IP) only writing "dc" instead of "discord" and that worked. ¯\_(ツ)_/¯
Show threadzephen3d ago
Where, of course, 'bofa' is merely short for 'bofetada.'
Show threadjnettome3d ago
On top of it my email address is .me so is very common to when I finish spelling my e-mail, people waiting for .com
Show threadphyzome3d ago
I often get asked whether I'm a fellow employee.
Show threadSemaphor3d ago
I had one website forward my mail to their legal department who asked me why I’m impersonating them :D Only required a short explanation though.
Show threadtheandrewbailey3d ago
I have an account just like that at Best Buy with my domain. The teenage cashier I gave it to thought it was cool.
Show threadoverlordalex3d ago
The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like [email protected], and that way when service@ starts receiving spam you know exactly where it comes from
Show threadValentineC3d ago

^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.

Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.

Show threadanonymousiam3d ago

I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

Show threadaaomidi3d ago
Take it a step further and do uuid@
Show threadfragmede3d ago
yes, but service is too guessable, so append a randomly generated nonce as well, eg [email protected]. It doesn't need to be cryptographically random, just non trivially guessable to prove the service is leaking email addresses.
Show threadQuantumNomad_3d ago

iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.

Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.

Show threadmjlee3d ago

I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.

As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?

Show threadgarciansmith3d ago
Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.