m_km3d ago

Someone at BrowserStack Is Leaking Users' Email Address

https://shkspr.mobi/blog/2026/04/someone-at-browserstack-is-leaking-users-email-address/

Someone at BrowserStack is Leaking Users' Email Address

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address. A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few…

Terence Eden’s Blog
Show threadpetcat3d ago

> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" is not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

Show threadoverlordalex3d ago
The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like [email protected], and that way when service@ starts receiving spam you know exactly where it comes from
Show threadValentineC3d ago

^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.

Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.

Show threadanonymousiam

I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

Apr 5 at 3:27pmWeb