I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with something@deleteduser [dot] com or similar.

The answer is: at least 3 different orgs in the hour that I've owned that domain and been listening for email.

And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D

#infosec

Up to about 24 different orgs now. Overnight I had some emails containing PII of 'deleted' users from a:

UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Service

and best of all

US based Antivirus Manufacturer and Cybersecurity Provider

And of course the hotel reservations platform is happily spitting out the names of guests and their contact info to the Deleted User email address.
Linked (Medium): Deleteduser.com - a $15 PII Magnet. "When is a delete not a delete? When it's a publicly routable placeholder."
Thursday must be PHI day - a platform that appears to be used by care workers and psychologists is happily sending patient names and details to deleteduser dot com.

A couple of new additions today to the internet dumpster:

- Some internal system at one of the world's largest and most recognizable consumer electronics manufacturers is telling deleteduser.com all about approved purchase orders, including direct links to the orders and the names of all the people who are involved.

- More gyms, very common.

- Some platform used to offer temporary shifts to healthcare workers asked a nurse at deleteduser.com if they were available to urgently cover a shift at a South African healthcare facility.

Side note: if you want to see how common a pattern this is (and I can't believe I didn't think of this earlier), go search GitHub.com for 'deleteduser.com'; there are lots of examples of delete functions from apps there that do this type of thing.
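An added example, not code from SecureOwl's thread or from any of the apps or orgs it mentions: the 'delete' anti-pattern the thread describes (overwrite the email with a placeholder on a public, registrable domain) beside a hardened version that tombstones the row and uses a placeholder under a reserved TLD, plus the audit query you would run on an existing database. It goes a little beyond the thread by adding that audit. The users table, the sample rows, the stand-in mailer and the deleted.invalid placeholder are all constructed assumptions for illustration.

```python
"""Deleted-user placeholder anti-pattern vs. a hardened version (added example).

Everything here is constructed for illustration: the schema, the sample rows, the
stand-in mailer and the placeholder domain are assumptions, not any real app's code.
"""
import sqlite3
import uuid

# RFC 2606 / RFC 6761 reserved names. They are never delegated, so nobody can
# register them and receive mail sent to addresses under them.
RESERVED_TLDS = (".invalid", ".test", ".example", ".localhost")

SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    name       TEXT,
    email      TEXT NOT NULL,
    deleted_at TEXT
)
"""

# Constructed sample rows (not real people).
SAMPLE_USERS = [
    (1, "Alice Example", "alice@example.com"),
    (2, "Bob Example", "bob@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users (id, name, email) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def is_reserved_domain(email):
    """True if the address is under a reserved TLD, i.e. it can never be routable."""
    return email.lower().rsplit("@", 1)[-1].endswith(RESERVED_TLDS)


def delete_user_vulnerable(conn, user_id):
    """The anti-pattern from the thread: overwrite the address with a placeholder on a
    public, registrable domain. The row still looks live to every code path that sends
    email, so whoever owns deleteduser.com receives the notifications."""
    conn.execute("UPDATE users SET email = 'deleted@deleteduser.com' WHERE id = ?", (user_id,))


def delete_user_hardened(conn, user_id):
    """Tombstone the row: scrub the name, replace the address with a unique placeholder
    under a reserved TLD, and record the deletion so mailers and exports can skip it."""
    placeholder = f"deleted-{uuid.uuid4().hex}@deleted.invalid"  # assumed convention
    conn.execute(
        "UPDATE users SET name = NULL, email = ?, deleted_at = datetime('now') WHERE id = ?",
        (placeholder, user_id),
    )


def send_notification(conn, user_id, body, outbox):
    """Stand-in mailer: appends (recipient, body) to outbox and returns True when it would
    really send. Two independent guards (tombstone and reserved-domain check) so that a
    code path which forgets the tombstone still cannot deliver to a third party."""
    row = conn.execute("SELECT email, deleted_at FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return False
    email, deleted_at = row
    if deleted_at is not None or is_reserved_domain(email):
        return False
    outbox.append((email, body))
    return True


def audit_placeholders(conn):
    """Find rows that look 'deleted' by naming convention but still carry a routable
    address. Run this against an existing database before someone else registers the
    placeholder domain."""
    rows = conn.execute("SELECT id, email FROM users WHERE lower(email) LIKE '%deleted%'").fetchall()
    return [(uid, email) for uid, email in rows if not is_reserved_domain(email)]


def demo():
    """Run both deletion paths on a fresh sample DB. Returns, per path, who actually
    received a notification meant for the deleted user and what the audit flags."""
    results = {}
    for label, delete in (("vulnerable", delete_user_vulnerable), ("hardened", delete_user_hardened)):
        conn = make_db()
        delete(conn, 1)
        outbox = []
        send_notification(conn, 1, "Booking confirmed for Alice Example, room 212", outbox)
        results[label] = {
            "recipients": [to for to, _ in outbox],
            "audit_flags": audit_placeholders(conn),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: notification went to {r['recipients'] or 'nobody'}; audit flagged {r['audit_flags']}")
```

The vulnerable path delivers the booking notice (with the guest's name in it) to deleted@deleteduser.com; the hardened path delivers nothing, and even a mailer that ignores deleted_at cannot deliver to deleted.invalid. The audit returns the vulnerable row and nothing for the hardened one.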

I added 5 variations on this domain (not going to say what they are just yet, so as not to interfere with the results), and in the first 20 minutes I have 3 more orgs all sending PII to these addresses for now-deleted users.

That includes the ticketing system of a managed IT services provider in Malaysia, which sends the full content of the ticket - system names, IPs, etc.

Rather ironically, a platform that helps companies "hire the world’s top remote talent without the search" is now on the list.

Yeah, so I registered internaluser.com and wow.

@SecureOwl that's mind-blowing. You've just discovered a terrible secret that software devs have been committing. PII violations from so many orgs.