i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with [email protected] or similar.

The answer is: at least 3 different orgs in the hour that I've owned that domain and been listening for email.

And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D

#infosec

Up to about 24 different orgs now; overnight I had some emails containing PII of 'deleted' users from:

- UAE-based gym chain
- South African HR platform
- EU-based hotel reservations platform
- India-based delivery service

and best of all

- US-based antivirus manufacturer and cybersecurity provider

And of course the hotel reservations platform is happily spitting out the names of guests and their contact info to the Deleted User email address.
Deleteduser.com - a $15 PII Magnet (Medium): "When is a delete not a delete? When it's a publicly routable placeholder."
Thursday must be PHI day - a platform that appears to be used by care workers and psychologists is happily sending patient names and details to deleteduser dot com.

Couple of new additions today to the internet dumpster:

- Some internal system at one of the world's largest and most recognizable consumer electronics manufacturers is telling deleteduser.com all about approved purchase orders, including direct links to the orders, and the names of all the people who are involved.

- More gyms, very common.

- Some platform used to offer temporary shifts to healthcare workers asked a nurse at deleteduser.com if they were available to urgently cover a shift at a South African healthcare facility.

Side note, if you want to see how common of a pattern this is, and I can't believe I didn't think of this earlier, go search Github.com for 'deleteduser.com', lots of examples of delete functions from apps there that do this type of thing.

I added 5 variations on this domain (not going to say what they are just yet to not interfere with the results) and in the first 20 minutes I have 3 more orgs all sending PII to these addresses for now deleted users.

Includes a managed IT services provider in Malaysia's ticketing system, which includes the full content of the ticket - system names, IPs etc.

Rather ironically, a platform that helps companies "hire the world's top remote talent without the search" is now on the list.

yeah so i registered internaluser.com and wow

oh noe - one of those places what sell knock off viagra does this

Haven’t done this because I’m an ethical sausage, but I do wonder - how many of these sites would happily send a password reset link to [email protected], and after resetting the password, how much order history/other PII and the like would be there?

I’d guess between 98-100% of them.

ok, curiosity won and I tried it on a couple

yes, they all willingly sent the password reset link to the domain

yes, they let me reset the password

no, they didn’t have mfa

yes, they let me log in to the “deleted” accounts

yes, i saw order histories, names, DOBs, last four of credit cards

yes, i disclosed to the security contacts i could find at the companies

yes, one of them was the viagra place

In one of the more ironic welcomes to the internet dumpster, an EU-based Bug Bounty program provider apparently uses a publicly routable placeholder domain for its "deleted" users' email addresses.

one org got back to me and said, 'yeah we effed up - and are fixing'

I was thinking of that scene in the "Bart falls down the well" episode of The Simpsons where at the end they say, 'and now to make sure nobody ever falls down this well again', followed by them putting up a small sign that says 'caution: well'.

I bet they'll run something like:

UPDATE users
SET email = REPLACE(email, '@deleteduser.com', '@deleteduser2.com')
WHERE email LIKE '%@deleteduser.com';

So no one ever falls down the well again.
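As an added example (not code from anyone in the thread), here is the delete pattern the thread describes next to a version that cannot leak, plus an audit over a constructed users table that catches the "deleteduser2.com" style of fix. The `.invalid` TLD and example.* domains are RFC 2606 reserved; all other names below are hypothetical.

```python
import hashlib

# RFC 2606 reserved names: mail addressed to them cannot reach a third party.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}


def is_undeliverable(email: str) -> bool:
    """True if the address sits under an RFC 2606 reserved name."""
    dom = email.rsplit("@", 1)[-1].lower()
    return dom in RESERVED_DOMAINS or dom.rsplit(".", 1)[-1] in RESERVED_TLDS


def anonymize_vulnerable(email: str) -> str:
    # The pattern from the thread: every deleted user is rewritten to one
    # mailbox on a real, registrable domain. Whoever registers it gets the mail.
    return "deleted@deleteduser.com"


def anonymize(user_id: int, email: str) -> str:
    # Hardened form: opaque per-user local part (UNIQUE constraints keep
    # working) under a domain that is undeliverable by definition.
    tag = hashlib.sha256(f"{user_id}:{email.lower()}".encode()).hexdigest()[:16]
    return f"deleted-{tag}@anonymised.invalid"


def audit_users(rows: list[dict]) -> list[dict]:
    """Return deleted rows whose placeholder address is still routable."""
    return [r for r in rows if r["deleted"] and not is_undeliverable(r["email"])]


class Mailer:
    """Outbound gate: refuses deleted accounts whatever their address says."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, user: dict, subject: str) -> bool:
        # Drop rather than leak: covers resets, tickets, rosters, invoices.
        if user["deleted"] or is_undeliverable(user["email"]):
            return False
        self.sent.append((user["email"], subject))
        return True


# Constructed sample table after a "move to deleteduser2.com" style fix.
SAMPLE_USERS = [
    {"id": 1, "email": "alice@corp.local", "deleted": False},
    {"id": 2, "email": "deleted@deleteduser2.com", "deleted": True},
    {"id": 3, "email": anonymize(3, "bob@corp.local"), "deleted": True},
]
```

Running `audit_users(SAMPLE_USERS)` flags row 2, the one the UPDATE above would produce; row 3 passes because its domain can never be registered.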

Another good one - a European country's licensing authority for construction workers sends an email to deleteduser.com each time an employee is added to, presumably, the "deleted" users former company.

That email includes the name, trade and license info of the person being added, alongside the PII of the "deleted" user.

@SecureOwl "...and this is how we managed to send the DPO to the E.R.".