Not OK Cupid – A story of poor email address validation

129 points by brongondwana 2 months ago

17 comments

RandomBacon 2 months ago
Companies that allowed others to create accounts with my email addresses:

PayPal, Apple, Credit Karma, Walmart (I just forwarded the email to legal@ and they took care of that instance very quickly, kudos to that at least). Edit: Forgot to add TD Bank - I actually opened a case with the Office of the Comptroller of the Currency that regulates this bank.

Companies that spammed me in the last 24 hours because they don't validate email addresses they add to their mailing lists (maybe there are accounts too, IDK):

NerdWallet, Ace Hardware, Take 5 Oil Change, Boot Barn, Tommy Hilfiger, The University of Scranton, Tractor Supply Company, Kutztown University, and a few small businesses.
DidYaWipe 2 months ago
Ugh. Then there's the general stupidity of forcing people to use E-mail addresses as user IDs. It's not just annoying, but also a security blunder. The general public can't be counted on to understand that when they're forced to use their E-mail address as an ID, they don't have to use their E-mail account's password for it.

That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.

Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.

It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.

But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.

It's too bad. OKCupid was the best of the dating sites during its heyday.
0xbadcafebee 2 months ago
> When I tried to unsubscribe using the one-click unsubscribe button in one of the emails, I was met with an error: “Something went wrong, please try again later.”

I want to start a blog which is just shaming every company whose most basic functions don't work and there's no recourse. It happens at least twice a day to me. Like a financial services management company whose website can't load my financial information. Or a jobs site that offers me premium subscription but its payments page is broken and I can't even notify them because there's no contact method. Or half the unsubscribes on the internet that never work, or require me to login to unsubscribe but it won't let me log in.

Does anyone work at Google? Why is it that, on my Samsung Android phone, when I pull up Google Search in the browser and click the search bar, if I don't wait at least 30 seconds, anything I type into the text bar not only is severely lagged, but then the letters appear in random jumbled order like the cursor is jumping? But if I wait it works fine?? Don't they make billions of dollars? Isn't this their whole product? What the hell is going on over there?!

The enshittification of technology is so extreme it feels like the whole web is constantly broken and literally nobody cares. If physical stores didn't exist and it was all online, I think riots would break out.
inetknght 2 months ago
OkCupid is a terrible service. It disassociates real people who don't pay, and encourages fraudulent scams such as pig butchering. Bots are ridiculously easy to spot. You can end up in an endless loop of the same rejects unless you start blocking them.
Teever 2 months ago
OKCupid has another security issue related to email. If you get your hands on a link that they send out to a person's email regarding a match then that link auto logs you into their account and you can do whatever you want with it.

I discovered that when a friend of mine forwarded me a match that they had made and I suddenly found myself able to read their messages.

I contacted OKC about it and they did reply saying that it was a WONTFIX.
comrade1234 2 months ago
Just mark the emails spam and forget about them. If everyone blogged about every spam email they got we’d get articles every day about spam emails everyone got.
yx827ha 2 months ago
Fastmail's masked emails are great! I honestly very rarely give out my "real" email. Usually when I sign up for something I create a masked email, or if I need an email on the spot I use a wildcard alias (xxxxxx@myalias.fastmail.com). Since most of my emails are random, it serves as an additional authentication factor.
commandersaki 2 months ago
Spamazon did the same thing to me, someone signed up with my email and didn't verify and I couldn't recover the account because of the phone number associated with the account. Amazon was completely uncooperative.

Again, similar story with Commonwealth Bank of Australia which is even scarier since it's a bank.
monksy 2 months ago
For those who are considering aliases to reduce spam in this.

DO THIS TODAY. One of my aliases at the vendor Thermpro got compromised by them. I got list bombed pretty badly. Because it was an alias, I was able to turn it off. I got over 2k messages (most of it "sign up for our mailing list") within the first 12 hours. Reaching out to the vendor got nowhere. (Pretty sure they don't care that they were compromised.)
kentonv 2 months ago
Problem is, if you implement strict email verification, you lose users. Because that step of "please open your email and verify" is actually a big drop-off point in the funnel. No amount of "shaming" people over lax email validation is going to convince them to implement a change that *loses them money*.

Don't get me wrong, I hate it too. Every single day I have to block about a dozen new sender addresses for services that someone has signed up for under my email. Because my email address just so happens to be temporal at gmail.com (it was my teenage gamer tag), and it just happens that "temporal" means "temporary" in Spanish, so about half a billion humans think it's a great throw-away address.

Luckily I can very easily identify the emails that aren't meant for me, because they are in Spanish, which I do not speak. Still, I thought that after years of blocking a dozen senders a day, I'd have blocked just about everything... but no, they just keep coming. I've given up on clicking "unsubscribe" or trying to hijack accounts to shut them down, I just go straight to "block" now...

But yeah. I've been demanding that people validate email addresses for decades, and can assure you that nobody cares and they're not going to start.

The best you can hope for really is that they put a link in the email to disavow the account with one click. I've only seen a few companies do that but I really appreciate it!
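
Added example, not part of any comment in this thread and not code from OkCupid or any other company named here: one way to build the two links the comments above ask for, a signup verification link and a one-click "this wasn't me" disavow link, using HMAC-signed, expiring, purpose-bound tokens so that a forwarded email link can confirm or reject a signup but never logs anyone in. The secret, lifetimes, function names and the in-memory `accounts` dict are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumptions: demo secret and lifetimes; load a real key from a secrets store.
SECRET = b"constructed-demo-key"
LIFETIME = {"verify": 24 * 3600, "disavow": 30 * 24 * 3600}  # seconds


def _sign(body: str) -> str:
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_token(email, purpose, now=None):
    """Build 'purpose.expiry.b64(email).signature' to embed in an email link."""
    expiry = int((time.time() if now is None else now) + LIFETIME[purpose])
    addr = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    body = f"{purpose}.{expiry}.{addr}"
    return f"{body}.{_sign(body)}"


def check_token(token, expected_purpose, now=None):
    """Return the address the token was issued for, or None to reject it."""
    now = time.time() if now is None else now
    try:
        purpose, expiry, addr, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(f"{purpose}.{expiry}.{addr}")):
            return None  # forged or altered
        if purpose != expected_purpose or int(expiry) < now:
            return None  # wrong endpoint for this link, or link expired
        return base64.urlsafe_b64decode(addr + "=" * (-len(addr) % 4)).decode()
    except (ValueError, TypeError):
        return None


def handle_link(accounts, token, purpose, now=None):
    """Apply a clicked link; neither kind of link creates a login session."""
    email = check_token(token, purpose, now)
    if email is None or email not in accounts:
        return "rejected"
    if purpose == "verify":
        accounts[email]["verified"] = True
        return "verified"
    if accounts[email]["verified"]:
        return "rejected"  # disavow only removes never-verified signups
    del accounts[email]
    return "disavowed"
```
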
Arch-TK about 2 months ago
Someone with my identical full name has for the past few years kept providing my old and unused gmail email address to various entities.

This has included banks, shops, and a company which apparently offers training to help you acquire a gun license in Poland.

I now know where this person lives (from order confirmation emails). I know this person's date of birth. I also know this person's PESEL (Polish national identification number) because one of the banks "protected" a document intended for this person by using part of the PESEL as a password (I just brute-forced that part). The other part is just an encoding of the birth date.

So I now have enough information to impersonate someone just because a number of organisations screwed up by not verifying ownership of an email address.
anotherevan about 2 months ago
Ugh, I've got exactly the same thing with match.com at the moment. Some other Evan, presumably with the same last name, used my gmail address. Unsubscription link seems to have had no effect, I ended up just putting a filter in to send them straight to deleted.

Over the years I've been signed up for various porno sites, had wedding invitations, college applications, airplane tickets and an ongoing rental dispute all because either another Evan doesn't want to use their own email address for something dubious, or someone has assumed my gmail address must be the Evan they are after.
BrenBarn 2 months ago
OKCupid went steeply downhill over several years and as far as I can tell is now worthless and untrustworthy in every way.
AbstractH24 about 2 months ago
This was interesting until the end when it became an advert for fastmail.
ahstilde 2 months ago
What's OKCupid's incentive?
gregjor 2 months ago
I sympathize, I have dealt with this a couple of times, most recently with Coinbase (resolved).

I agree that we would live in a better world if everyone on the internet followed standards and best practices, but we will never live in that world. We can expect the enshittification to get worse.

When this happens to me I make a filter to trash the emails. No amount of complaining or well-meaning (and in this case a bit self-promoting) articles will make the rest of the world change.
WaitWaitWha 2 months ago
I know that the US has the CAN-SPAM Act, the EU has GDPR, and Canada has CASL. I do not believe this would be part of it.

Is there any other legal recourse that could be pursued in small claims court/ESCP?