What can people find about me from just my email address?

I listened to a podcast today which gave me pause… the guy was talking about “social engineering”, how it’s possible to get information on people just based on their email and some other scant pieces of information.

Apparently that’s how Scarlet Johanson’s pictures were leaked–she’d left a bunch of information online like the name of her pet, what high school she went to, etc, and a hacker could use that to get into her email.

Disturbing, but what disturbed me more was his statement that “I can use your email to see what online forums you’re a member of”. First of all, I presume that’s only the forums where you make your email public? Are there programs or search engines that allow people to put in your email and discover what forums you’ve logged into with that email, even if the email is kept private?

I’ve posted on a few forums here and there, and though I never wrote anything too horrible, I wouldn’t want a prospective employer or snoopy ex-girlfriend getting to see that.

Any input’s much appreciated.

Yes, I’ve seen many. Many others delete some letters, and/or change “@” to “AT”, but not all.

Try Googling your own email address. You might be surprised!

Just do a google search of your email address and see what shows up. Just remember that Google is just one search engine and there are others places to search.

I googled my emails, thankfully only minor things came up, like comments I’d made on some blog–though I could swear I didn’t offer up my email publicly… e.g. things like

“blahblah@gmail.com says:” and my comment

On some websites, they could probably try to log in as tanhauser_gate@email.com and depending on the error they get back (invalid email or invalid password) know whether you’re registered there.

And almost always, trying to register with an existing email account will result in an error saying such. So if they went to Pervs-R-Us.com and tried to sign up as you but your email was already in the system, that’s a likely sign that you’re already a member there. This is even more the case when the website requires an activation link in your email, because that’s de facto proof that somebody with access to your email account signed up (or they wouldn’t have gotten the activation email).

Interesting, I just googled 2 of my email addresses and got zero hits. Tried the same in Dogpile and same result.

I knew I’d get busted for pervs-r-us.com eventually

I had the same results as stui magpie - no hits on my personal e-mail account; some for my work account, but nothing surprising.

Leaving stuff on the internet such as favourite pet, your mother’s last name, etc. can be used to answer your “secret” question and so reset your password. On most sites this isn’t possible any more. But I believe you could swap the receiving email address where the new password link was sent to for your own.

As a web developer, I want to assure everybody that that is considered bad practice in the field.

The error for an invalid username or password should always be vague enough so you can’t tell whether the username or password was in error. (Not just the message displayed to the user, but the message from the authentication server as well.)

It’s rare you find a website that makes this mistake, but there are millions of websites.

Bad practice, sure, but quite common in my experience. Try logging in with “test@test.com” (which is usually taken) versus something random and unused, like “asdfwaefw234w2r2@asdff.com”. The SDMB is guilty, for one. Facebook does it (and even tells you the name associated with the email account). Reddit does it if you try to register with an existing email. Slashdot does it. From Wikipedia’s list of internet forums, the top three (Gaia, Bodybuilding, XDA Devs) all do it. Hell, even the official vBulletin forum does it, which likely means that any forum using their software has the same issue.

(ETA: My contradictory opinion is that the internet is a very insecure place and vulnerabilities are discovered daily and fixed monthly if you’re lucky. Many web developers, me included, have a very poor grasp of security principles. And even the big boys routinely fuck up. Your information, once online, is never truly safe.)

But what if someone tries to register as a new user with your email address? They would either succeed, or get an error message saying that email address is already registered (which tells them you are a registered user of that site).

Wow, this is really interesting. Facebook DOES give different messages for wrong password and nonexistent accounts, but it only displayed account name and profile picture for my account, so I think it only does that if you’ve logged in on this computer recently.

They could just say “Thanks for registering. The email you used was blah@blah.com. Please check your inbox for an activation message. You will not be able to log in until you activate your account.”

And then to the actual email address, assuming it was already registered: "Somebody tried to register an account with your email address at our website, but you already have an account! Click here to reset your password.

If it WASN’T you, just ignore this email. You won’t get this message again for another month. You can also log in to your account to disable these notices for good."
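The two points made above (a login error that does not say which field was wrong, and a registration flow that answers the same way whether or not the address is taken, telling the real owner by email instead) are easy to get wrong in small ways. The following is an added example, not code from this thread or from any of the sites mentioned in it. It uses a constructed in-memory account store and a list standing in for an outgoing mail queue; the function and message names are made up for illustration. It shows the leaky login pattern beside a hardened one that uses a single message and does the same password-hashing work for unknown addresses, so that neither the text nor the response time distinguishes “no such account” from “wrong password”.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory account store for this example; not any real site's code.
# email (lower-cased) -> {"salt": bytes, "hash": bytes, "active": bool}
USERS = {}
OUTBOX = []  # constructed stand-in for an outgoing mail queue: (to, body)

UNIFORM_LOGIN_ERROR = "invalid email or password"


def _hash(password, salt):
    # PBKDF2 with a modest iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def store_user(email, password, active):
    salt = os.urandom(16)
    USERS[email.lower()] = {"salt": salt, "hash": _hash(password, salt), "active": active}


# Dummy credentials: the hardened login runs the same PBKDF2 work for an unknown
# address as for a known one, so response time does not reveal existence either.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email, password):
    """The pattern the thread describes: the message says which field was wrong."""
    rec = USERS.get(email.lower())
    if rec is None:
        return "invalid email"
    if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        return "invalid password"
    return "ok"


def login_uniform(email, password):
    """Hardened: one message and one code path for missing, pending and wrong-password cases."""
    rec = USERS.get(email.lower())
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    matches = hmac.compare_digest(expected, _hash(password, salt))  # always computed
    if rec is None or not rec["active"] or not matches:
        return UNIFORM_LOGIN_ERROR
    return "ok"


def register_uniform(email, password):
    """Registration that returns the same text whether or not the address is taken.
    The existing owner is told by email instead, as the post above proposes."""
    key = email.lower()
    if key in USERS:
        OUTBOX.append((email, "Somebody tried to register with your address here. "
                              "If it wasn't you, ignore this; you can reset your "
                              "password from your account."))
    else:
        store_user(email, password, active=False)  # unusable until activation
        OUTBOX.append((email, "Click the activation link to finish signing up."))
    return (f"Thanks for registering. The email you used was {email}. "
            "Please check your inbox for an activation message.")


def activate(email):
    """Called when the activation link is followed (token handling is out of scope here)."""
    USERS[email.lower()]["active"] = True


if __name__ == "__main__":
    store_user("tanhauser_gate@email.com", "correct horse battery", active=True)
    print(login_leaky("nobody@example.com", "x"))          # invalid email
    print(login_leaky("tanhauser_gate@email.com", "x"))    # invalid password
    print(login_uniform("nobody@example.com", "x"))        # invalid email or password
    print(login_uniform("tanhauser_gate@email.com", "x"))  # invalid email or password
    print(register_uniform("tanhauser_gate@email.com", "pw"))
    print(register_uniform("new@example.com", "pw"))
    print(OUTBOX)
```

Two design notes: the dummy hash matters as much as the wording, because a login that skips the hashing step for unknown addresses answers measurably faster, and the pending flag is what keeps the “register with someone else’s address” path from creating a usable account. Neither replaces rate limiting on the login and registration endpoints, which is what stops the bulk checks the thread worries about.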

I googled mine and just get a handful of Firefox bugs I’ve reported. (Make sure you use quotes, or it may search for just your username.) Bugzilla seems to be the odd site out in actually displaying your email address.

I’m sure that they could get more information from stuff that’s been hacked, though. And, yes, there’s almost always a way to see if you’ve used a particular email to register on a website. The vague error messages only stop the stupidest of scammers and cause a bit of inconvenience to legitimate users.

A very few sites may warn you if someone tries to sign up with your email (ala Reply) but they’re so few I don’t even remember which one(s) it was.

Of course, if your password is your pet’s name (“Fido123”) or your spouse’s, or your kid’s, then you are begging to be hacked.

Did they mean they can do this after breaking into your email or just by knowing your email address? Just knowing the address would be hit and miss but if they break into it, you may have various emails from forums that they could see.

If you have any sense, you create an account with gmail specifically to join pervs_are_us and then never use it again unless you have a problem with that specific site.

As an aside, it is better to have complicated passwords and to write them down than to have simple ones you can remember.

Ah, maybe that was it, I could have misinterpreted.

That said I imagine it must be accessible somehow, so I’d definitely second what bob said above.