Hackers need personal data to exploit for identify theft and other fraud, but sometimes a simple typing mistake can expose your private information to someone who has no reason to see it. If that happens you have to hope that the person getting access to your accounts lacks criminal tendencies.
I wanted to change the email address associated with my Amazon account from one I rarely use to what has been my primary email for nine years, but when I tried to make the change Amazon warned that there was already another account using that email. Because I wasn’t sure if the other account was something I had set up and forgotten I requested a password reset and logged in. The account I found myself in was not mine. The account belonged to someone with a similar name and, I must assume, a similar email address.
Once in this other Kim’s account I could see her past orders: two cell phone cases (one blue with a credit card slot, one leopard print) and a sterling silver heart link bracelet. I could also see her full name, her home address, her phone number, and some credit card information. Sure, it only showed the last four digits of the credit card number and the expiration date, but that limited data was enough to enable a hacker to take over Mat Honan’s Apple account. Apple has since changed their procedures, but there are other ways this data could be exploited, and it was all made easily available to me because some other Kim mistyped her email address.
This woman’s name seemed familiar, so I searched my email archives. I had in fact received the shipping notices for her Amazon orders, but I ignored them as mistakes. I could have accessed this woman’s account a long time ago.
I have an email address that this happens with all the time. There is another Kim whose low bank balance warnings and overdraft alerts got sent to my email. Since those are kind of important I tried to notify the bank that the wrong email was on the account. Chase, however, requires additional information to authorize any changes. They asked me if I knew the account number or the account holder’s social security number. I tried to explain that I know nothing about the account holder other than her name and most recent balance alert. After flummoxing several customer service reps I just sent those messages to my spam folder.
I also used to get notifications for someone’s profile on an Indian dating site. That site actually confirmed “my” new account by sending me an email with the username and password in plain text. I logged in thinking I could change the email to be anything but mine. Unfortunately, the woman creating the account had only filled out her profile halfway, and the site was prompting me to complete the profile before I could change the email address. Those notifications got sent to spam as well.
I looked at these breaches of privacy as annoyances for putting junk in my inbox and making extra steps when I wanted to use my email for my own account. Someone else could have been malicious. Even if the information in these accounts was not enough to be useful it would be a good base for some Google searches or social engineering to find out more. The information could be used for identity theft, to target the person in a scam, or for other crimes and mischief. These people were lucky that I am a generally honest person. Would you be so lucky?
Update: I posted some tips for managing online account data beyond the obvious: Don’t use someone else’s email address for your accounts. Read those tips here. You may also enjoy my posts on information security basics, Twitter and Facebook security and Facebook privacy.