I’m very careful with privacy and security so I was surprised I got an obvious phishing email from “American Express”. I reported the email and moved on only to get another one today. I checked haveibeenpwned and it came back clear. I have never gotten a phishing email before the other day. As for the senders, they all came from generic IT sounding email addresses. They obviously weren’t American Express.
When I sign up somewhere, I often use
my.emailaddress+service@gmail.com
And then occasionally spam comes into my mailbox “hi person, you signed up for spam service” sent to my.emailaddress+spotify@gmail.com
and well, now I know who sold it
also also, type your email into haveibeenpwned.com to find if it’s leaked somewhere
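The plus-address trick from the comment above, as an added example that is not part of the original thread: it reads the recipient alias of each message and flags mail whose sender domain does not match the tag. The function names, the sample messages and the "tag is a label of the sender domain" heuristic are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Spotify <no-reply@spotify.com>\nTo: my.emailaddress+spotify@gmail.com\n"
    "Subject: Your receipt\n\nbody\n",
    "From: Deals <promo@cheap-deals.example>\nTo: my.emailaddress+spotify@gmail.com\n"
    "Subject: hi person\n\nbody\n",
    "From: Friend <friend@example.org>\nTo: my.emailaddress@gmail.com\n"
    "Subject: lunch\n\nbody\n",
]

def alias_tag(address):
    """Return the +tag of a plus-addressed mailbox in lower case, or None."""
    local, _, _domain = address.rpartition("@")
    _base, plus, tag = local.partition("+")
    return tag.lower() if plus and tag else None

def check_message(raw):
    """Return (tag, sender_domain, verdict) for each tagged recipient of one message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    findings, seen = [], set()
    for _name, addr in getaddresses(headers):
        tag = alias_tag(addr)
        if tag is None or tag in seen:
            continue
        seen.add(tag)
        # Heuristic (assumption): mail to the "+spotify" alias should come from
        # a domain with a "spotify" label. From is spoofable, so "expected" is
        # not proof of legitimacy; "leaked" means the alias reached someone
        # other than the service it was given to.
        verdict = "expected" if tag in sender_domain.split(".") else "leaked"
        findings.append((tag, sender_domain, verdict))
    return findings

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_message(raw))
```
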
A few months ago was the largest data breach possibly ever. Something like 300GB of personal information. Basically everyone in the US. They have everything on everyone and it’s being passed all around on the dark web like skittles. The mainstream media didn’t cover this for whatever reason.
Look up “National Private Data Breach”. You’ll find a bunch of articles on it. Although someone else posted a newer one that I haven’t heard about so maybe that one’s worse. I would highly suggest that everyone put a freeze on your credit until you need to apply for something. Lots of identity theft happening since this occurred.
Gotta love the compilation releases. By their very nature, they will always have the next largest with even the smallest breach being added.
Someone who you’ve corresponded with over email had their address book compromised and it was used in a mass phishing email campaign. It’s not necessarily targeted at you. I actually have experience of this happening. I had an email address that I used only to correspond to a single person. I never gave the email to anyone else and never signed up for anything. Well that person’s email was compromised and I started getting spam/phishing emails shortly after that.
Doesn’t matter how careful you are if the people close to you with that information aren’t.
‘Why yes of course you can access my address book in order for me to play candy crush.’
One possibility is that you have a fairly common username part and a similarly common domain like, say, gmail.
There’s nothing stopping a spammer from taking existing addresses and word lists, then taking them apart and putting them together in different ways to make up completely new addresses to send spam to. It doesn’t matter if 99% of the addresses they make up don’t exist because they’re only interested in the 1% of the 1% of successes who will fall for their scam. They don’t even get the rejections because the From address is usually bogus too.
e.g. I bet whoever owns john dot smith at gmail gets a huge amount of spam whether he’s in any databases or not.