by arjvik 1253 days ago
This is a cute "hack" for bot detection, but it's too unpredictable for the real world. Far too many users with good security hygiene are penalized by this system.

Plus, this might incentivize hackers to defeat the system by logging into and using email accounts pwned in these breaches.

3 comments

> Plus, this might incentivize hackers to defeat the system by logging into and using email accounts pwned in these breaches.

This already happens at a large scale anyway.

There are hundreds, if not thousands, of "account shops" and sellers online selling hacked accounts for all sorts of services. Everything from Spotify to Twitter to news sites.

They ingest new breaches (or use automated tools to go hack sites and dump databases), and automatically test the leaked credentials against loads of shit using tools like OpenBullet or SentryMBA.

Those tools even integrate rotating proxies, captcha solvers, etc.

There are a few good talks on this, credential spraying and account shops.

I actually thought this was going to be the topic based on the title: distinguishing between entirely fake accounts, and pwned real accounts.

The only security hygiene that can stop your email from leaking is using a different address for literally every service you ever log into. This is of course possible with your own domain, but in practice totally infeasible for the vast majority of people.

Apart from iCloud, this is also available for Fastmail users as well, so no, it's not "totally infeasible for the vast majority of people".

I now do this with iCloud Hide My Email. It’s very easy to do.

I’ve started converting all my heritage details for already registered accounts.

I've been doing this for 6 years now. Every service, bank and even person gets a separate address.

Takes less than 2 minutes to create one with my paid mail provider.

On 2 occasions, I knew a system was compromised before an announcement because suddenly I was getting spam to the specific email address.
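The breach-canary practice described in the comments above (one alias per service, unexpected mail to an alias means it leaked) as an added example that is not from this thread; it assumes a hypothetical alias registry mapping each alias to the service domain it was issued to, with constructed sample traffic.

```python
# Added example (not from the HN thread): per-service email aliases as breach canaries.
# Assumes a hypothetical registry mapping each alias to the domain of the service it was
# issued to; any sender outside that domain is treated as a sign the alias has leaked.
from dataclasses import dataclass
from email.utils import parseaddr

# Hypothetical alias registry: alias -> domain of the service it was handed to.
ALIAS_REGISTRY = {
    "shop-2021@example.org": "shop.example",
    "bank-2019@example.org": "bank.example",
}

@dataclass
class Message:
    sender: str      # From header value
    recipient: str   # To header value (the alias)
    subject: str

def sender_domain(addr: str) -> str:
    """Domain part of a From header, lower-cased; empty if unparseable."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def is_canary_hit(msg: Message) -> bool:
    """True if msg reached a service-specific alias from an unrelated sender.
    The From header is attacker-controlled, so treat this as a triage signal,
    not as proof; the alias owner still decides whether to rotate it."""
    alias = parseaddr(msg.recipient)[1].lower()
    service = ALIAS_REGISTRY.get(alias)
    if service is None:
        return False  # not one of our aliases; nothing to judge
    dom = sender_domain(msg.sender)
    # Mail from the service itself or any of its subdomains is expected.
    return not (dom == service or dom.endswith("." + service))

def leaked_aliases(messages):
    """Set of registered aliases that received mail from an unrelated sender."""
    return {parseaddr(m.recipient)[1].lower() for m in messages if is_canary_hit(m)}

# Constructed sample traffic (not real mail).
SAMPLE = [
    Message("orders@shop.example", "shop-2021@example.org", "Your order"),
    Message("promo@cheap-pills.test", "shop-2021@example.org", "50% off"),
    Message("alerts@bank.example", "bank-2019@example.org", "Statement ready"),
    Message("no-reply@mail.bank.example", "bank-2019@example.org", "Login notice"),
]

if __name__ == "__main__":
    for a in sorted(leaked_aliases(SAMPLE)):
        print(f"alias {a} (issued to {ALIAS_REGISTRY[a]}) is receiving unrelated mail")
```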

Totally agree with this. It's cool to have this data but people using shared VPNs and unique emails will be penalized.