Hacker News
by red369 457 days ago
Someone signed up to Amazon with an email address of mine, and saved their credit card details.

I couldn’t get any attention from Amazon, and just got generic responses telling me I could reset my password, etc. In the end, I signed up to Amazon Prime, I think to test some reassurance they had given me - I wasn’t expecting it to work.

The email saying I had just accidentally made a purchase with someone else’s credit card got Amazon’s attention. I think they also gave me a telling off, which I thought was ridiculous.

Not long after, someone else signed up to Spotify with my email address too. I think it was a child/shared account or something. I spent a while trying to improve their music taste, but I think we both were suffering from the clash of algorithms because they cancelled it soon after.

I haven’t had any people reverse-hacking themselves for a while now.

2 comments

I thought about doing something mildly nefarious with someone's PayPal account that they added my address to, but didn't want to chance legal problems. Instead I just logged into their account and removed my email address and logged out.
PayPal is certainly trickier. I felt more comfortable testing with buying Amazon Prime through an Amazon account, because it would be easy for them to refund.

I assume I thought of trying to remove the email address! :) I sometimes forget they’re not necessarily the only identifiers, and some accounts let you use a mobile number instead. Probably there wasn’t a mobile on the profile.

It would be nice if all accounts used a username, and allowed you to not have an email or phone if you tick a box saying “I don’t care if I get locked out of this account forever if I forget the password”.

Email is probably important as a spam-prevention measure. Without the necessity of validating an email or a phone number, one can create an unlimited number of accounts.

One can of course create any number of emails from a server/domain they own, but that requires more skill.

You are probably technically violating the CFAA when you do this. Having your email address accidentally associated with the account isn't authorization.
Aren't they the ones violating CFAA? They made an account for GP then accessed it without authorization.
People make mistakes. Just because someone made a mistake isn't permission to commit a crime against them.
Accidentally signing up once is a mistake. One person signing up for products, credit cards, unemployment, medical bills, television services, payday loans, mortgages, jobs with my email address over a 6 year period isn’t a mistake. This is some middle-aged dude in middle America.
What gives you the confidence to say that it was a single individual and not just a common email name which lots of people accidentally used?
I get regular emails intended for my doppelgänger, and have for many, many years. I know her entire family by proxy—we’ve effectively moved through the same stages of life together, in parallel, across the globe. For a while I used to respond to the more important-seeming messages, but it’s more mailing lists now. She and I are very far away physically—and it’s hard to say whether she knows about me at all, as I don’t mess up the email address in our collective name…

Oddly enough I’m still not sure of her correct address, only those of her correspondents. And in some cases family members.

> What gives you the confidence to say that it was a single individual

Because you can see their first name and last name on the emails you receive.

It's not particularly likely to be tested for most types of online accounts, but if you told a judge that you thought the person had created an account for you to use, the judge would tell you to stop lying; they would not congratulate you on your clever argument.