[drdexebtjl]

WHOIS isn't a factor here. If an attacker knows or deduces that you're the only individual receiving mail at *@yourdomain.example [1], they can track you across different databases by just looking for your domain name.

The privacy preserving aspect of hide-my-email services is the fact that they have thousands of users using the same domain name.

[1]: This is trivial if you have a service's email database leak. You just find all domains that have exactly one user. If the service targets individuals (who would sign up with personal emails, not work emails) and is reasonably popular, you'll get a pretty good list of single-user domains.

[drnick1]

> If an attacker knows or deduces that you're the only individual receiving mail at *@yourdomain.example [1], they can track you across different databases by just looking for your domain name.

How would that attacker gain access to such databases? Let's say HN is compromised and my email here, say hn@mydomain.com, is leaked. How does that help you track me elsewhere? If I start receiving spam at hn@mydomain.com because of the leak, I will simply revoke the alias and the spam will bounce.

[KomoD]

> How would that attacker gain access to such databases?

Data breaches happen all the time.

Some services also expose emails, intentionally or unintentionally. Github is one example where your email might be exposed publicly.

> How does that help you track me elsewhere? If I start receiving spam at hn@mydomain.com because of the leak, I will simply revoke the alias, and the spam will bounce.

Because, as parent said, if someone deduces that you are the only user of mydomain.com, they can just search leaked or exposed records for @mydomain.com and infer that the accounts most likely belong to the same person.

That's the difference, with hide my email millions of unrelated people share the same domain, so you can't reliably link one email to another just based on the domain.