by pllbnk 4335 days ago
I have been wondering who leaked my address after I started getting the "E.N.L.A.R.G.E...Y.O.U.R....." spam exactly about a month ago.

Initially I thought that it might have been my fault for entering the email address where I shouldn't have. I am disappointed that such processes are even architecturally possible at Mozilla where internal data is exposed externally.

Also, this has raised a question. Almost everybody knows that passwords must be hashed and salted. But I haven't seen encrypted email addresses anywhere. Are there any strongly negative consequences to encrypting sensitive personal data in databases?

1 comments

I don't think encrypting an email address would create any issues. In fact, if I were to provide a service, I'd save the hashed email address for easy authentication (i.e. hash the email given during a login and compare with the hash you have) and one encrypted version of the email address so I can use it if needed (to inform the user or whatever).

I started getting a lot of spam about one month ago too and even emailed LastPass a bit angry. But this Mozilla incident could well be the cause of the spam...

The encrypted e-mail address has to be read somehow, so it's just as likely that an attacker gets the decryption key as the database itself (unless you use e.g. a hardware security module). That's probably good enough for e-mail addresses, but as you likely know, not acceptable for passwords.
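
The scheme discussed in the thread (a hash of the address for login lookup, plus an encrypted copy that can be read back), as an added example that is not code from any of the commenters. Assumptions: the lookup hash is keyed (HMAC-SHA256) because email addresses are guessable, the recoverable copy uses AES-GCM from the `cryptography` package, addresses are lowercased before hashing, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed demo keys. Assumption: in a deployment they live in a KMS or
# HSM, apart from the database, which is the point raised in the last reply.
INDEX_KEY = os.urandom(32)                      # keys the lookup hash
ENC_KEY = AESGCM.generate_key(bit_length=256)   # encrypts the readable copy

def normalize(email: str) -> bytes:
    # Assumption: addresses are matched case-insensitively at login.
    return email.strip().lower().encode("utf-8")

def blind_index(email: str, key: bytes = INDEX_KEY) -> str:
    """Keyed hash stored in the row; supports equality lookup only."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()

def seal(email: str, key: bytes = ENC_KEY) -> bytes:
    """AES-GCM with a fresh 12-byte nonce stored in front of the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, email.encode("utf-8"), b"email")

def unseal(blob: bytes, key: bytes = ENC_KEY) -> str:
    return AESGCM(key).decrypt(blob[:12], blob[12:], b"email").decode("utf-8")

def make_row(email: str) -> dict:
    # What the users table holds: no plaintext address.
    return {"email_idx": blind_index(email), "email_enc": seal(email)}

def find_row(rows: list, email: str):
    """Login lookup: hash the submitted address and compare with stored hashes."""
    probe = blind_index(email)
    for row in rows:
        if hmac.compare_digest(row["email_idx"], probe):
            return row
    return None

def readable_with(row: dict, key: bytes) -> bool:
    """Can a holder of this row and this key recover the address?"""
    try:
        unseal(row["email_enc"], key)
        return True
    except InvalidTag:
        return False
```

A dump of the rows alone yields neither the address nor a hash that can be checked against a guessed address list; anyone who also obtains `ENC_KEY` reads every address, which is why key placement decides how much the encryption buys.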