Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is often times overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...
Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.
For a little more color for people unfamiliar with modern sales/marketing:
1. A user signs up to BrowserStack
2. BrowserStack (automatically) upload the submitted user’s information to Apollo
3. Apollo “enrich” the user’s details using information they already have about the person, e.g. company revenue, LinkedIn profile
4. Sales reps at BrowserStack use the enriched information to identify leads, bucket for marketing etc.
Apollo’s customer data sharing adds any information BrowserStack send to Apollo to the person’s profile with Apollo, accessible to all Apollo customers.
For example, any other Apollo customer can search something like “email addresses for decision makers at Example, Inc.” and get back a list including your email address (if you told BrowserStack you are a decision maker at Example, Inc.)
Every single marketing team is doing all of this, the only reason it was obvious in this case is that the OP used a unique email address for BrowserStack. If you sign up for any business product online, you surely have a profile in Apollo filled with details about you gathered from around the web (and details you submitted).
Maybe you'd have insight into something that happened to me recently:
I did a search (DDG, Chromium) for an Anker product line that I've been following. Clicked the link to Anker, skimmed, nothing new.
Then shortly I get an email from "Checkmate" with a promo offer.
I don't have an Anker account or whatever, don't recall signing in. I figure it's fingerprinting or cookies, but so far it's never been so overt.
I feel like this is an indicator of something, some sea change. Of needing to squeeze more water from the stone. My phone's been blowing up with spam calls since. I've been mysteriously added to email lists. I'm getting short-code text spam in addition to the regular spam, which when I report to 7726, AT&T basically tells me it's fine, it's paid for.
This may be a ploy to get me to turn the AI features back on in Gmail, but it feels like somewhere, lines have been crossed.
So I'm not disputing this, but I set up a similar scheme to the author almost 8 years ago and conduct 90+% of my online business through the custom emails. Everything from Amazon to small local business.
In that time I have had 'leaks' twice: my State's Fish and Wildlife licensing organ, and GitHub. In both cases I assume it's more that the email ends up being public, not because of something like Apollo.
I guess it's possible that spam is getting filtered before it ever hits my inbox.
Edit: I was responding to the idea of it leading to spam, not that Apollo wasn't collecting information on me.
For those curious: I signed up with Apollo and looked at what they had on me (via the link in the flagged/dead post by fontain). The email address they have is technically correct, but it's a non-current work email. It's still active and I do get a lot of senseless/bizarre business sales inquiries on that address. The phone number they have is wrong and I don't recognize it. They have my LinkedIn byline; it's likely how I was 'found' so quickly, as my username is the same there. I'm listed as cold.
I used to do the same until I got tired of it. The only two leaks I found were United Airlines and Gary Johnson, the Libertarian presidential candidate, who sold my email to the Scott Walker campaign (strongly confirming my suspicions that Republicans use libertarianism as a gateway drug).
I had never heard of Apollo, but I was interested so I followed your link to opt out.
I have had the same work email address for 13 years. I have done lots of hardware and software purchasing in that time, and I am never shy of using my work email to sign up for things and give to account managers etc. It is used on my Microsoft SSO, my Dell business account, my Slack account etc etc.
After I jumped through all their hoops to opt out, I got this email from them:
"We searched our records with your email: xxx@xxxxxx but could not find any information associated to it in our databases. We will keep your email: xxx@xxxxxx in our suppression list in order not to create any data associated with your email. "
So I guess they might not be as ubiquitous in their data capture as you may have thought? Or they are straight up lying.
Another way these companies get data is they have credits. It costs a credit for a salesperson to enrich the data of someone they're trying to contact. There are 2 ways to gain credits: 1 - cash; 2 - the salesperson installs a plugin in their inbox and it scrapes all contact info in the inbox.
ZoomInfo is the most aggressive about this.
re apollo: inbox scraping is what they're describing here [1]
> Apollo does leverage its large network of over 2 million contributors to improve the scope and accuracy of its database of business contact information and run verification checks that result in a better user experience for its entire customer base. Most of the data we collect from our Apollo users simply forms part of our verification system to check and confirm existing information in the Apollo database.
> After a brief discussion, the emailer told me they got my details from Apollo.io
The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.
LinkedIn got users to unwittingly share their entire contact list by signing into Gmail. What makes you think something similar wouldn't happen to some non-technical person on the sales team?
And my point is that it's pretty easy for people to accidentally do it, and this is corroborated by the available evidence, so we should apply Hanlon's razor rather than assuming someone at BrowserStack was laughing maniacally while uploading the email list.
> Only that businesses do things in the business's interest
That's not mutually exclusive with "someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications".
> more frequently than data breaches.
You're fighting against both Hanlon's razor and Occam's razor here. The OP states the leak came from Apollo, and as other commenters have noted, Apollo specifically has a "Contributor Network" that shares email lists with other companies, and isn't well documented. It's not hard to imagine how this was done unintentionally. On the other hand there's no evidence to suggest this was done intentionally, other than generic cynicism of "businesses do things in the business's interest" or whatever.
On the other hand it is always convenient to hide behind the "We big, careless, silly org, we no knows how to handle data.". If we apply too many razors, then they are just gonna cut our freedom away. At some size of organizations negligence becomes malicious, since they ought to have people knowing how stuff should be handled and they most likely ignore it.
What is more likely? Everyone at an organization's IT, sales and data protection department is incapable of doing their job, or someone doesn't give a damn, calculating, that preventing such things from happening costs too much?
You say this like it’s unusual. In my experience, sales is incentivized to only really care about closing deals. Everything else is often just a speed bump to them.
> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.
I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" are not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like service@custom.com, and that way when service@ starts receiving spam you know exactly where it comes from
^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.
Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.
I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).
Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.
Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.
I've had many incidents similar to the author. More often than not, it's a rogue employee or a compromised computer, but sometimes it is as nefarious as the author's story.
Wildcard email addresses will subject you to a torrent of spam when spammers try dictionary attacks against your domain. It's better to explicitly create aliases; I built a web UI for Postfix to do this for myself and family (https://GitHub.com/fazalmajid/postmapweb)
Oh boy, I had many of these conversations and especially non-technical people never grasp the concept. I had some cases where they demanded to change it and use a “real email like gmail!!”. One time I bought shoes and the store guy asked me the email to sign up for whatever, so I read the shoe’s name and added the custom domain; he gave me the look as if I am bullshitting him. Another at a government-connected agency and she thought “I work there because I have the agency email” despite it being the alias, not the domain.
But similar to OP, a few times I found the service is leaking my email, or they got compromised, who knew.
Yes, but service is too guessable, so append a randomly generated nonce as well, e.g. service_rjfh34@example.com. It doesn't need to be cryptographically random, just non-trivially guessable to prove the service is leaking email addresses.
I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.
As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?
Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.
iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.
Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.
True, and there has been a time or two where that has been inconvenient for me as well.
Initial account creation confirmation email, and maybe even some newsletters, were sent from noreply@ some domain. Responding to such an email address directly will likely either bounce or be silently dropped on their side, as indicated by them using noreply as the sender address.
The website might say to email support@ their domain. But because like you point out iCloud alias addresses cannot be used as sender when composing a new message, and I don’t have any past received emails from that address, I can’t email them using the same alias email address that I used to create an account.
And of course if the account belongs to jumping.carrot-1j@icloud.com and I instead send an email to them from a different sender address, then they will be sceptical about whether it really is the account owner trying to get in touch or some impostor. Assuming they don’t completely ignore the email on that grounds, you might eventually get support if you are able to either answer questions from them about past invoice amounts and dates or similar, or if they are willing to email the original account owner address from their support address. But it’s extra hassle, if they even bother to respond at all.
Fortunately most websites have a contact form or similar to get in touch with their support, but there are a few sites that have an email address as the only way to contact their support.
There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account with discrod@example.com. But a second later you will get an email that your account got banned.
What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is discord@xxx.com, and I am still receiving emails from them.
It happened to me when I created my account in 2025. Within seconds of verifying the address I got an email that my account was banned for a TOS violation. I then created a second account (within minutes from the same IP) only writing "dc" instead of "discord" and that worked. ¯\_(ツ)_/¯
> So unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, eg. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.
I use DuckDuckGo Email and it generates unique addresses that I can both receive emails (obviously) and reply to from that email. There's also an option to shutdown that address and never receive spam again.
It’s not. I give a unique email address to every service I register with, which means I can see who is leaking my email address. Very few of them leak my email address at all, and those that do tend to do so involuntarily through data breaches.
The other main factors in spam are the sleazeballs at Apollo, ZoomInfo, et al., services that use my email address internally for more than I consented (if I use my email address to register for a service, this does not permit that service to add me to their product mailing list), and the spammers who guess email addresses based on LinkedIn info (e.g. name + company domain).
Services that appear to take an email address I have given them and sell it appear to be extremely rare.
> but plenty will just sell everything to data brokers.
Again, "sell" implies that there's some company where they'll accept data from anyone and pay them for it, which so far as I can tell doesn't exist. That's not to say there's no selling going on. The fact that data brokers exist means they do, but that doesn't mean every business is in a position to "sell" data.
It's worth nothing. This is an online myth that marks out the user the way the sentence "Expert in JAVA, AWS, GCP, Oracle, and GIT" on a resume marks out the candidate.
I had the same thing happen with Compare The Market in the UK. I used two unique email addresses with them on two different domains and the same day both started receiving spam. I reported it to them and they don't care, because how do you prove it?
BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them.
I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?
I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.
I think most likely an attacker who has the customer data is using Claude to analyse it.
BrightData? Isn't that the Israeli firm formerly called Luminati that sells you shady "high quality residential IPs" that you can rotate to scrape the web?
There was a research paper several years ago showing that the "residential IP" stuff is powered by botnets and compromised devices. Luminati is specifically called out.
> Consent must be "freely given, specific, informed, and unambiguous."
and
> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.
Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.
In other words: yes, if you have a CRM then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!
So ultimately I think this is on both Browserstack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).
Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.
Sounds about right. Yes, I've been doing it for decades now and besides telling you who's selling email lists, it makes filtering much easier. Filtering by To: is pretty low effort compared to Bayesian spam filters etc. They get tossed in a Sieve filter as soon as they become a problem, and I'll send a bitch letter to the leaker with another random email address to see how dedicated they are to screwing me.
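As an added example that is not code from any commenter in this thread, the following Python script ties together the scheme discussed above: per-service aliases carrying a non-guessable tag (the nonce suggestion), attribution of unexpected mail to the service that leaked the alias, the phishing check (a bank writing to the dog-food alias), rejection of dictionary-style guesses against a catch-all domain, and the Sieve rule that drops mail to a burned alias. It assumes the domain example.com and constructed sample messages, and it swaps the commenter's stored random nonce for a keyed hash so the tag can be verified on receipt without a lookup table.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "example.com"  # assumption: the custom domain that receives the aliases
TAG_LEN = 6             # hex characters appended after the service name
SERVICE_RE = re.compile(r"[a-z0-9-]+")
ALIAS_RE = re.compile(r"([a-z0-9-]+)_([0-9a-f]{%d})" % TAG_LEN)


def _tag(service: str, secret: bytes) -> str:
    """Truncated HMAC-SHA256 of the service name under a private key.

    A keyed hash stands in for the commenter's random nonce: the tag is still
    not guessable from the naming pattern, but it can be recomputed on receipt
    instead of being looked up in a table of issued aliases.
    """
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(service: str, secret: bytes) -> str:
    """Per-service address of the form service_tag@DOMAIN."""
    service = service.lower()
    if not SERVICE_RE.fullmatch(service):
        raise ValueError("service name must be letters, digits or hyphens")
    return f"{service}_{_tag(service, secret)}@{DOMAIN}"


def classify(raw_message: str, secret: bytes, expected_senders: dict) -> tuple:
    """Label an inbound message by the alias in its To: header.

    Returns (verdict, service):
      legit          alias valid and the sender domain is one the service uses
      leaked         alias valid but the sender is unrelated: leak or phish
      forged-alias   service name fits our pattern but the tag does not verify
      unknown-alias  no such alias exists (catch-all dictionary spam, e.g. sales@)
      foreign        not addressed to our domain at all
    """
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    local, _, domain = to_addr.lower().partition("@")
    if domain != DOMAIN:
        return ("foreign", None)
    m = ALIAS_RE.fullmatch(local)
    if m is None:
        return ("unknown-alias", None)
    service, tag = m.groups()
    if not hmac.compare_digest(tag, _tag(service, secret)):
        return ("forged-alias", service)
    sender_domain = from_addr.lower().rpartition("@")[2]
    if sender_domain in expected_senders.get(service, set()):
        return ("legit", service)
    return ("leaked", service)


def sieve_discard_rule(alias: str) -> str:
    """Sieve (RFC 5228) rule that silently drops further mail to a burned alias."""
    return f'if address :is "to" "{alias}" {{\n    discard;\n    stop;\n}}\n'


# --- constructed sample data (not real keys, senders or messages) -------------
SECRET = b"private-key-kept-off-the-mail-server"
EXPECTED = {"dogfood": {"dogfood.example"}, "shoes": {"shoes.example"}}

_dog = alias_for("dogfood", SECRET)
_shoes = alias_for("shoes", SECRET)
_shoes_tag = _shoes.split("@")[0].rsplit("_", 1)[1]
_bad_tag = ("0" if _shoes_tag[0] != "0" else "1") + _shoes_tag[1:]  # guaranteed wrong

SAMPLES = {
    "legit": f"From: Dog Food <orders@dogfood.example>\nTo: {_dog}\nSubject: Your trial\n\nWoof.\n",
    "leaked": f"From: Bank Alerts <alerts@bank.example>\nTo: {_dog}\nSubject: Verify your account\n\nClick here.\n",
    "dictionary": f"From: promo@spam.example\nTo: sales@{DOMAIN}\nSubject: Offer\n\nBuy now.\n",
    "forged": f"From: promo@spam.example\nTo: shoes_{_bad_tag}@{DOMAIN}\nSubject: Offer\n\nBuy now.\n",
    "foreign": f"From: promo@spam.example\nTo: someone@other.example\nSubject: Offer\n\nBuy now.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, service = classify(raw, SECRET, EXPECTED)
        print(f"{name:10s} -> {verdict:13s} {service or ''}")
        if verdict == "leaked":
            print(sieve_discard_rule(_dog), end="")
```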
> For all their faults, Amazon don't seem to have leaked anything of mine.
Selling email lists is business. Not selling email lists is, in some cases, much smarter, much more hard-nosed business, and is exactly what you would expect from Amazon.
When your only product is email addresses, you will sell them to anybody trying to sell other shit.
When you sell all the possible kinds of shit in the world, why on earth would you enable your competitors by giving them any form of access to your customer list?
Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.
Hey.com works that way. You have to approve new senders before they can reach your inbox. And you can always revoke their permission to message you.
I'd like to see that concept replicated to other email services. I don't particularly like all the other opinionated choices of Hey.com (especially the fact that you can't use IMAP).
edit: https://www.apollo.io/privacy-policy/remove opt out link but Apollo are just one of many companies offering this service
As far as you know
Hopefully in the near future:
5. BrowserStack gets hit by a massive GDPR fine.
6. BrowserStack contests the fine for a couple of years, not paying a euro cent
7. People just remember 'BrowserStack got hit by a massive fine'
8. Everyone carries on with business as usual
And the sad thing is, I can guarantee this thread alone will be great marketing for Apollo and they will gain a pile of new enquiries Monday morning.
[1] https://knowledge.apollo.io/hc/en-us/articles/20727684184589...
> not realizing the privacy implications.
If only.
My point is I don't think one bit of this is accidental.
I made no such assertion. Only that businesses do things in the business's interest more frequently than data breaches.
Working in sales but not being able to handle customer data responsibly (for whatever reason). Not a good look.
> up "oh, do you work at <company> too"?
Oh boy, I had many of these conversations and especially non-technical people never grasp the concept. I had some cases where they demanded to change it and use a “real email like gmail!!”. One time I bought shoes and the store guy asked me the email to sign up for whatever, so I read the shoe’s name and added the custom domain; he gave me the look as if I am bullshitting him. Another at a government-connected agency, and she thought “I work there because I have the agency email” despite it being the alias, not the domain.
But similar to OP, a few times I found the service is leaking my email, or they got compromised, who knew.
I am more specific: if I start receiving pornographic spam like I did to the address I gave Dell, I will know they have been hacked.
I will also not hold my breath waiting for the legally required breach notification they are supposed to send.
Take it a step further and do uuid@
Yes, but service is too guessable, so append a randomly generated nonce as well, e.g. service_rjfh34@example.com. It doesn't need to be cryptographically random, just non-trivially guessable to prove the service is leaking email addresses.
I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.
As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?
Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.
Of course. I use Firefox Relay to generate a unique email address for every site where I have to use an email. That method hasn't failed me so far.
iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.
Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.
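The three mechanics discussed in this thread (services "de-aliasing" +tags, a per-service alias with a random nonce, and the catch-all dictionary spam at joe@/sales@) in one small script. This is an added example, not code from any commenter; the domain, service names and the assumption that a service canonicalizes by stripping "+tag" (and dots for Gmail-style providers) are constructed for the illustration.

```python
import secrets
import string
from typing import Dict, Optional, Tuple

# Constructed example: an "alias book" for per-service addresses on a domain
# you control. Names, domain and provider behaviour are assumptions.


def canonicalize(address: str) -> str:
    """Approximate the de-aliasing a service may apply before deduplicating
    accounts: lowercase, drop a '+tag' from the local part and, for Gmail-style
    providers, ignore dots. Two addresses that canonicalize to the same string
    are the same inbox from the service's point of view, so a '+site' tag is
    not a unique identity (assumed provider behaviour, not a spec)."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def make_alias(service: str, domain: str, nonce_len: int = 6, rng=secrets) -> str:
    """Build service_<nonce>@domain. The nonce only has to be hard enough to
    guess that mail to the bare 'service@' is provably a guess, while mail to
    the full alias is provably a copy of what you handed out."""
    alphabet = string.ascii_lowercase + string.digits
    nonce = "".join(rng.choice(alphabet) for _ in range(nonce_len))
    return f"{service}_{nonce}@{domain}"


class AliasBook:
    """Records which alias went to which service and classifies inbound mail
    by its recipient address (the To: header in the catch-all inbox)."""

    def __init__(self, domain: str, rng=secrets):
        self.domain = domain.lower()
        self.rng = rng
        self.aliases: Dict[str, str] = {}  # alias -> service it was given to

    def register(self, service: str) -> str:
        alias = make_alias(service.lower(), self.domain, rng=self.rng)
        self.aliases[alias] = service.lower()
        return alias

    def attribute(self, recipient: str) -> Tuple[str, Optional[str]]:
        recipient = recipient.strip().lower()
        local, _, domain = recipient.rpartition("@")
        if domain != self.domain:
            return ("foreign", None)
        if recipient in self.aliases:
            # Only the service (or whoever obtained the address from it) knows
            # this exact alias: an unexpected sender here implicates that service.
            return ("alias", self.aliases[recipient])
        base = local.split("_", 1)[0]
        if base in self.aliases.values():
            # Bare 'dell@' or 'dell_xxxxxx@' with the wrong nonce: someone
            # guessed the naming pattern, and the nonce did its job.
            return ("guessed", base)
        # joe@, sales@, admin@ ...: catch-all dictionary noise, no service implicated.
        return ("dictionary", None)


if __name__ == "__main__":
    book = AliasBook("example.com")
    dell = book.register("dell")
    print("gave Dell:", dell)
    for rcpt in (dell, "dell@example.com", "sales@example.com"):
        print(rcpt, "->", book.attribute(rcpt))
    print(canonicalize("First.Last+shop@Gmail.com"), "==", canonicalize("firstlast@gmail.com"))
```

The "guessed" verdict is what separates a real leak from pattern-guessing: without the nonce, mail to dell@ proves nothing, because anyone who knows the scheme can derive it. With the nonce, only the exact alias is evidence.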
The downside of such iCloud aliases is that you cannot send emails from there (you can only reply to emails, and ofc receive emails)
True, and there has been a time or two where that has been inconvenient for me as well.
Initial account creation confirmation email, and maybe even some newsletters, were sent from noreply@ some domain. Responding to such an email address directly will likely either bounce or be silently dropped on their side, as indicated by them using noreply as the sender address.
The website might say to email support@ their domain. But because like you point out iCloud alias addresses cannot be used as sender when composing a new message, and I don’t have any past received emails from that address, I can’t email them using the same alias email address that I used to create an account.
And of course if the account belongs to jumping.carrot-1j@icloud.com and I instead send an email to them from a different sender address, then they will be sceptical about whether it really is the account owner trying to get in touch or some impostor. Assuming they don’t completely ignore the email on that grounds, you might eventually get support if you are able to either answer questions from them about past invoice amounts and dates or similar, or if they are willing to email the original account owner address from their support address. But it’s extra hassle, if they even bother to respond at all.
Fortunately most websites have a contact form or similar to get in touch with their support, but there are a few sites that have an email address as the only way to contact their support.
I just do <website>@<myhost.tld>. It is sometimes confusing when interacting with customer support ;-)
Yes ma'am, my email address really is bofa.com@<optionoft's-lastname>.com
No I'm not trying to hack you.
Which in hindsight is also what a hacker would say. I can't win...
On top of it my email address is .me, so it is very common that when I finish spelling my e-mail, people are waiting for .com
Where, of course, 'bofa' is merely short for 'bofetada.'
There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account with discrod@example.com. But a second later you will get an email that your account got banned.
They know their way around IT security! /s
What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is discord@xxx.com, and I am still receiving emails from them.
It happened to me when I created my account in 2025. Within seconds of verifying the address I got an email that my account was banned for TOS violation. I then created a second account (within minutes from the same IP) only writing "dc" instead of "discord" and that worked. ¯\_(ツ)_/¯
Apparently they (unlike other entities I've dealt with) did not go back and review all of the existing, valid email addresses in their user database.
It's always an unpleasant surprise when some company terminates a years-old, active and valid account because of a stupid policy change on their part.
I had one website forward my mail to their legal department who asked me why I’m impersonating them :D Only required a short explanation though.
I often get asked whether I'm a fellow employee.
I have an account just like that at Best Buy with my domain. The teenage cashier I gave it to thought it was cool.
> So unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, e.g. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.
edit:
[1] ie. in this very thread
I use DuckDuckGo Email and it generates unique addresses that I can both receive emails (obviously) and reply to from that email. There's also an option to shutdown that address and never receive spam again.
I personally do x@mydomain.com. It makes it very obvious when you start getting spam (I’m looking at you dji).
> BrowserStack routinely sell or give away their users' data.
> A third-party service used by BrowserStack siphons off information to send to others.
> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.
Or the simpler answer, their db/email list has been compromised.
> > BrowserStack routinely sell or give away their users' data.
> Or the simpler answer, their db/email list has been compromised.
I find the first option far simpler.
The simplest answer is they are voluntarily being scum and selling user data to make a quick buck. It’s almost universally true.
> It’s almost universally true.
It’s not. I give a unique email address to every service I register with, which means I can see who is leaking my email address. Very few of them leak my email address at all, and those that do tend to do so involuntarily through data breaches.
The other main factors in spam are the sleazeballs at Apollo, ZoomInfo, et al., services that use my email address internally for more than I consented (if I use my email address to register for a service, this does not permit that service to add me to their product mailing list), and the spammers who guess email addresses based on LinkedIn info (e.g. name + company domain).
The number of services who appear to take an email address I have given them and sell it appear to be extremely rare.
If you don't mind, what kind of unique email address do you use and how do you manage all the aliases?
I do the same, and seem to have a much higher hit rate (or a much lower acceptable baseline!)
>and selling user data to make a quick buck
Are there actually companies that will pay you $$$ for a list of emails?
Not exactly, but plenty will just sell everything to data brokers.
>but plenty will just sell everything to data brokers.
Again, "sell" implies that there's some company where they'll accept data from anyone and pay them for it, which so far as I can tell doesn't exist. That's not to say there's no selling going on. The fact that data brokers exist means they do, but that doesn't mean every business is in a position to "sell" data.
It's worth nothing. This is an online myth that marks out the user the way the sentence "Expert in JAVA, AWS, GCP, Oracle, and GIT" on a resume marks out the candidate.
My boss has paid many people for lists of email addresses in the past.
I'm pretty sure he is not a mythical being!
I had the same thing happen with Compare The Market in the UK. I used two unique email addresses with them on two different domains and the same day both started receiving spam. I reported it to them and they don't care, because how do you prove it?
BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them.
I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?
I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.
I think most likely an attacker who has the customer data is using Claude to analyse it.
Brightdata? Isn't that the Israeli firm formerly called Luminati that sells you shady "high quality residential IPs" that you can rotate to scrape the web?
Yes, that's the one. Their residential IPs service is one of the best ones, but their "ethically sourced proxies" claim seems dubious at best.
There was a research paper several years ago showing that the "residential IP" stuff is powered by botnets and compromised devices. Luminati is specifically called out.
Paper: https://xianghang.me/files/resi_paper.pdf Medium Article: https://medium.com/@xianghangmi/resident-evil-understanding-...
Historically, their residential proxies came from backdoored proxies of HolaVPN users.
Yes. Their hosted browser service is one of the best ones out there.
Now I remember these scumbags. Hijacked HolaVPN I think.
Thank you for naming and shaming the company.
Selected quotes from Apollo's GDPR page:
> Consent must be "freely given, specific, informed, and unambiguous."
and
> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.
https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...
Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.
In other words: yes, if you have a CRM then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!
So ultimately I think this is on both Browserstack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).
Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.
Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?
https://en.wikipedia.org/wiki/Canary_trap
Sounds about right. Yes, I've been doing it for decades now and besides telling you who's selling email lists, it makes filtering much easier. Filtering by To: is pretty low effort compared to Bayesian spam filters etc. They get tossed in a Sieve filter as soon as they become a problem, and I'll send a bitch letter to the leaker with another random email address to see how dedicated they are to screwing me.
How is this possible for any normal person with a work provided 365 account?
You can use the +label method on M365 work accounts, like first.last+label@workdomain.com
Outlook rules can match on them too.
Is the _very big_ company Amazon, I wonder.
(OP here) Nope! For all their faults, Amazon don't seem to have leaked anything of mine. Yet.
> For all their faults, Amazon don't seem to have leaked anything of mine.
Selling email lists is business. Not selling email lists is, in some cases, much smarter, much more hard-nosed business, and is exactly what you would expect from Amazon.
When your only product is email addresses, you will sell them to anybody trying to sell other shit.
When you sell all the possible kinds of shit in the world, why on earth would you enable your competitors by giving them any form of access to your customer list?
This is beyond outrageous. And the data leak angle they’re pushing doesn’t make sense either.
Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.
I don’t know how to stop it
Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
Cheers mate, I appreciate it.
Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
And BrowserStack either doesn't know this or knows this and isn't telling. Still bad, in my opinion.
Accuracy matters. Pizzas and tires are both round, but you do different things with them.
We need anonymous phone numbers
Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)
Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites
(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)
Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
Hey.com works that way. You have to approve new senders before they can reach your inbox. And you can always revoke their permission to message you.
I'd like to see that concept replicated to other email services. I don't particularly like all the other opinionated choices of Hey.com (especially the fact that you can't use IMAP).
This sounds to me like a normal black/white list, but everything is on the blacklist by default.
I imagine this can be achieved with most mailboxes with a simple deny all rule and then cherry picking email addresses to whitelist.
Just wait till OP learns about Accurint!
Browserstack is Indian I believe. They will do anything for money, so of course they will sell it to email spam lists.