
Gaining Info On Tech Execs With Just Their Email

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."
This discussion has been archived. No new comments can be posted.

  • by jeffmeden ( 135043 ) on Wednesday August 15, 2012 @11:10AM (#40997065) Homepage Journal

    Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

    Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

  • by omnichad ( 1198475 ) on Wednesday August 15, 2012 @11:10AM (#40997075) Homepage

    Sending the verification email at this step before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

    That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.
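
The email-first registration flow described in the two comments above, as an added sketch that is not code from the thread or from any site it mentions. The account store, outbox, `example.invalid` URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

SECRET = secrets.token_bytes(32)        # signing key, generated per process here
BASE_URL = "https://example.invalid"    # placeholder site (assumption)
GENERIC_PAGE = "Please check your email for registration info."
registered = {"ceo@corp.example"}       # constructed sample account store
outbox = []                             # stands in for a real mail queue


def make_token(email: str, purpose: str, ttl: int = 3600) -> str:
    """Expiring token bound to one address and one purpose."""
    expires = str(int(time.time()) + ttl)
    msg = f"{purpose}|{email}|{expires}".encode()
    return f"{expires}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def verify_token(email: str, purpose: str, token: str) -> bool:
    """Reject malformed, expired, or wrong-purpose tokens."""
    try:
        expires, sig = token.split(".", 1)
        if int(expires) < time.time():
            return False
    except ValueError:
        return False
    msg = f"{purpose}|{email}|{expires}".encode()
    good = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), good.encode())


def start_registration(email: str) -> str:
    """First sign-up step: the web response never depends on account state."""
    email = email.strip().lower()
    if email in registered:
        purpose, text = "reset", "You're already registered. If this wasn't you, someone else entered your address."
    else:
        purpose, text = "signup", "Continue creating your account."
    # Mail is queued on both branches, so the page and the work done match.
    link = f"{BASE_URL}/{purpose}?email={quote(email)}&token={make_token(email, purpose)}"
    outbox.append({"to": email, "purpose": purpose, "body": f"{text}\n{link}"})
    return GENERIC_PAGE
```

Only the mailbox owner learns whether the address already has an account; the password is chosen after the emailed link is followed, so the token check is what gates the next step.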

  • by KhabaLox ( 1906148 ) on Wednesday August 15, 2012 @01:33PM (#40998975)

    You don't have to create extra email addresses with Gmail. You can use periods or '+' to create custom email addresses [blogspot.com] that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.
