this post was submitted on 15 Nov 2025
30 points (61.7% liked)

Privacy

4076 readers
301 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Ategon@programming.dev
danielintempesta@programming.dev
30
Proton might recycle abandoned email addresses and the privacy risks are terrifying (nerds.xyz)
submitted 3 months ago by Blaze@piefed.zip to c/privacy@programming.dev
30 comments fedilink hide all child comments
 

Proton is considering recycling old email addresses that still receive misdirected mail and appear in breach data, raising serious privacy concerns.

you are viewing a single comment's thread
view the rest of the comments
[–] example@reddthat.com 10 points 3 months ago* (last edited 3 months ago) (1 children)

I'm sure proton would clear the inboxes before making the addresses available, so there's no risk of seeing legitimate mail meant for someone else.

this is just completely wrong. obviously Proton wouldn't grant access to existing mails, but the new owner of the address will still receive new emails intended for the previous owner. this is where the main risk lies.

there are most likely accounts with various services attached to these email addresses. you can discover some via data breaches, some via emails they send to you, and some you might discover via trial and error. it might even just be a service telling you that am account already exists when you try to sign up.

combine that with most services allowing account recovery by just using email, even for the services without publicly leaked passwords, you will be able to easily recover access to the accounts and in many cases get access to sensitive information.

[–] scholar@lemmy.world 4 points 3 months ago* (last edited 3 months ago) (1 children)

The previous owners were bots and the accounts were deactivated shortly after registry

[–] example@reddthat.com 2 points 3 months ago

granted, that reduces the risk of real sensitive information being attached to linked accounts, but i'd still not be surprised if there are some accounts attached to them elsewhere if they didn't get banned prior to receiving their first email.

i gotta admit i didn't read the source earlier though, and i agree with your points in general for bot accounts if they have been banned before being used.