this post was submitted on 15 Nov 2025
30 points (61.7% liked)

Privacy


Proton is considering recycling old email addresses that still receive misdirected mail and appear in breach data, raising serious privacy concerns.

top 31 comments
[–] popcar2@programming.dev 52 points 6 days ago* (last edited 6 days ago) (1 children)

What a stupid, nothingburger article.

> The company is considering releasing millions of old email addresses that were originally created by bots in its early years. These accounts were disabled almost immediately, but the addresses lived on. [...] The problem is that many of these addresses are extremely common.

So what? The author rambles about the horrors of getting emails from people who have accidentally written in a generic email handle. It's not a huge deal. Tons of people using other email services like Outlook and Gmail also have generic usernames, it's a user's choice on whether to get one or not. These are old bot accounts that have been disabled for almost a decade, so it's not like somebody would send emails assuming it was the old person using the handle.

> Proton says it wants community feedback, which is good, but the fact that it is even considering such a reckless idea makes me question the company’s judgment.

"I'm mad that the company is surveying their community", great argument.

[–] Jason2357@lemmy.ca 11 points 6 days ago (2 children)

I have never heard of an email provider that will hold your address for you forever, paid or free. This post makes no sense.

[–] Dionysus@leminal.space 13 points 6 days ago (1 children)

That's how Gmail worked. Things never got released, once a username is taken it's gone.

[–] Jason2357@lemmy.ca 1 points 5 days ago

TIL. Thanks.

[–] shalafi@lemmy.world 2 points 5 days ago* (last edited 5 days ago)

My Hotmail and Yahoo! accounts from the late 90s are still good and I don't touch them but maybe once every year or two.

[–] BroBot9000@lemmy.world 27 points 6 days ago

Ai Slop and FUD 🤮

[–] notreallyhere@lemmy.world 18 points 6 days ago (1 children)
[–] LodeMike@lemmy.today 4 points 5 days ago

Yeah...

No one is going to take your article seriously if you don't.

[–] truthfultemporarily@feddit.org 9 points 6 days ago (1 children)

Get your own domain, it's really cheap.

[–] MigratingApe@lemmy.dbzer0.com 16 points 6 days ago (2 children)

One slip-up and the same will happen to your custom domain - someone will snatch it and get all your email addresses. This is what I am terrified about, sometimes life gets busy, you will miss the domain renewal and bye bye.

[–] Egonallanon@feddit.uk 16 points 6 days ago (1 children)

You can set up automatic renewals for domains.

[–] cRazi_man@europe.pub 9 points 6 days ago (1 children)

Or pay for very many years in one go and not have to worry about renewals. Just make sure you put it on your calendar to renew again before 10 years.

You get many warnings and the domain will be on hold after expiry so you can get it back.

[–] bitcrafter@programming.dev 6 points 5 days ago

I am confused about how this differs significantly from someone mistyping their e-mail address so that they end up instead typing in someone else's active e-mail address, because in both cases e-mails get sent to the wrong person.

[–] phoenixz@lemmy.ca 5 points 5 days ago

nerds.xyz

A great source of information if I ever saw one!

[–] atopi@piefed.blahaj.zone 3 points 5 days ago

I usually don't like to criticize art since there was real effort put by real people in it, but that doesn't apply to AI generated images

This may be the most confusing, uninformative, boring image for an article I have ever seen

[–] scholar@lemmy.world 1 points 6 days ago* (last edited 6 days ago) (2 children)

I'm sure Proton would clear the inboxes before making the addresses available, so there's no risk of seeing legitimate mail meant for someone else.

In terms of misdirected mail there are two types:

  1. Mistyped email addresses
    where a user has made a typo when entering their email somewhere
  2. Randomly typed email addresses
    where a user entered a random email when signing up for a service they didn't care about

Both of these can affect any existing email address (so Proton's plans make no difference), and only type 1 could be a privacy risk.

Email addresses aren't secret, nor are they personally identifiable (unless they contain your name or are linked with other personal information) so I don't see a problem here.

[–] Cris_Color@lemmy.world 19 points 6 days ago (2 children)

Wouldn't the security risk be that if someone thinks the old user is still using that email address, or forgets, they may mistakenly send sensitive info to the person who now has the address...?

Am I missing something?

[–] scholar@lemmy.world 10 points 6 days ago (1 children)

The previous owners were bots and the accounts were deactivated by Proton shortly after registry

[–] Cris_Color@lemmy.world 2 points 5 days ago

Thank you for correcting me :)

[–] popcar2@programming.dev 8 points 6 days ago (1 children)

Have you read the article? These are old bot accounts that have been disabled for almost a decade. It's in the very first line.

[–] Cris_Color@lemmy.world 3 points 5 days ago* (last edited 5 days ago)

Nope, I didn't, thank you for correcting me :)

I'm a lot better about reading the article than I used to be but sometimes I still don't and just wanna chat about stuff with folks, and in this case that's my bad

[–] example@reddthat.com 10 points 6 days ago* (last edited 6 days ago) (1 children)

> I'm sure Proton would clear the inboxes before making the addresses available, so there's no risk of seeing legitimate mail meant for someone else.

this is just completely wrong. obviously Proton wouldn't grant access to existing mails, but the new owner of the address will still receive new emails intended for the previous owner. this is where the main risk lies.

there are most likely accounts with various services attached to these email addresses. you can discover some via data breaches, some via emails they send to you, and some you might discover via trial and error. it might even just be a service telling you that an account already exists when you try to sign up.

combine that with most services allowing account recovery by just using email, even for the services without publicly leaked passwords, you will be able to easily recover access to the accounts and in many cases get access to sensitive information.

[–] scholar@lemmy.world 4 points 6 days ago* (last edited 6 days ago) (1 children)

The previous owners were bots and the accounts were deactivated shortly after registry

[–] example@reddthat.com 2 points 5 days ago

granted, that reduces the risk of real sensitive information being attached to linked accounts, but i'd still not be surprised if there are some accounts attached to them elsewhere if they didn't get banned prior to receiving their first email.

i gotta admit i didn't read the source earlier though, and i agree with your points in general for bot accounts if they have been banned before being used.
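
The risk discussed in this sub-thread (recovery mail reaching an address whose owner has changed) is the case RFC 7293's `Require-Recipient-Valid-Since` header was written for. The sketch below is an added example, not code from any commenter or from Proton, showing the receiving-side check. The ownership table, addresses and sample messages are constructed, and the thread does not say whether any given provider honours the header.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed data: when the *current* owner took over each recycled mailbox.
OWNER_SINCE = {"alex@mail.example": datetime(2025, 12, 1, tzinfo=timezone.utc)}

def parse_rrvs(msg):
    """Map address -> date the sender last confirmed who owned it."""
    out = {}
    for value in msg.get_all("Require-Recipient-Valid-Since", []):
        addr, sep, date = value.partition(";")
        if not sep:
            continue  # malformed field: no "; date" part
        try:
            when = parsedate_to_datetime(date.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: treat as no assertion
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        out[addr.strip().lower()] = when
    return out

def delivery_decision(raw_message, rcpt):
    """Return 'reject' if the mailbox changed hands after the sender's date."""
    rcpt = rcpt.lower()
    required = parse_rrvs(message_from_string(raw_message)).get(rcpt)
    owner_since = OWNER_SINCE.get(rcpt)
    if required is None or owner_since is None:
        return "deliver"  # no assertion made, or address was never recycled
    return "reject" if owner_since > required else "deliver"

# Constructed messages: a reset mail from a service that verified the address
# in 2019 (before recycling), one verified in 2026 (after), and one without
# the header at all.
RESET_OLD = (
    "From: noreply@shop.example\nTo: alex@mail.example\n"
    "Require-Recipient-Valid-Since: alex@mail.example; "
    "Tue, 12 Mar 2019 10:00:00 +0000\n"
    "Subject: Password reset\n\nReset link follows.\n"
)
RESET_NEW = RESET_OLD.replace("Tue, 12 Mar 2019 10:00:00",
                              "Thu, 15 Jan 2026 08:30:00")
NO_HEADER = "From: a@b.example\nTo: alex@mail.example\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("old", RESET_OLD), ("new", RESET_NEW), ("none", NO_HEADER)]:
        print(name, delivery_decision(raw, "alex@mail.example"))
```

The check only helps when the sending service records a verification date and adds the header; mail without it is delivered as usual.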