This time, my email identity thief created an account using my email address at support.mozilla.com. I received email from the site in French asking me to confirm my email address.
I’ve reset the password on the account to prevent him from using it, but I can’t log into the account to see what profile information he specified or what he did on the site, because the site provides no way to recover a lost username. I’ve contacted firstname.lastname@example.org and asked them to provide me with the username as well as information from their logs about who created this account.
They’re a bit more likely to be willing to help than Skype, given that (a) they’re a collaborative, open-source organization and (b) I have an ongoing relationship with Mozilla, having submitted several core and Thunderbird patches and been nominated as a “Friend of the Tree”.
I’ve asked them at the very least, if they’re unwilling or unable to provide me with the username, to delete the account, since I don’t want accounts created by other people using my email address on sites all over the internet.
Hey, I’ve been enjoying your blog greatly.
My best guess on this guy:
Legitimate Senegalese with sporadic access to someone else’s or community computer. Poor computer literacy. Basically just hacking stuff into the internet as a game.
I don’t think he thinks he has anything to gain; I think he thinks he’s already winning because he figured out your email gets him past the first step at certain websites. The places he’s hit would be the websites you’d hear about even with little exposure to computers: Google and Skype.
Probably not a threat, but there’s probably not much you can do about the nuisance either.
Thanks for your comment.
I suppose that’s possible, but the Starwood incident described in my first posting on this topic seems just too bizarre to fit your explanation.
Furthermore, that posting also describes how the identity thief used my email address as the recovery address when creating a Gmail account, but the recovery address is optional. He didn’t have to specify any recovery address at all when creating the account, and the fact that he did so allowed me to take it over.
I suppose you’re right that both of these could in fact be explained as nothing more than extreme cluelessness, but somehow that explanation just doesn’t seem convincing to me. Not that I’ve got a better one, mind you.
Thanks again for commenting!
If you’d have trashed the confirmation email his account wouldn’t have been confirmed and he couldn’t use it? Isn’t that the way it normally works? You could have put the email into a separate folder, “id thefts” or so, for keeping. Is it possible it is just a typo from someone with a similar email, but let’s say a different domain suffix, mindlessly typing the wrong suffix? Main point being, by actually acting on the email you might have enabled the very account you don’t want to exist.
“If you’d have trashed the confirmation email his account wouldn’t have been confirmed and he couldn’t use it?”
Immediately after I clicked the confirm link, I clicked the “reset password” link and changed the password on the account, so no, he can’t use it.
“Is it possible it is just a typo from someone with a similar email, but let’s say a different domain suffix, mindlessly typing the wrong suffix?”
Do you think that “email@example.com” is an easy address to confuse with another one?