Case study: anonymizing email addresses for online accounts

October 14, 2024

Introduction

In this article I recount my journey to making my online life more private and secure by anonymizing my email addresses at hundreds of websites and how I made the problem more doable. Before that I explain why this is something you might want to do and what general approaches exist. If you already know all that and just want to read the nuts and bolts of what I did, you can skip ahead. I discuss there not only my specific approach, but also some interesting statistics, and some stories of sites that are particularly bad at letting users solve this problem.

The problem

One of the most nefarious problems privacy- and information-security-conscious people deal with on the internet is that most sites you log into want your email address. Sharing your address with many websites has many negative impacts, including:

  • Each site you share your address with can use it to query data brokers with dossiers about you, giving the site more information about you than you would prefer they have.
  • In the other direction, sites can sell your information to data brokers, who incorporate it into their dossier about you, using your email address as an identifier.
  • Sites often sell or lease their user lists to other sites for marketing purposes, i.e., the more sites you share your address with, the more spam you get. And, of course, there’s no way of knowing which site gave your address to each spammer.
  • Once your email address has been compromised by the bad kind of spammers, i.e., the ones who don’t offer a working unsubscribe, there’s no way to stop them from spamming you.
  • Hackers can use your email address as a unique key when matching up data from different data breaches, enabling them to build an extensive profile about you from all the information you’ve shared with all of those sites.
  • Since your email address is often your username for logging into a site, once your email address is compromised, hackers can try using it to log into other sites as you. This is especially dangerous if, like so many people, you ignore good security hygiene and use the same password for multiple sites.
  • Since we use our email addresses all over the place, they’re virtually impossible to change because they’ve become awash in too much garbage or just because you want to move to a different email provider.

A partial solution: tagged addresses

Many email service providers allow you to add some amount of arbitrary text after your username, most commonly separated from your username by “+” but sometimes by other characters. This technique is called “plus addressing” or “sub-addressing”. You can use this capability to make the addresses you give to different websites unique while still receiving the emails they send you.

For example, if your email address is john@example.com and you’re creating an account at widgets.com, you might give that site the email address “john+widgets@example.com”. Or, if you use a password manager, you might just use random strings after the “+” and store them in the password manager so you know which randomly generated email addresses you gave to which sites.

This has a number of benefits, including:

  • If you receive emails sent to a sub-address from anyone other than the site you gave it to, then you know either they sold your info or they’re the victim of a security breach, and you can raise the issue with them (or your friendly neighborhood infosec reporter) and see what they have to say for themselves.
  • If your email provider supports filters, then if a sub-address for a site is compromised you can change your address on the site to a new sub-address and then create a filter to mark all messages sent to the old sub-address as spam.
  • Dumb hackers and data brokers won’t associate different sites with you based on email address, though to be honest, by now most hackers and data brokers have probably figured out to strip off everything after the “+” when using email addresses to match up people’s profiles from different sites. You may be able to make this more robust by using a different separator character if your email provider supports that.
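The leak check described in the first bullet above, and the normalization caveat in the third, as an added example (this is not code from the article): given the tag you handed to each site, classify each inbound message by whether its sender matches the site that was given the tag. The mailbox `john@example.com`, the `+` separator, the tag registry and the sample messages are all constructed for the example; in practice the tag-to-site mapping lives in your password manager.

```python
from collections import defaultdict
from email.utils import parseaddr

# My real mailbox (constructed values for this example).
MY_USER = "john"
MY_DOMAIN = "example.com"
SEPARATOR = "+"

# Which tag was handed to which site. The article keeps this in the password
# manager; here it is a constructed dict.
TAG_REGISTRY = {
    "widgets": "widgets.com",
    "x7q2m9": "shop.example.net",   # random-string tag, as the article suggests
}


def tagged_address(tag, user=MY_USER, domain=MY_DOMAIN, sep=SEPARATOR):
    """Build the sub-address to give one site, e.g. john+widgets@example.com."""
    return f"{user}{sep}{tag}@{domain}"


def split_subaddress(address, sep=SEPARATOR):
    """Return (user, tag, domain); tag is None when the address carries none."""
    local, _, domain = address.strip().lower().rpartition("@")
    user, found, tag = local.partition(sep)
    return user, (tag if found else None), domain


def canonical(address, sep=SEPARATOR):
    """The normalization the article warns about: a broker or breach-matcher
    just drops the tag, so every john+...@example.com collapses to one key."""
    user, _, domain = split_subaddress(address, sep)
    return f"{user}@{domain}"


def classify_message(to_header, from_header, registry=TAG_REGISTRY):
    """Decide whether a message to a tagged address came from the site that
    was given that tag. Returns 'not-mine', 'untagged', 'unknown',
    'expected' or 'leaked'."""
    _, to_addr = parseaddr(to_header)
    _, from_addr = parseaddr(from_header)
    user, tag, domain = split_subaddress(to_addr)
    if user != MY_USER or domain != MY_DOMAIN:
        return "not-mine"
    if tag is None:
        return "untagged"
    site = registry.get(tag)
    if site is None:
        return "unknown"          # nobody was given this tag: guessed or forged
    sender_domain = from_addr.rpartition("@")[2].lower()
    if sender_domain == site or sender_domain.endswith("." + site):
        return "expected"         # e.g. noreply@mail.widgets.com for tag 'widgets'
    return "leaked"               # the tag is known but someone else is using it


def audit(messages, registry=TAG_REGISTRY):
    """Group leaked-tag senders by the site that originally received the tag,
    which is the list of sites to go ask what happened."""
    leaks = defaultdict(set)
    for to_header, from_header in messages:
        if classify_message(to_header, from_header, registry) == "leaked":
            _, tag, _ = split_subaddress(parseaddr(to_header)[1])
            leaks[registry[tag]].add(parseaddr(from_header)[1].lower())
    return {site: sorted(senders) for site, senders in leaks.items()}


# Constructed sample of (To, From) header pairs from an inbox.
SAMPLE_MESSAGES = [
    ("John <john+widgets@example.com>", "Widgets <noreply@mail.widgets.com>"),
    ("john+widgets@example.com", "Deals <deals@bulk-mailer.example>"),
    ("john+x7q2m9@example.com", "orders@shop.example.net"),
    ("john+x7q2m9@example.com", "win@lottery.example"),
    ("john@example.com", "friend@somewhere.example"),
]

if __name__ == "__main__":
    for to_h, from_h in SAMPLE_MESSAGES:
        print(f"{classify_message(to_h, from_h):9} {to_h} <- {from_h}")
    print("leaks:", audit(SAMPLE_MESSAGES))
```

The `audit` result names the site that was given each leaked tag, which is the party to raise the issue with. `canonical` is there to make the caveat concrete: one line undoes the tagging, so the scheme identifies leaks but does not hide that the addresses belong to one person.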

However, this approach has some problems and drawbacks:

  • Some sites refuse to accept email addresses with “+” in them (rude!).
  • As noted above, the bad guys have mostly figured out how to work around the “+” trick.
  • This doesn’t make it any easier to change your real address or change email providers.
  • This technique and the one below break Gravatar, because you’re obviously not going to add your many unique site addresses to your Gravatar account.
  • This technique and the one below don’t play nicely with Shopify. If you enter your Shopify email address into a Shopify-enabled storefront, then a pop-up immediately appears for you to log in via Shopify rather than via a site username and password, and then you can check out using the credit-card information saved in Shopify. This doesn’t work if you have a different email address at every site.

An important note about password managers

This technique (and the one below) really isn’t sustainable unless you’re using a password manager, because you need to be able to track all the email addresses you’ve used as usernames at different sites in an easily accessible way. If you’re not using a password manager (why not?), you need to get set up with one and start using it reliably before you can move forward with different email addresses for different websites. Personally, I recommend Bitwarden or 1Password, but YMMV.

A better solution: truly anonymous email addresses

If you could find a way to give every site a completely different, unique address that isn’t linked back to you in any way they can tell, that would alleviate most of the deficiencies of the solution above. And guess what? You can! In fact, there are two different ways to do this.

First, your email provider may support associating multiple anonymous addresses with your mailbox. For example:

Remember, though, that if you do things this way then you will lock yourself in pretty tightly to a single email provider!

Second, you can use a third-party service which allows you to create multiple email addresses there that forward to your real mailbox. Although this locks you in to that service, you can easily change your actual email provider by creating a new account and then reconfiguring the anonymous forwarding service to send your messages there instead of your old address.

There are numerous services that provide this functionality, including:

These services generally provide browser extensions to make it easier to create new addresses on the fly when you need them, and some password managers have some of these services integrated into them. For example, Bitwarden integrates with all of the services listed above except Proton Mail, and 1Password integrates with Fastmail. Remember that once you start creating anonymous forwarding addresses you’re making a commitment to the service that’s providing the forwarding, so evaluate a service carefully before moving forward with it.

Playing catch-up

If you’ve read this far and you’re thinking about starting to use anonymous forwarding addresses, then you’re probably wondering what to do about all the sites you already have accounts on under your real address. If you’re a young sapling in the forest of the internet, perhaps you have so few online accounts that you can easily go back and switch the email addresses associated with them, but if you’ve been around for a while you could have hundreds of accounts.

If so, then read on! The rest of this article is a detailed description of how I solved this problem for myself. While it’s unlikely that everything below will be directly applicable to you, I hope you will find inspiration from it for how to tackle this problem in your own online life.

My personal journey to anonymized addresses

I’ve been using password managers for my personal online presence for decades—Bitwarden for many years, and before that LastPass—so when I decided it was time to up my privacy game and anonymize my site email addresses, I knew right away that just going through my password manager by hand was not going to be a viable strategy. And indeed, when I checked it turned out that my password manager had 1,262 items in it, far too many for a fully manual approach.

Picking a forwarding service

I have to admit that I didn’t proactively examine all of the available email forwarding services and make a well-informed decision about which one to use. Actually, I looked at the list of services that the Bitwarden browser extension integrates with, I went and looked at the first one on the list, addy.io, I said to myself, “Hmm, this one looks fine,” and I went ahead and used it. And Addy.io really is fine; in fact, it’s very good! With one caveat: it’s basically run by one person, and although he absolutely knows very well what he’s doing and has made provisions to ensure that it will stay up and running even if/when he’s out of the picture, there’s arguably a slightly higher chance that Addy.io could go away than some of the other services run by established companies.

I suppose I got lucky… I could have discovered that Addy.io is unstable or hard to use only after I had already created a bunch of addresses there and changed a bunch of site logins, but honestly, I find it to be extremely usable and performant. I’ve been using it for over a month and haven’t run into a single stability or performance issue. There are a few minor UX nits I’d change, and I’m disappointed it doesn’t (yet) integrate with Have I Been Pwned, but other than that it’s everything I want and need for this purpose.

Oh, yeah, about Have I Been Pwned

At least one of the email forwarding services, SimpleLogin, has a Have I Been Pwned integration, so if any of your anonymous addresses on that service are compromised in a breach it will notify you. As I mention above, Addy.io does not (yet) support such an integration, though they’re thinking about it. If this is something you care about, check whether the forwarding service you’re thinking about using supports it before committing.

The three legs of my achievability stool: integration, automation, and tagging

I combined three strategies to make the task of checking 1,262 password manager entries for anonymizable addresses and changing the ones that could be anonymized:

  1. integration — There was no way this was going to work unless the forwarding service I was using was fully integrated into my password manager. Because it was, I could easily generate and save new forwarding addresses right in my password manager’s browser extension. I wouldn’t have attempted this otherwise.
  2. automation — I leveraged the Bitwarden CLI, running bw sync and bw list items frequently and feeding the output into a Python script I wrote which told me which vault entries still needed to be reviewed and possibly anonymized. I also wrote a trivial little script that used the pyaddy Addy.io CLI to find entries created by Bitwarden and change their descriptions because I didn’t like the wording of the default description inserted by Bitwarden.
  3. tagging — As I worked my way through my Bitwarden vault guided by the script, I added hashtags into vault entries to give guidance to the script. This meant most state was captured in Bitwarden where it could be edited easily in real-time in my browser.

The automation scripts

This script is intended to have the output of bw list items fed into it, or saved into a file and then the file path passed in on the command line.

See the comment near the top of the script for an explanation of how password manager entries can be tagged in their notes to tell the script what to do about them.

The script assumes that if a site has been anonymized, then its Addy.io email address will be in either the username or the notes field of its vault entry. The latter is for sites that don’t have email addresses as usernames but still have email addresses configured into accounts.

Main automation script

#!/usr/bin/env python3

# XXX Search for XXX to find the things that need to be customized.

# Entry tags:
#
# #deferaddy -- in a holding pattern, postpone for the moment
# #noaddy -- no email address to change, or can't or shouldn't be changed for
#   legitimate reasons (URIs in my domains are implicitly assigned this tag)
# #otheraddy -- not me or not my personal email domain (excluded usernames
#   below are implicitly assigned this tag)
# #badaddy -- couldn't change email address

import argparse
import json
import re
import sys

anon_domains = (
    'addymail.com',
    'anonaddy.com',
    'anonaddy.me',
    # XXX Add here any other Addy.io domains you use.
)
anon_re = r'@(?i:' + '|'.join(map(re.escape, anon_domains)) + r')\b'
old_total = 1262


def parse_args():
    parser = argparse.ArgumentParser(description="Filter `bw list items` "
                                     "output for AnonAddy conversion")
    parser.add_argument("--noaddy", action="store_true", default=False,
                        help="Include #noaddy-tagged entries in output")
    parser.add_argument("--deferaddy", action="store_true", default=False,
                        help="Include #deferaddy-tagged entries in output")
    parser.add_argument("--stats", action="store_true", default=False,
                        help="Print stats, implies --no-items unless --items "
                        "is specified")
    parser.add_argument("--items", action=argparse.BooleanOptionalAction,
                        help="Print items (the default unless --stats is "
                        "specified)")
    parser.add_argument("infile", nargs="?", type=argparse.FileType("r"),
                        default=sys.stdin)
    args = parser.parse_args()

    if args.items is None:
        args.items = not args.stats

    return args


def main():
    args = parse_args()

    items = json.load(args.infile)

    skipped = 0
    addy_username = 0
    addy_contact_email = 0
    badaddy = 0
    noaddy = 0
    deferaddy = 0
    otheraddy = 0
    pending = 0

    for item in items:
        if item['type'] != 1:
            skipped += 1
            continue

        name = item['name']
        try:
            username = item['login']['username'] or ''
        except KeyError:
            username = '[no username]'
        try:
            uri = item['login']['uris'][0]['uri']
        except (KeyError, IndexError, TypeError):
            # No login URI at all (field missing, null, or an empty list).
            skipped += 1
            continue

        notes = item['notes'] or '[no notes]'

        prefix = ""

        if re.search(anon_re, username):
            addy_username += 1
            continue
        elif '#noaddy' in notes:
            noaddy += 1
            if args.noaddy:
                prefix = "#noaddy"
            else:
                continue
        elif '#deferaddy' in notes:
            deferaddy += 1
            if args.deferaddy:
                prefix = "#deferaddy"
            else:
                continue
        elif '#badaddy' in notes:
            badaddy += 1
            continue
        elif '#otheraddy' in notes:
            otheraddy += 1
            continue
        elif re.search(anon_re, notes):
            addy_contact_email += 1
            continue
        # XXX Add a list of usernames for accounts you know you don't want to
        # anonymize. For example, I have entries in my vault that were shared
        # with me by other family members but belong to them. Or you can delete
        # this entire `elif` block if you don't care about this.
        elif username.lower() in ():
            otheraddy += 1
            continue
        # XXX Change this regexp to one that will match your personal domain(s)
        # that have servers in them under your control that you don't want to
        # anonymize, or just delete the entire `elif` block if you don't care
        # about that.
        elif re.search(r'\.example\.com\b', uri):
            noaddy += 1
            continue
        else:
            pending += 1

        if args.items:
            print(f"{prefix}{': ' if prefix else ''}{name} {username} {uri}")

    if args.stats:
        if args.items:
            print("")
        print(f"Old total: {old_total}")

        total = len(items)

        print(f"Skipped (e.g., not login, no URI): {skipped}/{old_total} "
              f"({skipped/old_total:.0%})")
        total -= skipped

        deleted = old_total - total
        print(f"Deleted: {deleted}/{old_total} ({deleted/old_total:.0%})")

        print(f"Not yet checked: {pending}/{old_total} "
              f"({pending/old_total:.0%})")
        total -= pending

        print(f"Eligible and checked: {total}/{old_total} "
              f"({total/old_total:.0%})")

        print(f"Other user or email domain: {otheraddy}/{total} "
              f"({otheraddy/total:.0%})")
        print(f"Non-anonymous on purpose: {noaddy}/{total} "
              f"({noaddy/total:.0%})")
        eligible = total - otheraddy - noaddy
        print(f"Want to anonymize: {eligible}/{total} "
              f"({eligible/total:.0%})")
        total = eligible

        print(f"Changed to AnonAddy username: {addy_username}/{total} "
              f"({addy_username/total:.0%})")
        print(f"Changed to AnonAddy contact email: "
              f"{addy_contact_email}/{total} "
              f"({addy_contact_email/total:.0%})")

        changed = addy_username + addy_contact_email
        print(f"Total changed to AnonAddy: {changed}/{total} "
              f"({changed/eligible:.0%})")

        print(f"Problem prevented anonymizing: {badaddy}/{total} "
              f"({badaddy/total:.0%})")
        print(f"Deferred until later: {deferaddy}/{total} "
              f"({deferaddy/total:.0%})")


if __name__ == '__main__':
    main()

Here’s the trivial script I wrote to use the Python Addy.io CLI to rewrite the descriptions of entries created by Bitwarden:

Addy.io description rewriting script

#!/usr/bin/env bash

set -e -o pipefail

# List every alias, drop the CLI's header line, and flatten the JSON to one
# "<id> <email> <description>" line per alias. Keep only the aliases whose
# description is Bitwarden's default ("Website: <site>. Generated by
# Bitwarden.") and rewrite each of those descriptions to just "<site>".
addy alias get-all |
    tail -n +2 |
    jq -r '.data | map(.id + " " + .email + " " + .description) | join("\n")' |
    sed -n -e 's/\(.*\) \(.*\) Website: \(.*\)\. Generated by Bitwarden\.$/\1 \2 \3/p' |
    while read -r uuid address site; do
        addy alias update "$uuid" --description "$site" >/dev/null
        echo "Updated description of $address to $site"
    done

Let’s do the numbers

As I noted above, I started with 1,262 password manager vault entries. I ended up deleting 465 (37%) of them while going through the vault during this project! I had entries for sites that no longer exist, entries so old and unused that their associated accounts had been deleted by the site owners, and entries whose accounts I no longer needed so I submitted requests to their site owners to delete them.

Of the remaining items, I skipped 120 that were of the wrong type, e.g., secure notes or notes that didn’t have a login URI associated with them, and skipped 292 more which I had good reasons not to anonymize.

That leaves 505 entries that I tried to anonymize. Of those, I successfully anonymized 386 (76%) and failed to anonymize 118 (23%) for various reasons (more on that below). Those two numbers don’t add up to the total because there’s one item I’m still trying to figure out, an IRS site that I haven’t been able to log into but I think it’s probably a transient issue.

All this probably took me around 20 to 25 hours of effort spaced over the course of a month or so.

The good, the bad, and the ugly

As I was going through my vault reviewing and anonymizing stuff, I posted a running commentary in a long thread on Mastodon. Instead of repeating here everything I wrote there—you’re welcome to go read it if you’re curious—I’m just going to post some highlights.

I think it’s important to start by observing that, as implied by the 76% success rate documented above, the majority of sites handle email address changes with little to no trouble. A couple specific shout-outs:

  • After I changed the email address on my Mozilla Account (accounts.firefox.com), Firefox Sync automatically switched over to the new address without any disruption in all my signed in browsers on all devices. The transition on addons.thunderbird.net where I was already logged in was automatic and seamless as well. There were a lot of edge cases that could have gone wrong here and I was impressed that none of them did.
  • The email address change workflow on crowdin.com was absolutely flawless.

Now let’s talk about what went wrong. A lot of the problem sites had similar problems. For example:

  • Some sites specifically refuse to accept Addy.io addresses. Not to put too fine a point on it, but fuck that noise. For these sites I either shrugged and left them unanonymized, or switched them over to a plus address so at least I will notice if they sell my data or someone steals theirs.
  • Some sites don’t let you change your address at all on an existing account.
  • Some sites let you change your address, but your username is separate and can’t be changed, so if you used your address as your username when you created your account (you may not have even been offered a choice!) you’re stuck with your old, non-anonymized address as your username.
  • I encountered several sites which claimed that they were sending a verification email that I needed to click to confirm the address change, but then either the email never came or it came only after an exceedingly long delay (the ones that were delayed aren’t counted in the 23% that failed because they eventually succeeded).
  • I encountered a lot of sites where the workflow surrounding changing an account email address was clearly not adequately tested. In some cases this meant that it was glitchy but still navigable; in others it meant that it simply didn’t work.
  • I encountered some sites where my account is in a semi-deactivated state, e.g., logins at old health insurance companies, such that I can log in but I’m not allowed to edit my profile. These sites still have an address for me in their database that I don’t want to be there anymore, but I can’t do anything about it.
  • The only correct way, from an information security point of view, to validate an address change on an account is to send a notification email about the change to the old address and a separate email to the new address with a link the user has to click to finalize the change. Some sites get this right; most do not.
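The last bullet describes the correct change-of-address flow; here it is worked through as an added example (not code from the article or from any of the sites it discusses): a pending change that does not alter the login identity until confirmed, a plain notice to the old address with no confirmation link, and a separate message to the new address carrying a single-use, expiring token. The `Outbox` class, the `app.example` URL and the one-hour lifetime are constructed for the example; a real service would send mail and persist the pending record in its database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy: a confirmation link is good for one hour.
TOKEN_TTL_SECONDS = 60 * 60


class Outbox:
    """Stand-in for the mail sender. It records every message separately, so
    you can see that the old and new addresses each get their own message
    rather than one message with the old address BCC'd."""
    def __init__(self):
        self.messages = []

    def send(self, to, subject, body):
        self.messages.append({"to": to, "subject": subject, "body": body})


class User:
    def __init__(self, email):
        self.email = email      # verified address; also the login identifier
        self.pending = None     # set while a change awaits confirmation


def _token_hash(token):
    # Store only a hash, so a read of the database does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(user, new_email, outbox, now=None):
    """Start a change. The account keeps its old address until confirmed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user.pending = {
        "new_email": new_email,
        "token_hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # Message 1, to the OLD address: a notice with no confirmation link, so
    # whoever controls the old mailbox learns of the change and can stop it.
    outbox.send(user.email, "Your account email address is being changed",
                f"A request was made to change your address to {new_email}. "
                "If this was not you, log in and cancel the pending change.")
    # Message 2, to the NEW address: the only place the plaintext token goes.
    # Following it proves the requester can read mail at the new address.
    outbox.send(new_email, "Confirm your new email address",
                f"Confirm: https://app.example/confirm-email?token={token}")
    return token   # returned only so this offline example can drive the flow


def confirm_email_change(user, token, now=None):
    """Finish the change from the link sent to the new address."""
    now = time.time() if now is None else now
    pending = user.pending
    if pending is None:
        return "no-pending-change"
    if now > pending["expires"]:
        user.pending = None
        return "expired"
    if not hmac.compare_digest(pending["token_hash"], _token_hash(token)):
        return "invalid-token"      # keep pending: the genuine link still works
    user.email = pending["new_email"]
    user.pending = None             # single use
    return "confirmed"


def cancel_email_change(user):
    """Reached from the notice sent to the old address (after logging in)."""
    if user.pending is None:
        return "no-pending-change"
    user.pending = None
    return "cancelled"


if __name__ == "__main__":
    outbox = Outbox()
    user = User("old@example.org")
    token = request_email_change(user, "new@example.org", outbox, now=1000.0)
    print("still logs in as:", user.email)
    for m in outbox.messages:
        print("->", m["to"], "|", m["subject"])
    print(confirm_email_change(user, "not-the-token", now=1001.0))
    print(confirm_email_change(user, token, now=1001.0), user.email)
```

Two design points match the failures catalogued further down: the notice to the old address is a separate message with its own To header, not a BCC on the confirmation mail, and a site that skips message 2 entirely has no evidence the new mailbox belongs to the person making the change.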

Here are stories about some specific sites which you may find amusing or infuriating (I put this list at the bottom of the article so you can just stop reading when you get bored 😉):

  • Aarp.org said they were sending email to confirm the change. I clicked the link in the email, and it loaded the web site but didn’t display any sort of message confirming the change. I viewed my profile and it said the new address was still unconfirmed. I tried clicking the link in the email again, and it said it wasn’t valid and I should call customer service during business hours. Nevertheless after logging out I was able to log back in using the new address.
  • There was no way I could find to change the email address associated with my account on lenovo.com. I had to Google “how do I change my lenovo id email address,” which brought me to these successful instructions on support.lenovo.com.
  • An interstitial page popped up upon login to microcenter.com demanding that I provide my mobile phone number. Skipping this step was not an option. I don’t give my phone number to sites that demand it, so I contacted their customer service via chat and asked them to delete my account. They asked for the email address associated with the account and then deleted the account without first sending me email to confirm I was the legitimate owner of the address.
  • It’s impossible to change your email address in the Bill.com AP/AR app. Their help page about this literally says that you have to create a new account with the new address, deactivate the old account, and notify every single entity sending you payments or invoices to switch to the new address. This is some serious 🤡 stuff.
  • PatientWallet.com got three significant things wrong:
    • After I entered my new address and saved the change, it popped up a dialog asking me to enter my password to confirm, and the password field was already filled in. I do not have any sort of autofill enabled in my password manager. I have no idea how or why this happened, but however it happened, it’s really broken.
    • After I changed my address, the site sent a single confirmation email to both my old and new addresses; the new address was in the To line and the old address was BCC’d. This is a bad idea for several reasons, the biggest one being that not including the recipient address in the To header increases the spam score of the message significantly, so it’s more likely to end up in the user’s spam folder.
    • When I clicked the link in the “Please verify your email address” email, the site loaded, and there was a banner at the top telling me that I needed to confirm my address, which I had just confirmed by clicking on the link which brought me to that page. This is amateur hour stuff, seriously.
  • At app.cobalt.io—an infosec company no less!—there’s no visible way for me to change the email address on my account and I couldn’t find any instructions on the web for how to do it. Also, allow me to take this opportunity to decry, not for the first time, how shitty infosec companies are at infosec:
    • Cobalt’s app does not support WebAuthn.
    • When I go to edit my 2FA settings, for some inexplicable reason the app pops up a new window and makes me log in in that window, including username, password, and TOTP code, rather than just prompting me for my password or 2FA code in the main window to confirm my identity. This is security theater, not real security.
    • They’ve added recovery code functionality since I set up my account, but rather than just letting me generate a recovery code they’re telling me I have to turn 2FA off and turn it back on to generate one. This is just an incredibly lazy, user-hostile implementation.
  • Speaking of infosec companies that should know better, you can’t change your email address on the Center for Internet Security’s CSAT tool, csat.cisecurity.org.
  • My health insurance company, GEHA, doesn’t allow the email address used for login to be changed without contacting customer service on the phone. 😠 🤡
  • Changing my email address at apc.com (a.k.a. Schneider Electric, the uninterruptible power supply manufacturer) was a complete clusterf*ck and in the end proved impossible. I’ve done many of these address changes, and truly, this is one of the worst.
    • Their site was “down for maintenance” at a perfectly reasonable hour on a weeknight, which is just like wtf man?
    • I tried again later when they were up. After clicking the button to change my address and submitting the new address, the following problems occurred.
    • The site displayed a page telling me to enter the code they sent to the new address.
    • I received an email with the Subject line “Log in with your new Salesforce username” (!!) listing weirdly constructed old and new usernames for me. There was nothing useful I could do with this email.
    • I received a notification to my old address which started “Resend – Update of your email address.” followed by “Hello Test,” (!!).
    • I received a notification to my new address with the same formatting problems. It had a link in it to activate the new address but the link was invalid.
    • I did not receive the code they claimed to be sending me for me to enter to change my address.
  • My account at change.org was created so long ago that my username was my old “jik@kamens.brookline.ma.us” address instead of my new “jik@kamens.us” address. When I tried to log in to change my address, it said, “Please use a valid personal email address,” and wouldn’t let me log in. This is absolutely a “valid personal email address,” and not only that, but it was my damn email address on the site when my account was created. Developers should stop trying to be smart about email addresses and accept what the user gives them.
  • I had to change my email address in like three different places at eversource.com. Honestly, I’m not even sure I found all the places the old one was stashed. The Eversource web site is a maze of twisty little passages, with instructions on page A sending you to page B to make changes, and sometimes those links to page B don’t work or go to the wrong place. It’s gross.
  • To change your email address at hightail.com, they ask you to enter your new email address and current password. When I do that it says “Incorrect password” even though I know for a fact that I am entering the correct password. Resetting my password did not solve the problem. 🤡
  • I decided it was easier to just delete my flixfling.com account instead of changing the email address, so I sent email to info@flixfling.com asking them to delete my account. I thought they would email me back to confirm that the email they received was really from me before deleting the account, but nope! They just deleted it. *sigh*
  • At jetblue.com, it wouldn’t let me log in with the password stored in my password manager. I was able to do a password reset and set my password to the one I already had stored, despite the fact that the password reset screen claimed I wasn’t allowed to use my previous three passwords. 🤔
    On their profile screen they said to “Use an email address you’ll always have access to,” but then didn’t make me verify my address after changing it. 🤔🤔
  • LinkedIn is, as usual, a dumpster fire. It accepts the AnonAddy email address when I add it, and sends the necessary verification email to the new address, but when I click the link in the email I get a bizarre error page with a 2020 copyright at the bottom of it. Despite the fact that I got an error when I clicked the verification link, the address now shows up as verified on my addresses list. However, when I click the “Make primary” link on that address, I get a weird, messed-up page, and my primary address is not changed to the new address. I eventually gave up.
  • I ran into several different bugs when trying to change my address at Ko-Fi, and several more bugs trying to access Ko-Fi support for help with the problems, and the support representative who ended up handling my support ticket lied to me several times; seriously, they just made shit up about why I was having the problems I was having. I ended up deleting my old Ko-Fi account and creating a new account with my Addy.io address; this worked fine. This is not the first trouble of this sort I’ve had with Ko-Fi. My overall impression is that they are a 🤡 show and it’s only a matter of time before news breaks of a serious security breach there.
  • Salary.com said on login that my password was expired and had to be changed, but then it wouldn’t allow me to change my password because the password change form enforced their current password validation rules (must have a special character) on my old password even though it was created so long ago that those rules were not in effect. I had to do “Forgot password?” to change it. Why are software developers so bad at their jobs?
  • TransAmerica wins the prize for the worst pointless security theater I’ve encountered while anonymizing my online account addresses. I had to:
    • enter an emailed code and answer a security question to log in;
    • agree to new terms, then enter another emailed code;
    • answer another security question to get to my profile page; and
    • type my new email address instead of pasting it (the “Don’t Fuck With Paste” extension fixed that!).
    After all that, they didn’t require me to click a link sent to my new email address to confirm the change and prove that I had access to that mailbox. All the garbage they put me through, and they didn’t do the one real, substantive security thing that should be done as part of an email address change. Unbelievable.
  • Starbucks.com said the password in my password manager was invalid, so I did a password reset. When prompted to choose a new password I entered my current one, which it accepted and said my password had been changed. Once again, however, it wouldn’t let me log in. So I went through the password reset process again, and this time specified a new password. Again, it said it worked. Again, it wouldn’t let me log in with the newly changed password. 🤷
  • Ticketmaster.com let me enter a new email address, sent a code to my old email that I needed to enter to confirm the address change, then after all that popped up a message saying “We have temporarily disabled email address changes, if it’s an emergency contact customer service” and reverted the address change. 🤦
  • In the hour and 6 minutes after I changed my email address at uber.com, they sent me 10 identical “Jonathan, your Uber account email was updated” email messages, spaced apart by 4–11 minutes, all to my old email address rather than the new one.
  • Caremark.com is a doozy. My password manager said to log in using my email address as my username, which worked fine. When I went to update my email address in my profile, I saw that there was a separate username field with a random number as my username. I changed the username to something else, and it logged me out and told me to log back in with my new username. Which… didn’t work. I still had to log in with my email address.
    So I changed my email address, and then logged out and tried to log back in again, and I still need to log in with my old email address, even though it is no longer displayed anywhere in my account settings. How do you even break things this badly?
  • At tripplite.eaton.com, there’s no way to edit the username / email address on your account. They’ve buried the “Delete account” button on the “Password” tab of the account settings pop-up for some inexplicable reason. And if you click the “Delete account” button, the message telling you that your request was submitted successfully is inserted onto a different tab of the pop-up so you don’t see it unless you switch to that tab. 🤦
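The TransAmerica and Uber entries above both come down to the same two design requirements for an email-address change: the new mailbox must prove it is reachable before the change takes effect, and the old mailbox must get exactly one notification afterward so a hijacked account is noticed. The following is an added illustration of that flow, written for this article and not code from any of the sites discussed. The `Account` record, the in-memory `Mailer`, the 15-minute token lifetime and the subject lines are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a confirmation link


@dataclass
class Account:
    """Constructed stand-in for a user row: only the fields the flow needs."""
    email: str
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0


class Mailer:
    """Records (recipient, subject) pairs instead of sending real mail."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def _hash_token(token: str) -> str:
    # Store only a digest so a leaked database row cannot complete the change.
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(account: Account) -> None:
    account.pending_email = None
    account.pending_token_hash = None
    account.pending_expires_at = 0.0


def request_email_change(account: Account, new_email: str, mailer: Mailer,
                         now: Optional[float] = None) -> str:
    """Stage a change; the confirmation link goes ONLY to the new address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token_hash = _hash_token(token)
    account.pending_expires_at = now + TOKEN_TTL_SECONDS
    mailer.send(new_email, "Confirm your new email address")
    # Returned here so the example can be exercised; a real app embeds it in
    # the emailed link and never shows it in the web UI.
    return token


def confirm_email_change(account: Account, token: str, mailer: Mailer,
                         now: Optional[float] = None) -> bool:
    """Apply the staged change if the token from the new mailbox is valid."""
    now = time.time() if now is None else now
    if account.pending_email is None or account.pending_token_hash is None:
        return False
    if now > account.pending_expires_at:
        _clear_pending(account)  # expired links are discarded, not retried
        return False
    if not hmac.compare_digest(account.pending_token_hash, _hash_token(token)):
        return False
    old_email = account.email
    account.email = account.pending_email
    _clear_pending(account)  # single use: a replayed link fails below
    # Exactly one notice to the OLD address, so the real owner learns of a takeover.
    mailer.send(old_email, "Your account email was changed")
    return True
```

The important property is that the proof of control (the link) goes to the new address while the notification goes to the old one; sending ten copies of the notification, or sending the proof link to the old address, defeats the purpose of each message.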

The MailGun saga

So much went wrong when I tried to change my address at MailGun that it wouldn’t fit nicely into the list of issues above, so it gets its own section!

When I logged in, the site informed me that it was going to convert my MailGun login to a “Sinch ID” (MailGun was acquired by Sinch a few years ago). I was not given a choice about skipping this conversion. It seemed to go fine.

The next step would be to change my address, right? Nope! Maybe I could do that when logging into MailGun directly, but now that my login has been converted to a Sinch ID, instead of an “Edit” button next to my address, there’s an “Info” button. When I click on it, it says, “Unfortunately, editing your email address is no longer supported. You will need to invite a new user with the desired email address.”

“No problem,” I think, “I’ll add my new address, transfer account ownership to it, and then remove the old address.” I was able to invite my new address to my MailGun account as a new user, but oddly, it created the new user as a native MailGun account, not a Sinch ID. I have no idea why a site would begin migrating existing users to a new ID system before changing their new-user workflow to use the new system!

There’s an interesting workflow for adding 2FA on MailGun (not Sinch ID): (1) scan QR code; (2) click button to download recovery key; (3) click Next button; (4) enter 2FA code to enable 2FA. There’s no way to download or regenerate the recovery key after 2FA is enabled. This is atypical. Usually the recovery key download doesn’t happen until after 2FA is enabled and there’s a way to regenerate and download it again later.
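The ordering problem described above (recovery key handed out before 2FA is actually enabled, and never regenerable afterward) is easiest to see as a small state machine. Here is an added example, not MailGun's or Sinch's code, that issues recovery codes only after the first TOTP code has been verified and lets the user regenerate them, invalidating the previous set. The TOTP routine follows RFC 6238 with SHA-1 and six digits; the `TwoFactor` class, the eight-code batch size and the hex code format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits)


class TwoFactor:
    """2FA enrollment for one account: secret shown (QR) -> verified -> enabled."""

    RECOVERY_CODE_COUNT = 8  # assumed batch size

    def __init__(self, secret: bytes) -> None:
        self.secret = secret          # what the QR code carries
        self.enabled = False
        self._recovery_hashes: Set[str] = set()

    def verify_and_enable(self, code: str, timestamp: int) -> bool:
        """Step 4 of the workflow: the first valid code proves the authenticator works."""
        if self.enabled:
            return False
        if hmac.compare_digest(code, totp(self.secret, timestamp)):
            self.enabled = True
            return True
        return False

    def issue_recovery_codes(self) -> List[str]:
        """Only meaningful once 2FA is live; regenerating discards the old set."""
        if not self.enabled:
            raise RuntimeError("enable 2FA before issuing recovery codes")
        codes = [secrets.token_hex(5) for _ in range(self.RECOVERY_CODE_COUNT)]
        # Store digests only; the plaintext codes are shown to the user once.
        self._recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def use_recovery_code(self, code: str) -> bool:
        """Each code works exactly once."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._recovery_hashes:
            self._recovery_hashes.discard(digest)
            return True
        return False
```

Because the recovery codes are derived fresh on every call to `issue_recovery_codes`, a user who loses the downloaded file can simply regenerate, which is the behaviour the paragraph above describes as the usual one.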

I’ve now got the new address added to the account and activated, so I need to transfer account ownership to it. I go to the “Account users” page and see both addresses, with a “Delete” link next to one of them and a “Deactivate” link in the same column next to the other. I think, “‘Delete’ clearly means to delete a user from the account, so ‘Deactivate’ must mean to deactivate a user. I guess if I deactivate the account owner then ownership will transfer to the other user?” Nope! It actually deactivates 2FA. How confusing!

OK, so, I’ve just deactivated 2FA by accident, so I need to fix that. I reactivate 2FA, then, to make sure everything is OK, I log out and back in. The new 2FA I just added doesn’t work. Apparently I just reactivated 2FA for my native MailGun account which I can no longer use to log in. The 2FA which was migrated over to my Sinch ID with my account was never deactivated, so that’s the one I have to use to log in. smdh

Overall this was a terrible user experience. I ended up needing to submit a support ticket to MailGun to ask them to promote the account with the anonymized address to be the account owner and then delete the Sinch ID associated with my non-anonymized address; I could not do either of those things myself.
