How Thousands of Misplaced Emails Took Over This Engineer’s Inbox

Two weeks ago, longtime software engineer Kenton Varda got an email that wasn’t meant for him. It was from AT&T Mexico to a customer named Jorge, whose most recent phone bill was attached. You’ve probably gotten an email intended for someone else at least once. But then Varda got another AT&T Mexico bill for Gloria. And then a third for Humberto, who is overdue on paying more than 6,200 pesos, about $275.

To Varda, the incident wasn’t a surprise. As the owner of the email account temporal@gmail.com, he gets dozens of messages a day from Spanish speakers around the world, all sent by people who thought they could use his address as a dummy input: “Temporal” translates to “temporary.” Varda says he frequently receives private documents, even medical bills and collection notices. Many of the most sensitive emails contain legal notices that the messages are confidential and should not be disclosed to other parties aside from the intended recipient. Varda doesn’t speak Spanish, but he uses Google Translate when possible to understand what’s going on and reply to senders saying they have the wrong address.

“Recently I had a few people send me what appeared to be photographs of handwritten notes. Maybe notes from a class?” Varda says. “Also, I received several job evaluations of one Jose Gomez, who appears to be a janitor. And a pretty good one!”

Like many Weird Internet Things, the saga of temporal@gmail.com began during a simpler time. As a teenager in the 1990s, Varda was an avid player of the tabletop role-playing game Rifts. The game had a character class Varda particularly liked called Temporal Wizard that, naturally, used magic to manipulate time. So Varda adopted “Temporal” as his gamer tag. In 2004, shortly after Gmail launched, Varda graduated college and registered temporal@gmail.com.

“In retrospect, I wish I had registered ‘kenton@’ instead,” he says. “I was probably early enough to get it. Too late now.”

But temporal@gmail served Varda well for many years. It was only around 2010, when Gmail started to see heavy adoption in Spanish-speaking countries, that Varda ran into problems. “When people are registering a temporary, throwaway account and don’t want to give their real email address or need a placeholder, they tend to plug in ‘temporal,’” he says. “It doesn’t occur to them that this address might actually belong to someone.”

The bulk of misplaced emails that head Varda’s way are confirmations for various account sign-ups. He ignores those as much as possible. He says it can be difficult not to instinctively click confirm, but he doesn’t want to let other people set up accounts tied to his address. He’s also run into incidents where a platform doesn’t require email address validation, and his suddenly becomes attached to someone else’s account. Numerous times, it has appeared that an IT staffer at a large organization has used “temporal” as a throwaway for a batch of accounts, perhaps to close out support tickets or categorize miscellaneous user information in a database. Varda says the account also receives a huge number of sign-ups at schools around the world, though he’s not sure why this category crops up so often.

In all of these situations, Varda can end up with large amounts of private data that was never meant for him to see. In the case of the AT&T Mexico emails, for example, Varda received Jorge’s, Gloria’s, and Humberto’s full names, addresses, account numbers, and full call histories for the billing period ending June 11.

Varda always tries to reply to emails when possible and warn that his address is not the right one. He receives lots of résumés, for instance, from people who think the email address is linked to a temp staffing firm, so he set up a filter for “hoja de vida,” or résumé, and an auto reply that warns they’ve got the wrong guy. Occasionally he gets one- or two-word replies to his messages, like “OK, sorry.” But in general he never hears back, and often the emails keep coming.

