On Fri, May 31, 2019 at 01:17:19PM +0000, Richard wrote:
> When I have looked into this type of issue for my unique addressing, some did trace back to back-end db hacks (e.g., Adobe), but I found that the most likely culprit was the 3rd-party bulk mailer that handled the organization's marketing mail. It could be a non-zeroed disk thrown into the trash or an inside job, but it almost always traced back to one or two bulk mailing companies.

FYI, I've been running numerous experiments in this area for many years using unique non-guessable non-typo'able addresses. Explaining the results in full would take many pages, so let me summarize: 3rd party bulk mailers leak like sieves.

"How?" remains an open question: could be that they're selling, could be that they have security issues, could be that insiders are selling on their own, could be any number of things: it's really not possible to say. But they are unquestionably leaking.

This is hardly surprising: many of them are spammers-for-hire, many of them use invasive tracking/spyware, and none of them actually care in the slightest about privacy or security -- after all, it's not *their* data, why should they?

Which are some of the many reasons that outsourcing your mailing lists is a terrible idea, doubly so when it's quite easy to run your own with Mailman (or equivalent).

---rsk