I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'.

jwz
bar.com
web.archive.org

Mike Sheward
Up to about 24 different orgs now; overnight I had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Service
and best of all
US based Antivirus Manufacturer and Cybersecurity Provider

Mike Sheward
I wrote up this cursed discovery with more details:
mike-sheward.medium.com/delete…
#infosec

Mike Sheward
Couple of new additions today to the internet dumpster:
- Some internal system at one of the world's largest and most recognizable consumer electronics manufacturers is telling deleteduser.com all about approved purchase orders, including direct links to the orders, and the names of all the people who are involved.
- More gyms, very common.
- Some platform used to offer temporary shifts to healthcare workers asked a nurse at deleteduser.com if they were available to urgently cover a shift at a South African healthcare facility.

Mike Sheward
I added 5 variations on this domain (not going to say what they are just yet so as not to interfere with the results), and in the first 20 minutes I have 3 more orgs all sending PII to these addresses for now-deleted users.
Includes a managed IT services provider in Malaysia's ticketing system, which includes the full content of the ticket - system names, IPs etc.

Mike Sheward
Haven't done this because I'm an ethical sausage, but I do wonder - how many of these sites would happily send a password reset link to whatever@deleteduser.com, and after resetting the password, how much order history/other PII and the like would be there?
I’d guess between 98-100% of them.

Mike Sheward
OK, curiosity won and I tried it on a couple:
yes, they all willingly sent the password reset link to the domain
yes, they let me reset the password
no, they didn’t have mfa
yes, they let me log in to the “deleted” accounts
yes, I saw order histories, names, DOBs, last four of credit cards
yes, i disclosed to the security contacts i could find at the companies
yes, one of them was the viagra place

Mike Sheward
One org got back to me and said, 'yeah we effed up - and are fixing'.
I was thinking of that scene in the bart falls down the well episode of the simpsons where at the end they say, 'and now to make sure nobody ever falls down this well again', followed by them putting up a small sign that says 'caution: well'.
I bet they'll run something like:
UPDATE users
SET email = REPLACE(email, '@deleteduser.com', '@deleteduser2.com')
WHERE email LIKE '%@deleteduser.com';
So no one ever falls down the well again.

Jens Finkhäuser
If you want to do this, which you shouldn't, you could just use an invalid DNS label in there.
Commonly used are labels with leading underscores.
So renaming foo@bar.org to foo@_deleted.bar.org would already be a huge improvement.
Not really what "deleted" means, mind you.
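Added example, not code from Mike's or Jens's posts: one way to implement the tombstone-and-gate approach Jens's reply points toward, covering both the SQL "caution: well" fix above and the password-reset scenario earlier in the thread. The `User` record, its field names, the `PUBLIC_PLACEHOLDER_DOMAINS` list and the `_deleted.invalid` domain are assumptions for illustration; `.invalid` is reserved by RFC 2606 and never resolves, and a leading-underscore label is not a valid hostname label, so the tombstone address is unroutable on two counts. The outbound gate is what stops notifications, reset links and PII from being mailed to a domain someone else can register, regardless of which placeholder the data model ends up with.

```python
"""Tombstone a deleted account and refuse to notify it (added example, not the
thread's code). Field names, the placeholder list and the tombstone domain are
assumptions; .invalid is reserved by RFC 2606 and can never resolve."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder domains that someone other than you can register (constructed
# list, taken from the domains named in the thread).
PUBLIC_PLACEHOLDER_DOMAINS = {"deleteduser.com", "internaluser.com", "service-account.com"}
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}  # RFC 2606
TOMBSTONE_DOMAIN = "_deleted.invalid"  # underscore label + reserved TLD: unroutable either way


@dataclass
class User:
    id: int
    email: str
    name: Optional[str]
    dob: Optional[str]
    card_last4: Optional[str]
    deleted: bool = False


def tombstone_address(user_id: int, secret: bytes) -> str:
    """Opaque per-user local part: support can still correlate records, but the
    address carries no PII and cannot be reversed to the id without the key."""
    digest = hashlib.blake2b(str(user_id).encode(), key=secret, digest_size=8).hexdigest()
    return f"{digest}@{TOMBSTONE_DOMAIN}"


def delete_user(user: User, secret: bytes) -> User:
    """Overwrite the email AND scrub the other PII fields, then flag the row."""
    user.email = tombstone_address(user.id, secret)
    user.name = None
    user.dob = None
    user.card_last4 = None
    user.deleted = True
    return user


# Hostname label: letters, digits, hyphens; no leading/trailing hyphen, no underscore.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_deliverable(address: str) -> bool:
    """False for known placeholders, reserved TLDs and invalid labels."""
    if address.count("@") != 1:
        return False
    _, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if domain in PUBLIC_PLACEHOLDER_DOMAINS:
        return False
    labels = domain.split(".")
    if labels[-1] in RESERVED_TLDS:
        return False
    return all(_LABEL.match(label) for label in labels)


def send_mail(to: str, subject: str, body: str, outbox: List[Tuple[str, str, str]]) -> bool:
    """Gate every outbound notification; returns whether it was queued."""
    if not is_deliverable(to):
        return False
    outbox.append((to, subject, body))
    return True


def request_password_reset(users: Dict[int, User], email: str, outbox: list) -> bool:
    """Look up by email; a deleted account must never receive a reset link.
    Unknown and deleted addresses get the same answer, so no enumeration."""
    user = next((u for u in users.values() if u.email.lower() == email.lower()), None)
    if user is None or user.deleted:
        return False
    return send_mail(user.email, "Password reset", "reset link goes here", outbox)
```

The `is_deliverable` check is the piece worth wiring into the mail layer itself rather than into each caller: the thread shows purchase-order systems, ticketing systems and core-banking notifiers all emailing placeholders, and none of those code paths know that the address they were handed is a tombstone.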

Mike Sheward
Another good one - a European country's licensing authority for construction workers sends an email to deleteduser.com each time an employee is added to, presumably, the "deleted" user's former company.
That email includes the name, trade and license info of the person being added, alongside the PII of the "deleted" user.

Mike Sheward
Adding an EU based dating app, using deleteduser.com for their deleted users - but not appearing to delete/overwrite any of the other fields.
I guess this from their Google Play listing is technically accurate: "You may request, but what will happen is we'll update your email address."

Mike Sheward
Australia, if you thought you were immune, I have bad news:
Just got emails from some construction management app based down under.
Special shout out to their footer:
"This email has been sent to Paul of Deleted Company."

Mike Sheward
Oh, and yes, it turns out owning internaluser.com and service-account.com is a truly incredible way to get access to notifications and logs from various corporate systems. They just email them right to ya.
sadly, serviceaccount.com is taken.

Mike Sheward
Wow Australia, one of your banks with around A$95B of assets under management sends out an internal notification email from one of their banking core systems to around 1,000 engineers (not on BCC, so all their emails are in the body of the notification) and also to internaluser@internaluser.com.
That's a good one.

Mike Sheward
Happy Monday, got this gem from a UK org. The subject line was "GDPR request".
I think it sums up this particular shitshow perfectly tbh.
"we have processed your GDPR request and are now sending your deleted information to someone you do not know as confirmation we have deleted you"
#gdpr #privacy