Note: This is part 2 of a series on email and internet security. See part one on using a password manager here.

Have you ever gotten your email leaked in something, only to start receiving dozens, or maybe hundreds of spam emails? Well, things like this happen all the time, so don’t worry, you’re not alone. Think your email has never been leaked? Try putting it to the test: go visit https://haveibeenpwned.com/ and type in your email addresses to see how many times your email address has been leaked. If you’ve had your email address for more than a few years, the likelihood of it being on there is pretty substantial.

I just tried one of mine, the one that I thought for sure nobody had ever hacked because it was my “personal” email that I rarely used. But lo and behold, it was indeed involved in two hacks.

My email address that I thought was safe was not, in fact, safe.

Not only was my information leaked, or “pwned” as this site calls it, but it was by a company I had never heard of. I know I was a member of Cafe Press, but I have no idea what Apollo is.

In fact, this is a very common theme. When I search the site using my other, much older, gmail address, it shows 39 different data breaches, many of which I had never heard of. Another tidbit – I got a letter the other day that I have been granted a one year subscription to a credit monitoring service because the servicing center my mortgage company uses was hacked. I didn’t know this other company existed. So the point I’m trying to make is that your information gets shared with companies, regardless of whether you remember signing up for them or not.

I now have 208 email addresses, and counting

Yes, you read that right. It’s actually more than that because I still have a few old email accounts lying around. The 208 number is the number of email aliases I have sending email to just one specific email address, and that email address is never going to be shared with anyone.

I use SimpleLogin to manage my email aliases

What does this all mean? It’s actually pretty simple. Let me explain. When I sign up for a website, I create a new email alias for that site. I randomize a portion of it and make the other portion memorable. For example, I might sign up for a new Cafe Press account with the email alias cafepress.morriston@aleeas.com (this is not my real address for Cafe Press, nor is it a real email address, it’s an example only so there’s no need to spam it). Then, when it’s time to create another account, say there’s a deal on Daily Steals that I might want, I will create a new alias following a similar pattern.

Why even use a random portion instead of just cafepress@aleeas.com? Glad you asked! There are two main reasons, and a few others that I won’t get into. First and foremost, a lot of companies won’t let you actually sign up with that OR your email provider will detect it as spam. I tried changing my Epic Games email to epic@ and it kept getting rejected. Finally I changed to something in that format and it worked right away. Secondly, I have a flipboard@ email alias I used for a company called Flipboard, and it constantly got put into spam, but once I changed to adding something at the end, presto!

Is there an easy way to manage this? It sounds complicated.

Absolutely. I use SimpleLogin, and it’s super easy. The most difficult part is changing your email address on all of the sites. Yes, I’ve logged in and changed my email address on 208 accounts. You don’t have to go this extreme, but I certainly do recommend it. There are other ways to do this as well. Here are a few of the services that I’ve read about that do something similar:

Apple’s built-in Hide My Email: This is free if you already have an iCloud+ account. It works great if you’ve got an iPhone or iPad, where it’s built right in. On your Mac, you can use the Safari browser to sign up, and it’s right there in any field.

AnonAddy: Very similar to SimpleLogin.

33Mail: Again, very similar, but it’s not open source and requires the use of their domains.

Firefox Relay: Again, very similar but you have to use their domain.

You can make these temporary if you’d like!

Let’s say there’s a site that offers a deal just to new customers. You want that sweet 40% discount, but you find out that you ordered something 5 years ago, so you don’t get to partake. Well, now you can create a new email address, sign up for a new account, and then just delete that email after your order goes through.

Or maybe, you want to get that awesome free PDF about weight loss but in order to get it, you have to give them your email. We’ve all done those, right? Well now, you create a new email address, get the PDF, and delete that email. It’s like it never existed.

So how’s it all actually, you know, work?

It’s actually way easier than it sounds. I’ll lay it out as easy as possible.

  1. Sign up for an account at one of the services, or use the built in service on your Apple products. Keep in mind, some of these services are free and others are paid. I use SimpleLogin, and it’s a paid service. Remember, if it’s free, you are the product.
  2. You’ll have to set up your real email address with that service. This way, the service can forward your emails to you. By “set up” I just mean give it to them and you confirm the email that’s sent.
  3. Download their extension or app. I have SimpleLogin’s Firefox extension on both of my computers, and I have the app on my phone.
  4. When you sign up for a new service, instead of giving your real email, click the generated email that comes with the extension (see screenshots below).
  5. That’s it. Really. You’ll get the emails into your inbox, but with added security.

All I have to do is nothing. Just leave the generated email address.

So as you can see above, when I went to sign up for a new account on AllRecipes, I used SimpleLogin’s browser extension to generate a brand new email address for me. After that, I’ll generate a super secure password (hint: use the guide I made last week on password security) and I’ll be incredibly secure.

Why should I do this, anyway?

Let’s use the example above. I create a new email account at AllRecipes and everything is going great. A few months later, they get hacked and my email address is exposed, and someone malicious puts me on 10,000 mailing lists.

I just go into the SimpleLogin dashboard and remove that email address. I now no longer receive emails to it.

I’ll use a different scenario. You sign up to a credit monitoring website with a unique email address. A few months later all of a sudden you’re getting emails from some random company about home loans. You can determine that your credit monitoring service sold your details to this other company, because they were the only ones that knew your email address, and now you can take whatever kind of action you’d need. Pretty handy, right?
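The attribution check from the scenario above, as an added example that is not part of the original post: each alias is recorded against the one site it was given to, and any message arriving at that alias from a different sender domain is flagged. The alias registry, the `.example` domains, and the assumption that `To` (or `Delivered-To`) still carries the alias and `From` carries the original sender are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: alias -> domain of the only site that was given it.
ALIASES = {
    "allrecipes.harbor@alias.example": "allrecipes.example",
    "creditwatch.maple@alias.example": "creditwatch.example",
}

# Constructed raw messages, as they might arrive at two of the aliases.
SAMPLE = [
    "From: Picks <news@mail.allrecipes.example>\n"
    "To: allrecipes.harbor@alias.example\nSubject: Weekly picks\n\nbody",
    "From: Loans <offers@homeloans.example>\n"
    "To: creditwatch.maple@alias.example\nSubject: Low rates\n\nbody",
]

def registrable(domain):
    """Crude last-two-labels match; enough here, wrong for co.uk-style suffixes."""
    return ".".join(domain.lower().split(".")[-2:])

def attribute(raw_message):
    """Return (alias, issued_to, sender_domain, verdict) for one raw message."""
    msg = message_from_string(raw_message)
    alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    # From is sender-controlled, so "expected" means "consistent", not "authentic".
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    issued_to = ALIASES.get(alias)
    if issued_to is None:
        verdict = "unknown-alias"
    elif registrable(sender_domain) == registrable(issued_to):
        verdict = "expected"
    else:
        verdict = "shared-or-leaked"
    return alias, issued_to, sender_domain, verdict

if __name__ == "__main__":
    for raw in SAMPLE:
        print(attribute(raw))
```

A "shared-or-leaked" verdict tells you which alias to disable and which company to ask about it; it cannot by itself distinguish a sale of your data from a breach.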

The last reason I’ll give you is that this technique makes it really easy to organize your inbox so you’re only bothered by the important emails. I’ll go into this in a separate guide on how I maintain inbox zero daily just by using a simple method (that’s mostly outlined in this guide you’re reading) by using different email addresses.

Can’t I just use my email provider’s built in aliases?

You could, yes. But I think it’s better not to. For the savvy, Gmail, along with most other email services, allows you to add a plus sign to your email to do whatever you’d like. The scenarios above, where you’re signing up for a new account, might just work this way too. So as an example, you might use myrealemail+allrecipes@gmail.com as your email address. There are two problems with this.

  1. It’s really easy to remove that plus sign from a huge list of accounts to just get your real email address.
  2. Many websites block the plus character because it’s used to create many accounts.
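Both problems can be checked against your own address list. This is an added example, not code from the original post: it groups addresses by the mailbox left after removing a plus tag, and tests them against a signup-form pattern that disallows `+`. The `STRICT_FORM` pattern, the sample addresses and the `.example` domains are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical signup-form rule: only these characters allowed before the @.
STRICT_FORM = re.compile(r"^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,}$", re.I)

def canonical(address):
    """Drop a +tag from the local part, leaving the underlying mailbox."""
    local, _, domain = address.lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def linked_identities(records):
    """Group (site, address) pairs by canonical mailbox; keep groups on >1 site."""
    groups = defaultdict(set)
    for site, address in records:
        groups[canonical(address)].add(site)
    return {box: sorted(sites) for box, sites in groups.items() if len(sites) > 1}

def rejected_by_strict_form(records):
    """Addresses that a form using STRICT_FORM would refuse at signup."""
    return [addr for _, addr in records if not STRICT_FORM.match(addr)]

# Constructed sample data: the same three signups done both ways.
PLUS_STYLE = [
    ("allrecipes", "myrealemail+allrecipes@mail.example"),
    ("cafepress", "myrealemail+cafepress@mail.example"),
    ("flipboard", "myrealemail+flipboard@mail.example"),
]
ALIAS_STYLE = [
    ("allrecipes", "allrecipes.harbor@alias.example"),
    ("cafepress", "cafepress.morriston@alias.example"),
    ("flipboard", "flipboard.willow@alias.example"),
]

if __name__ == "__main__":
    print("plus-style linked:", linked_identities(PLUS_STYLE))
    print("alias-style linked:", linked_identities(ALIAS_STYLE))
    print("plus-style rejected:", rejected_by_strict_form(PLUS_STYLE))
```

The plus-style signups collapse to a single mailbox shared by all three sites and are all refused by the strict form, while the per-site aliases stay unlinked and pass.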

Should I use my own domain or one of the built in ones?

So, you’re taking the leap and you’ve noticed that you’ve got a few options. Option one is to use one of their domains. Many of the alias providers give a few free ones you can use, with the option of getting your own domain. I chose to get my own domain, and I’ll tell you why. I use SimpleLogin, and it’s slightly possible that at some point, their service could shut down. Sites shut down all the time. If I own the domain, it’s easy for me to just import that list of 208 domains to another provider and I’m back up and running in just a few minutes.

If I had used the free ones, I’m basically “stuck” on the service until I manually change email by email. Additionally, perhaps next year AnonAddy releases a feature that is a must-have and SimpleLogin doesn’t have it. Since I own my own domain for my email, it makes it really simple for me to just start using AnonAddy instead, by exporting my list and importing it to the new service. So the tl;dr on that is portability. I can take my email addresses to any service this way. This only adds $10-15 per year, so why not?

Next Steps

Hopefully, you’ll understand why you would want to hide your email from websites. I personally went this route: purchase two domains. Domain 1 is the “alias” domain and domain 2 is my “real email” domain. From here, I connected them using the steps mentioned in this guide, and I have given absolutely nobody my “real” email address. I have created a handful of “real looking” emails, such as personal@aliasdomain.com and hello@aliasdomain.com and if someone needs my email, I give those. Otherwise, when I sign up, I use a generated one.

The most painful part about all of this is going into your existing accounts and changing your email. Since you’re using a password manager like I told you to (right?) it shouldn’t be too difficult to log in to your account, click on your profile, and update your email address. If you don’t have a secure password, now’s your time to do that as well. Do this for every site, and continue doing it while signing up for new ones, and in no time at all, you’ll be