One of the biggest security problems we run into on the Internet is having our data exposed by a website. These data breaches can become serious precisely because the data ends up in other hands.
Until someone comes up with something better, the way to register on a site is with an email address. The email address therefore identifies you, or at least identifies you to that website; it is literally the channel the site uses to talk to you.
We register on many sites, but we hardly ever delete those accounts. The problem is that the sites we trust not to leak our data sometimes do. The data can leak in several ways:
- Criminals break into the website's database and copy it, and one of the fields in that copy is the email address.
- The site, directly or indirectly, sells the information it holds to third parties. It is not the norm, but it happens, and when it does the site obviously isn't going to announce it.
In this article I'm going to show how these breaches can be used to investigate, with nothing more than an email address, how accounts can be accessed on the sites that leaked that address.
Fake email account to fight spam
We can use a throwaway email account so that none of our own data is exposed. The site mailinator.com provides public mailboxes where you can read the messages sent by the many websites on which people like you and me have registered without wanting to hand over their real address.
We will use the mailbox of a very common English name, john, so the address will be email@example.com. In the URL https://www.mailinator.com/v4/public/inboxes.jsp?to=john you can change the final part to any name to go straight into that public mailbox. If you put peter you will see peter's mailbox, and so on.
This is the address we will use for our investigation. That mailbox sees a lot of traffic: a lot of people give out that address on countless sites, so you will find plenty of spam in it, as Fig. 1 shows. Spam is not the only thing there; you will also see plenty of malware, so tread carefully and don't click on links. Would you click the links in the emails in your own spam folder?
Looking for security breaches
According to haveibeenpwned this email address has been compromised 98 times, as Fig. 2 shows. Is that some kind of record? It means 98 websites have had their database copied, that address was in it, and it has been leaked online.
In this case, since the address belongs to a public mailbox, it doesn't matter much. It isn't your data; it's the data of a john account in a public mailbox. If the address reaches a spammer, the spam goes to that public mailbox and dies there.
Regaining access to a website
Well, since we know that address has been leaked 98 times and we have access to the public mailbox for that same address, we can take over the account on any of those sites: there is a wonderful button that says HAVE YOU FORGOTTEN YOUR PASSWORD?, and the email with the reset link or code lands in the public mailbox we are watching.
Let's take Canva as an example. In May 2019 the graphic design site Canva suffered a breach that affected 137 million users. The data exposed included email addresses, geographic locations, names, passwords (hashed, i.e. a fingerprint of the password rather than the password itself) and usernames.
We know there is a Canva account for firstname.lastname@example.org. However, we don't know its password. On the login page there is a button to recover the password.
Click on it and enter the address email@example.com.
Now we go to the Mailinator public mailbox to read the password reset message, and enter the numeric code it contains on the Canva page to recover the account.
We set a new password and now have access to the Canva profile associated with the email address that Canva leaked, firstname.lastname@example.org.
Accessing a Canva account that isn't yours
Now that we have access to the Canva account we can see what other people have done. You can check it at https://www.canva.com/folder/all-designs. It is interesting to see other people's work, shown in Fig. 7.
You can see what others who used the address email@example.com did before you. Someone who is not you created designs on Canva that you can now view and edit.
Anyone can reset an exposed account
Since it is a public mailbox, anyone can reset the password for that same account. I changed the Canva password, but if someone follows the same steps in the future they will be able to change the password to whatever they want.
The reason for using these public mailboxes is that your own data is not exposed. And if something is exposed, it is data in a public mailbox, and the spam goes to that same public mailbox. It does not affect you and your data stays safe. The flip side is that anything you register with that address is just as open to everyone else who reads the mailbox.
You can reset any account that someone created before you on any other website, because you have access, like everyone else, to that public mailbox. All of this was possible because the email address was leaked online, and the Canva account still exists and can be reset as many times as anyone wants.
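Seen from the website's side, the lesson of this section is that an account registered with a public mailbox address can be taken over by anyone who completes the reset flow. As an added example (my own code, not the article's and not Canva's or Mailinator's), the following Python audits a list of account email addresses and flags the ones whose domain is a public mailbox provider, and applies the same test as a gate on password reset requests. Only mailinator.com comes from the article; the other provider domains are an assumed illustrative list, and the sample addresses are constructed.

```python
"""Flag accounts whose email lives in a public mailbox (added example, not from the article)."""
import re
from dataclasses import dataclass

# mailinator.com is the provider discussed in the article; the other entries are an
# assumed, illustrative list of public/disposable inbox providers, not an authoritative one.
PUBLIC_MAILBOX_DOMAINS = {
    "mailinator.com",
    "guerrillamail.com",
    "yopmail.com",
    "10minutemail.com",
}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(address):
    """Lower-case the address, trim whitespace and drop a '+tag' from the local part,
    so that 'John+design@MAILINATOR.com' and 'john@mailinator.com' compare equal."""
    address = address.strip().lower()
    if not _EMAIL_RE.match(address):
        raise ValueError(f"not an email address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def is_public_mailbox(address, domains=PUBLIC_MAILBOX_DOMAINS):
    """True if the address's domain, or any parent domain of it, is a public mailbox
    provider. 'bob@mail.yopmail.com' matches 'yopmail.com'; 'notmailinator.com' does not."""
    domain = normalize(address).rsplit("@", 1)[1]
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


@dataclass
class Finding:
    address: str
    reason: str


def audit_accounts(addresses, domains=PUBLIC_MAILBOX_DOMAINS):
    """Return a Finding for every address that anyone could take over via password reset,
    plus one for every address that does not parse (those deserve a look too)."""
    findings = []
    for raw in addresses:
        try:
            addr = normalize(raw)
        except ValueError:
            findings.append(Finding(raw, "unparseable address"))
            continue
        if is_public_mailbox(addr, domains):
            findings.append(Finding(addr, "public mailbox: reset email readable by anyone"))
    return findings


def reset_policy(address, domains=PUBLIC_MAILBOX_DOMAINS):
    """Decision for a password reset request: 'deny' when the reset email would land in a
    public inbox, otherwise 'allow'. A real handler would still rate-limit and log."""
    try:
        return "deny" if is_public_mailbox(address, domains) else "allow"
    except ValueError:
        return "deny"


# Constructed sample of addresses as they might appear in a leaked user table.
SAMPLE_ACCOUNTS = [
    "peter@mailinator.com",
    "John+design@MAILINATOR.com ",
    "peter@notmailinator.com",
    "alice@corp.example",
    "bob@mail.yopmail.com",
    "broken-address",
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{finding.address}: {finding.reason}")
    print("reset for alice@corp.example:", reset_policy("alice@corp.example"))
```

The same check belongs at registration time, not only at reset time: an account that was never allowed to exist with a public mailbox address never has to be recovered from one. Matching parent domains and stripping plus tags matters because a bare string comparison against `mailinator.com` is trivially bypassed with a subdomain or a `+tag`.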
Data breaches are therefore a serious Internet security problem today. Your data is yours, and it is not a good idea to hand it out freely. We register on a website with our email address, and we practically never delete that account.
Public mailboxes are a useful way to study how spam works and how information leaks. We hand our data to other websites and assume it won't leak, but the Internet is not a fairy tale: email addresses leak every day, so it is important to use temporary or disposable addresses for sites that don't matter. Using public mailboxes is another way to protect our data, as long as nothing you care about is registered with them. If you protect your data, it is much harder for someone to attack you with it.