>4) Always create a separate email (or an alias) while signing up for cloud services, so you can eliminate guess work during a crisis. So, instead of signing up with example@gmail.com for Adobe or someone else, use example+adobe@gmail.com (this will redirect to example@gmail.com) or rather create adobe.example@gmail.com or something (gmail is just an example). This way, you can always trace out the right service responsible for the leakage of your details whenever something goes wrong.
Doesn't stop someone just removing the + tag on the email address.
A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam... (to things like mail@, contact@ and a whole bunch of firstnamelastname@ guesses)
> Doesn't stop someone just removing the + tag on the email address.
It won't stop spam but the biggest risk with these leaks is from automated testing of a password found from a leak on one service you use with the same email address on another. As long as you use a separate + address for both you'll be safe as they are unlikely to automate testing of different + addresses since most users don't do that.
> A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam
I forward my catch all domain emails to gmail. I hardly get any spam now except to leaked addresses which I've filtered to add bright red labels so I can ignore them.
Is it too much of a reach to assume that any half-talented identity thief or exposed-user-list-scammer might be smart enough to know about rfc5233, and would write hs scripts/bots to automatically try the obvious variations of an email address of the form localpart+tag@example.com?
If I were attempting to exploit the Adobe list, every email address I saw like name+adobe@example.com, I'd try the exposed password using not just name+adobe@example.com and name@example.com, but also name+othertarget@example.com, where "othertarget" might be something like twitter, facebook, paypal - depending on where I'm attempting to misuse the exposed credential.
Not sure that's a workable solution here - you wouldn't use a trashmail address to sign up for a many hundred dollar a year subscription like Creative Cloud. It works fine for stuff you only care about for the next few hours (like maybe the vpn service you register for so you can bittorrent cs6).
>4) Always create a separate email (or an alias) while signing up for cloud services, so you can eliminate guess work during a crisis. So, instead of signing up with example@gmail.com for Adobe or someone else, use example+adobe@gmail.com (this will redirect to example@gmail.com) or rather create adobe.example@gmail.com or something (gmail is just an example). This way, you can always trace out the right service responsible for the leakage of your details whenever something goes wrong.
Doesn't stop someone just removing the + tag on the email address.
A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam... (to things like mail@, contact@ and a whole bunch of firstnamelastname@ guesses)