
Ask HN: Recourse Against Websites That Fail to Validate Sign-Up Emails? - AdmiralAsshat
My e-mail address has been used half a dozen times now to sign up for services that I did not authorize. As best I can figure, my e-mail itself has not been compromised (I review the access logs every time this happens)--more likely someone with a similar e-mail address is typing mine by mistake[0]. What seems to be happening instead is that the website sends the sign-up verification email (which I DON'T click), but then the site allows the fraudulent account to log in anyway.

This has happened even with AWS. When I called Amazon to complain, demonstrated my ownership of the email account and asked why the account was allowed to proceed even though the sign-up was never validated, the Amazon rep said that the validation email was bypassed because the owner validated a phone number instead.

I have brought the fraudulent sign-ups to the attention of several of these websites. Some of them are refusing to delete the accounts, even after I have told them that I did not authorize their creation (probably because the account owner is performing financial transactions with the sites). One in particular simply removed my e-mail from the mailing lists so that I wouldn't get any notifications about the account's activity, but revealed upon being pressed that the account still exists and is accessible.

I would like to know what, if anything, I can do in recourse. I am sick of having my e-mail used fraudulently by sites that are happy to do so as long as the account owner is throwing money at them.

I am aware that I could simply use the "Forgot My Password" option to change the password on these accounts and close them, since I own the e-mail address. However, I am loath to do this, as doing so would be implicitly acknowledging that it is my account.
======
AdmiralAsshat
[0] On at least one occasion, the verification e-mail echoed back the login
name, and I see that it was registered as foo.bar@gmail.com, while my
email is foobar@gmail.com. I am aware that gmail drops all dots in the names,
so foo.bar and foobar should ultimately go to the same inbox. But I refuse to
believe that, knowing that, gmail would have allowed foo.bar@gmail.com to have
been created in the first place as a distinct email address, so I am forced to
conclude that there must still be a typo somewhere and that the user's real
email is fooo.bar or foo.barr.
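
For sites on the receiving end of this complaint, here is a sketch of a sign-up flow that gates login on the mailed token. It is an added example, not part of the original post and not any named site's code: phone verification does not stand in for mailbox confirmation, and an unconfirmed sign-up is deleted once its link expires. `SignupService`, its method names, the in-memory store and the 24-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a verification link, in seconds

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class SignupService:
    """Hypothetical account store: an address is bound only once its owner confirms it."""
    def __init__(self, clock=time.time):
        self.clock, self.accounts = clock, {}  # accounts: email -> record

    def register(self, email, password):
        acct = self.accounts.get(email)
        if acct and acct["email_verified"]:
            raise ValueError("address already bound to a verified account")
        token, salt = secrets.token_urlsafe(32), secrets.token_bytes(16)
        self.accounts[email] = {
            "salt": salt, "pw": _kdf(password, salt),
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self.clock() + TOKEN_TTL,
            "email_verified": False, "phone_verified": False}
        return token  # sent only to the mailbox, never shown to the registrant

    def confirm_email(self, email, token):
        acct = self.accounts.get(email)
        digest = hashlib.sha256(token.encode()).digest()
        ok = bool(acct) and self.clock() <= acct["expires"] and hmac.compare_digest(
            digest, acct["token_hash"])
        if ok:
            acct["email_verified"] = True
        return ok

    def verify_phone(self, email):
        # Proves control of a phone number, not the mailbox: email_verified is untouched.
        self.accounts[email]["phone_verified"] = True

    def login(self, email, password):
        acct = self.accounts.get(email)
        if not acct or not hmac.compare_digest(_kdf(password, acct["salt"]), acct["pw"]):
            return False
        return acct["email_verified"]  # a correct password is not enough while pending

    def purge_unconfirmed(self):
        # An ignored verification mail ends with no account, not a dormant one.
        self.accounts = {e: a for e, a in self.accounts.items()
                         if a["email_verified"] or self.clock() <= a["expires"]}
```
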

