There’s a good chance you haven’t been hacked at all.
How can I say that? Simple: it happens to me all the time.
All. The. Time.
Become a Patron of Ask Leo! and go ad-free!
With only an email address
Anyone with a public-facing email address — like, say, email@example.com — has this problem. Anyone with an email address that is easily mis-typed does, too.
People use it to sign up for things. It could be as simple as newsletters or as complex as online games and services, and I suppose it could be as jarring as an online store.
This is why email opt-in confirmation is so important: to confirm you actually want what you’ve been signed up for.
The majority of the notifications I receive are exactly that: requests that I confirm a subscription or confirm the validity of my email address. They ask me to click a link to do so. Needless to say, I don’t click the link.
Occasionally, I’ll start getting an unwanted newsletter or periodic notification. These are from sites and services that don’t do those opt-in confirmations. I mark those as spam, because that’s exactly what they are. That an otherwise reputable newsletter allowed someone to sign me up for something I didn’t want remains their fault. I don’t know that they’re reputable (lack of email confirmation is one indication they may not be), so I’m certainly not going to click on an unsubscribe link; that could make things worse if they are a spammer.
On at least a couple of occasions, I’ve received messages requesting that I authorize my child to access some game or website. I have no children. Some child probably used my email address in place of the email address of their parent in the hopes that I’d say “OK”. I don’t. I ignore those emails.
And on rare occasions, I get notification of an order being completed or shipped that I never placed. Without email confirmation, that looks very much like spam, and I mark it as such.
An email address is all they have
That last one might make some people nervous. Some kind of online order had been placed using my email address.
But that’s all they had. They don’t have my credit card number, for example.1 In fact, they don’t have anything that really matters. At worst, they have my name and email address. As do you:
Leo A. Notenboom <firstname.lastname@example.org>
It’s public information. It’s how people reach me.2
That I get spam on it is no surprise at all.
What to do about it
The short answer is: expect it, ignore it, and move on with your life.
As long as there’s no financial or other commitment incurred (if there is, talk to your credit card company about fraud), there’s really nothing worth doing. It’s not likely you’ve been as exposed as you seem to feel you have been.
Particularly if it’s just limited to email notifications, ignore, or mark spam as spam, and carry on.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,
Footnotes & References
1: If it was a spammer, they would not alert me to its use by causing email to get sent to me; they’d hide their use as long as possible.
2: Since that email address is posted publicly, it gets a higher-than-average amount of spam and other “stuff”. As a result, it’s processed by my assistant as well as spam filters. I have personal email address(es) that don’t get the same visibility, but still experience a lower level of the various things discussed in this article.