
Will a Hacked Website Leak My Email Address?

Question: If a website is hacked (e.g. Walmart), can the hackers get my email address even if they cannot crack my password, which is 12 alpha-numeric characters?

It really, and I do mean really, depends on the specific nature of the hack.

But the short answer is yes, it’s very likely your email address will be leaked as part of any significant hack or breach.

And that has nothing to do with the strength of your password.

But what happens next absolutely does.


Types of hacks

There are as many different types of hacks as there are people hacking, I suppose. What’s relevant is that not all hacks cause the same kind of damage, or leak the same kind of data — if data is even leaked at all.

I’ll use Ask Leo! (askleo.com) as my example, but the concepts apply to just about any website on which you can make purchases or have an account in order to access services. That includes retail sites (like Walmart), online services (like your email provider), government sites, or others.

One type of hack attempts to use my server to send spam, making it look like it came from me long enough to be delivered to recipients who trust me. Another might be to hack my website so each time you visit the site, malware downloads onto your machine. A third might try to place software on my webpages so your computer would mine cryptocurrency for the hackers when you view an Ask Leo! page.

In each of those cases, the hackers have no interest in the data I keep. They’re not stealing anything. They’re hacking for other reasons.

So, no, they won’t get your email address, because that’s not what they’re after.

Breaches

So-called data “breaches” are the hacks that make the news. These happen when a hacker successfully penetrates a website’s security to steal its database of users. For Ask Leo!, that might mean snagging the database of registered users or individuals who’ve made purchases here. [1]

And, yes, absolutely, that would include email addresses. Indeed, they would likely be the primary goal to enable further mischief ranging from spam to targeted phishing attacks to hacking other services that might use them as your identifier.

Whenever you hear about a breach, email addresses are almost always one of the items on the list.

Breaches and passwords

The fact that your password is strong is a good thing, but it’s not going to protect your email address from being exposed, because that’s not what a password is used for. While there are ways of securing user account databases so the passwords are, themselves, encrypted, that would be done using a password or technique known only to the service. [2]

Your password simply confirms that you are you when you use the service.

That’s why having strong passwords is critical. After a breach, the hackers know your email address and that you use this service. Your secure password prevents them from impersonating you or hacking into your specific account.

But it won’t keep knowledge of your email address any more or less secure.
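To make the point above concrete, here is an added illustration in Python (not code from Ask Leo! or any real site) of a minimal account table in which the email is stored as readable text and the password only as a salted, slow hash. The field names, the sample users and the choice of PBKDF2 with this iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> str:
    """Derive a slow, salted hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def create_account(email: str, password: str) -> dict:
    """Build one row of a hypothetical user table."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt.hex(), "pw_hash": hash_password(password, salt)}


def check_login(row: dict, attempt: str) -> bool:
    """The password's only job: confirm the person logging in is the owner."""
    expected = hash_password(attempt, bytes.fromhex(row["salt"]))
    return hmac.compare_digest(expected, row["pw_hash"])


def readable_from_dump(table: list) -> list:
    """Fields anyone holding a copy of the table can read with no guessing."""
    return [row["email"] for row in table]


# Constructed sample users: one strong 12-character password, one weak one.
USERS = [
    create_account("alice@example.com", "q7Rk2mXw9LtB"),
    create_account("bob@example.com", "password1"),
]

if __name__ == "__main__":
    print("Readable after a breach:", readable_from_dump(USERS))
    print("Wrong guess accepted?  ", check_login(USERS[0], "letmein"))
    print("Owner accepted?        ", check_login(USERS[0], "q7Rk2mXw9LtB"))
```

Both email addresses come back from the copied table regardless of how strong each password is; the password strength only affects whether someone can get past `check_login`.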

When breaches happen

I’ve mentioned it before: you might consider signing up for Have I Been Pwned?, a free service that will alert you if your email address appears in one of the large-scale data breaches we hear about from time to time.

When (sadly, not if) that happens, you’ll want to change your password on whatever service the breach occurred, for an additional layer of safety. Technically, if everyone has done the right thing — you had a good strong password to begin with, and the service did a proper job of storing it securely — you wouldn’t need to. But since we can’t know how the service stored your password, it’s still important to change it just in case.

If you use the same password on other services, it is important to run around and change the passwords there as well. Never use the same password for different accounts, because hackers will try all the various passwords they’ve discovered in the past.

But the bottom line is that, yes, your email address will likely be uncovered should a breach happen.


Footnotes & references

1: For the record, I don’t keep credit card information myself. A hack of Ask Leo!, were it ever to happen, would not expose that kind of information.

2: In practice, this is done rarely. It’s assumed that your email address is no secret, as people need to know it in order to reach you. Encrypting that information adds complexity and cost to the entire account management process.

3 comments on “Will a Hacked Website Leak My Email Address?”

  1. Of equal importance to me are these businesses (even retail bricks and mortar businesses) who insist on keeping your credit card number in their computer. There is no need to keep my credit card number in your computer, once you settle with the bank. Large businesses (Home Depot, for example) settle every night. Small business might settle every 1 to 7 days. Once you’ve settled with the bank, you’ve got your money. There is no need for you to keep a record of my credit card number because the transaction is completed.

    And after they grab the email addresses (like Leo says), they then grab the credit card numbers.

    The retailers try to “sell” you on the fact that they can process a refund much faster. But really, how much longer does it take for me to pull out my credit card and stick it in the machine to get a refund? I’ve got the 30 seconds that it takes to do that. The security of my credit card number is way more important than 30 seconds of my time.

  2. Regarding Breaches, they are usually referred to as Hacking done by hackers. That sounds exciting in news media.

    But actually, many of the major ones could more accurately be referred to as ‘insider corruption’.
    The large company had an employee or contractor working there, who had access to their database of customer data*. And this employee made a copy of that database (like on a thumb drive), and carried it home (like in their pocket), and then sold it. Certain employees really do need access to this data, to do their jobs. But most do not, and internal data security should restrict access by any other, non-authorized workers. But often, it does not, or not well enough.

    *This is why good companies do not, and should not, store your credit card numbers in their customer database. It just makes it that much more valuable a target for either hackers or a corrupted employee. Might have been useful as a convenience for your customer back when, but now most browsers have options to allow them to remember & auto-fill this info, from data stored only on your local machine. That’s much safer; you don’t have to depend on the data safety practices of any company you buy from.

  3. We have never used our actual email address for anything.

    Our ISP allows “throwaway” addresses, and we make use of that. Every entity we deal with has a unique email address for us, and all messages filter to our Inbox as normal.

    When / if these attacks occur we can easily delete the email address so we will not receive whatever nefarious messages they send out.

    I agree with James and Tim, it simply does not make sense to me to allow a company to store a credit card number on their server. Also, many Credit Card companies allow you to generate a different number that is attached to your credit card account. Stealing that number from a website is worthless as the number is single use.

