A Stranger Used My Email

To sign up to online services… again

Aulia Masna
On Advertising
4 min read · Aug 11, 2016

I woke up very early in the morning today to find out that I received a password reset request for one of my email addresses.

There was a time when this was almost a regular occurrence and I had to go change my password almost on a weekly basis, but I haven’t received such an email in a while so I decided to check that other email. Luckily it hasn’t been breached and the protective measures in place seem to have worked to stop that from happening. But that wouldn’t stop them from using my email to sign up to whatever they want to sign up for. Sure enough, I saw a number of emails addressed to a person who I presume to be the one who tried to reset my password. Two of the emails happen to be from Grab and Uber.

Upon checking Grab’s website from my phone, I saw no way for me to log in without entering the associated phone number, so I left it alone for the moment. With Uber, the login page asked for the associated phone number or email address. This, I figured, was my entrance so I put in my email address and asked for a password reset, which immediately showed up in my email. I also found out this person had added his phone number so I changed it to one of mine. This would block anyone else trying to log in to the account which was made using my address. Unfortunately I forgot to take note of the phone number before changing it. It might have been useful for me to log in to the Grab account. Then again, it isn’t. I’ll explain later.

Along the way I kept thinking about whether I should delete both the Uber and Grab accounts that use that email because I’m already signed up to both services with a different one. I’ve had my email addresses used by strangers to sign up to a number of services before, such as Twitter, Facebook, Instagram, Flipagram, Deezer, Musixmatch, etc., so this wasn’t anything new to me but it’s still something I’ve had to deal with. In many cases I’ve managed to take over the accounts and delete them but some services offer no way to do it.

Thanks to having more than one phone and phone number, I didn’t have to sign out of my Uber app on my main phone. I have an Uber app on another phone which I can use to log in to this other account. Having taken control of the new account, I decided I was going to delete it but unfortunately the Uber Riders account page does not offer that option. Apparently once you’re signed up to Uber you’re signed up for life. So now I have two Uber accounts.

What about the Uber Driver profile, did the person try to make an account there too? Apparently not, because there was no driver profile associated with my email address. Also, it turns out that now you can sign up to Uber without entering your credit or debit card details because there was no card linked to the account I just took over.

With Grab, however, the login page only accepts your phone number, no email, and it doesn’t actually let people log in from the web. Once you enter your phone number on the website, it will send a PIN to the Grab app on your phone for you to log in from the app. While this is arguably a more secure method, it doesn’t cater for my situation. At this point I was left with just one option, to send an email to Grab’s customer support asking them to remove the offending account. Or at least remove my email address. Now I’m waiting for their response.

This whole episode got me thinking. Why would a company not allow people to delete their accounts? What would they gain from a dormant one? It may contribute to the number of accounts or users they usually brag about but it adds nothing to the metrics that matter such as usage, or more importantly, revenue. Maybe they’re hoping the person would use it someday for whatever reason?

When it comes to account recovery, why would you only allow a single way to sign in? What if a person had lost their mobile phone and number and needs to sign in from a different device?

Third, and lastly, why would anyone, short of malice, use an email address that not only doesn’t belong to them but contains no part of their name? Why would, for example, a person named Jay Jonah Jameson try to sign up to an online service using the email address stever@avengers.com? Again, short of malice or prank. They’re not gonna get any use out of it nor would they be able to even access that email. I get it if it were a typo but this is a completely different email address with someone else’s name on it.

Aulia Masna
On Advertising

I used to write about tech and startups in Southeast Asia.