Two accounts were opened using my email address, now what?
September 19, 2015 10:25 PM Subscribe
Two days apart, while on vacation, I received gmail welcoming me to Instagram, then Uber, both of which I do not have accounts with. Should I assume that my gmail was compromised, and if so, what should I do besides change my gmail password and monitor my credit?
The reason I don't think this was just someone fat fingering my email address is that both accounts were started without me even receiving the typical verification emails. Did a malicious process delete those? Upon receiving the emails, I did not follow any links contained therein. Here are the steps I took:
• Changed my gmail password.
• Visited uber.com and instagram.com and hit the "forgot password" links for that email address.
• Logged back into those sites and reset the passwords.
• As I poked around the Uber account, I noticed a name (not mine) and a credit card (also not mine) and no other information.
• The Instagram account had no activity.
• I clicked on the Instagram link that said something like "This account was opened by mistake. Delete Account"
• Uber did not offer a way to delete the account. Apparently I can now ride anywhere I want on someone else's credit card?
Other pertinent details
• I have had two-factor authentication for gmail for several years, and my phone has not left my possession.
• So far no other suspicious activity on credit cards or other accounts.
My questions are:
1. What is going on here?
2. What else should I be doing to prevent further fraud if this is fraud?
3. How likely is it that someone now has all my gmail data?
4. Is it still possible that is this not fraud at all, but some weird coincidence where Uber and Instagram didn't require verification emails? Or maybe someone had set up an account already and accidentally changed the email addresses to mine? Or something else?
The reason I don't think this was just someone fat fingering my email address is that both accounts were started without me even receiving the typical verification emails. Did a malicious process delete those? Upon receiving the emails, I did not follow any links contained therein. Here are the steps I took:
• Changed my gmail password.
• Visited uber.com and instagram.com and hit the "forgot password" links for that email address.
• Logged back into those sites and reset the passwords.
• As I poked around the Uber account, I noticed a name (not mine) and a credit card (also not mine) and no other information.
• The Instagram account had no activity.
• I clicked on the Instagram link that said something like "This account was opened by mistake. Delete Account"
• Uber did not offer a way to delete the account. Apparently I can now ride anywhere I want on someone else's credit card?
Other pertinent details
• I have had two-factor authentication for gmail for several years, and my phone has not left my possession.
• So far no other suspicious activity on credit cards or other accounts.
My questions are:
1. What is going on here?
2. What else should I be doing to prevent further fraud if this is fraud?
3. How likely is it that someone now has all my gmail data?
4. Is it still possible that is this not fraud at all, but some weird coincidence where Uber and Instagram didn't require verification emails? Or maybe someone had set up an account already and accidentally changed the email addresses to mine? Or something else?
Best answer: I also had an Uber account started using my email. I contacted Uber directly, and they verified this happened, and deleted the account.
I have a lot of accounts set up for various services often under one of my email addresses, and honestly think its someone being lazy - not a typo so much as an error.
Surprisingly, there are a lot of services that allow you to get an account set up without verifying the email address, though usually services are limited until you do verify (Ebay is another well know one).
posted by Unsomnambulist at 10:37 PM on September 19, 2015 [2 favorites]
I have a lot of accounts set up for various services often under one of my email addresses, and honestly think its someone being lazy - not a typo so much as an error.
Surprisingly, there are a lot of services that allow you to get an account set up without verifying the email address, though usually services are limited until you do verify (Ebay is another well know one).
posted by Unsomnambulist at 10:37 PM on September 19, 2015 [2 favorites]
Best answer: Since you have two-step authentication enabled, it is extremely unlikely that your email address has been compromised.
posted by alligatorman at 10:38 PM on September 19, 2015 [2 favorites]
posted by alligatorman at 10:38 PM on September 19, 2015 [2 favorites]
Best answer: This happens to me constantly. It's just that way too many sites don't have double opt-in/e-mail verification, which ... makes me incandescently furious. Your email is probably fine; these companies are just shitty and more interested in maybe having a couple more customers than in protecting their users.
posted by wintersweet at 10:39 PM on September 19, 2015 [4 favorites]
posted by wintersweet at 10:39 PM on September 19, 2015 [4 favorites]
This has happened to me as well, and it is definitely just people who don't know their own email address. Nothing to worry about.
posted by joan_holloway at 10:48 PM on September 19, 2015 [5 favorites]
posted by joan_holloway at 10:48 PM on September 19, 2015 [5 favorites]
I recently signed up for Uber and used it on the spot with no verification required. I'm guessing this is what happened to you.
Prior to changing my name post-marriage, I had an extremely common name (even my first-middle-last name combo was exceptionally common, apparently). This used to happen to me with email all the time. And once caused problems with a government background check for clearance -- I mean, really, what are the odds that there are two women born in the same month with the same first-middle-last names who went to the same college at the same time, had the same hair-skin-eye color combo, and both dated (different) men with similar names who worked at the same place? Our campus email addresses were even one digit off from each other, and our personal email accounts were extremely similar. Oddly enough, I'd never met her. She'd had a DUI, and I hadn't, but some search engine trigger got flagged. It took three months to sort out.
Email presence is weird. I wouldn't give it much thought.
posted by erst at 11:31 PM on September 19, 2015 [1 favorite]
Prior to changing my name post-marriage, I had an extremely common name (even my first-middle-last name combo was exceptionally common, apparently). This used to happen to me with email all the time. And once caused problems with a government background check for clearance -- I mean, really, what are the odds that there are two women born in the same month with the same first-middle-last names who went to the same college at the same time, had the same hair-skin-eye color combo, and both dated (different) men with similar names who worked at the same place? Our campus email addresses were even one digit off from each other, and our personal email accounts were extremely similar. Oddly enough, I'd never met her. She'd had a DUI, and I hadn't, but some search engine trigger got flagged. It took three months to sort out.
Email presence is weird. I wouldn't give it much thought.
posted by erst at 11:31 PM on September 19, 2015 [1 favorite]
I have a pretty common name and a very generic e-mail address and I get e-mails for other people's registrations all the time (along with their personal apologies, soccer registration forms, tax documents (!!!), ...). Usually in these situations an e-mail from me is enough to clear it up. I'd just send an e-mail to Uber/Instagram's contact team and leave it at that.
I would stay away from doing anything cute like locking out their account. It seems like a very bad idea to do anything that could be perceived as some kind of intentional mischief.
posted by en forme de poire at 12:06 AM on September 20, 2015
I would stay away from doing anything cute like locking out their account. It seems like a very bad idea to do anything that could be perceived as some kind of intentional mischief.
posted by en forme de poire at 12:06 AM on September 20, 2015
Best answer: If your email were compromised I don't expect you would still have access to it.
Why would someone take over an email account, open Uber accounts with that email, and not change the email account's password? If they can't change the password, they know the original owner can log in and muck with their Uber account. There's no benefit to them I can see.
posted by BungaDunga at 2:05 AM on September 20, 2015 [3 favorites]
Why would someone take over an email account, open Uber accounts with that email, and not change the email account's password? If they can't change the password, they know the original owner can log in and muck with their Uber account. There's no benefit to them I can see.
posted by BungaDunga at 2:05 AM on September 20, 2015 [3 favorites]
Nthing your email is fine, and someone else THINKS they have your email address. Same thing happened to me yesterday -- someone used my email address to open an account on a dating site. I just reset their password to gibberish, delete the account and move on.
posted by kimberussell at 4:30 AM on September 20, 2015
posted by kimberussell at 4:30 AM on September 20, 2015
My daughter gets this all the time because her gmail address is awesome.
It could have been worse, if they're truly stupid and set the account up on their phone then you can't even get back into the account with your own legitimate email. PayPal I'm looking at you.
Two-factor authentication makes this an annoyance rather than a risk.
posted by fullerine at 5:15 AM on September 20, 2015
It could have been worse, if they're truly stupid and set the account up on their phone then you can't even get back into the account with your own legitimate email. PayPal I'm looking at you.
Two-factor authentication makes this an annoyance rather than a risk.
posted by fullerine at 5:15 AM on September 20, 2015
Yeah, I have also had this happen... I was very confused when I got an Uber receipt for a ride in London while I was in Boston, but it turned out to be someone else's account with someone else's credit card attached; I asked Uber to remove me and they did. The other person had put in my email address, either because they didn't type their own address correctly or because they didn't want to give their email.
posted by mskyle at 6:11 AM on September 20, 2015
posted by mskyle at 6:11 AM on September 20, 2015
My husband has this kind of thing happen with some frequency, presumably because people are misentering their email as his (his has a repetition of two letters in a row). When he went to join instagram through facebook, they found that there was already an account with his email, of some woman breeding pit bulls in Virginia. It was very eerie--he instantly had access to her entire instagram account. There was no indication his email had been compromised in any way.
posted by PhoBWanKenobi at 7:43 AM on September 20, 2015 [1 favorite]
posted by PhoBWanKenobi at 7:43 AM on September 20, 2015 [1 favorite]
I just had this happen with Instagram and there was a link right in that "welcome" email that said "Let us know if this isn't your instagram account." I clicked through it and it said it disassociated my email with the new Instagram account.
posted by getawaysticks at 6:20 PM on September 20, 2015
posted by getawaysticks at 6:20 PM on September 20, 2015
This thread is closed to new comments.
Yeah, stealing their accounts is mildly mean, but you'll quickly tire of trying to do anything else. One call to Uber tech support to sort it out with a human will cure any lingering desire to be helpful.
posted by ryanrs at 10:35 PM on September 19, 2015 [22 favorites]