Howdy, all.

I submitted a report via the "contact us" mechanism and it was suggested I 'share my experience' here.

I recently received some spam to my flyertalk email address. Like some of the other reporters, I have an email address that uses address extensions so that it's specific to the site it's registered with, and not used elsewhere. Additionally, I use my own domain for email.

I'll leave the details out of this post, but suffice to say that my email address would not have been selected algorithmically; and it's certainly not used elsewhere. If it was disclosed to spammers, it was either as a result of flyertalk's owners (as some suggested earlier in the thread), or some sort of compromise/scraping of the site.

I don't care so much about the fact that I'm getting spam; part of the point of using per-domain emails is that I can easily block it; the reason I reached out via "contact" is the first place is in the belief that it's more likely a site compromise of some sort rather than intentional disclosure.


n.b., I have no reason to believe it'd be moderators scraping, but please don't be insulted when I point out it's technically possible. I think it's more likely that an account was compromised, the application has vulnerabilities like cross-site scripting or SQL injection, or a system-level compromised occurred.

n.b.b., My email address was certainly not generated algorithmically like one respondent suggested. It consists of a username, a non-standard address extension character, the target domain (flyertalk), all at my own personal domain. There is nobody else that uses my domain on flyertalk, and nobody that has my address part on another domain.

- Patrick