Sagi Kedmi

The National Security Case for Email Plus Addressing

20 Mar 2025 | 4 min read | #privacy #thoughts

How OSINT exploits password recovery flows to expose your digital identity

The humble email address was never meant to be a national security linchpin, yet in our interconnected world it has become exactly that

Discussion on X, LinkedIn, lobste.rs and r/netsec.

TL;DR

Imagine that by just knowing your email address, an attacker could compile a list of every online service you’re registered with. It sounds like a spy movie plot, but in the digital world, this is a real risk.

The humble email address was never meant to be a national security linchpin, yet it has become exactly that. Today, specialized OSINT firms and threat actors are exploiting everyday password recovery processes to map out our digital lives.

How OSINT Exploits "Forgot Password"

We’ve all seen it: you click “Forgot password?” and the site gives you a hint. “We’ve sent a code to the phone number ending in 67” or an email partially masked as j*****@gmail.com. These clues are meant to help you, but they are a goldmine for attackers.

Specialized firms like OSINT Industries automate this. They feed an email address into password reset forms on hundreds of sites to confirm account existence and gather snippets of personal data.

As security researcher Martin Vigo demonstrated at DEF CON, an attacker can piece together fragments from different sites. By combining these leaks, they can reduce the uncertainty of a target’s phone number from a billion possibilities to just a few thousand. Once they have that, targeted attacks become trivial.
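To make the arithmetic behind "a billion possibilities down to a few thousand" concrete, here is an added Python example (mine, not the author's and not any OSINT firm's tooling). It takes the hint formats that several services display on their recovery pages, works out which digit positions each one reveals, merges them, and counts how many candidate numbers remain. A site owner can put their own mask beside the common ones to see how much their hint contributes. All hint strings are constructed, and the numbers are assumed to be ten digits long.

```python
# Added example: how recovery-page hints from different services combine.
# The hint strings below are constructed and use '*' for a hidden digit;
# spaces, dashes and parentheses are formatting only. A ten-digit number
# (US-style) is a simplifying assumption.
CONSTRUCTED_HINTS = {
    "service-a": "********67",        # last two digits
    "service-b": "(***) ***-**67",    # same two digits, different formatting
    "service-c": "555-***-**67",      # area code as well
    "service-d": "***-***-1267",      # last four digits
}


def mask_to_known_digits(mask: str, length: int = 10) -> dict[int, str]:
    """Map digit position -> revealed digit for one hint string.

    Every digit or '*' consumes one position; any other character is
    treated as formatting and ignored.
    """
    known: dict[int, str] = {}
    pos = 0
    for ch in mask:
        if ch.isdigit():
            known[pos] = ch
            pos += 1
        elif ch == "*":
            pos += 1
    if pos != length:
        raise ValueError(f"hint {mask!r} describes {pos} digits, expected {length}")
    return known


def combine_hints(hints: dict[str, str], length: int = 10) -> dict[int, str]:
    """Merge the digits revealed by several services into one view.

    Two hints that disagree cannot describe the same number, so the
    conflict is reported rather than silently overwritten.
    """
    merged: dict[int, str] = {}
    for name, mask in hints.items():
        for pos, digit in mask_to_known_digits(mask, length).items():
            if merged.get(pos, digit) != digit:
                raise ValueError(f"{name} disagrees with an earlier hint at digit {pos}")
            merged[pos] = digit
    return merged


def remaining_candidates(known: dict[int, str], length: int = 10) -> int:
    """Numbers still consistent with the revealed digits. Numbering-plan
    rules (valid area codes and so on) would shrink this further."""
    return 10 ** (length - len(known))


def exposure_report(hints: dict[str, str], length: int = 10) -> dict:
    """Summarise what a set of hints jointly exposes."""
    known = combine_hints(hints, length)
    return {
        "revealed_positions": sorted(known),
        "pattern": "".join(known.get(i, "*") for i in range(length)),
        "candidates_left": remaining_candidates(known, length),
    }


if __name__ == "__main__":
    single = exposure_report({"service-a": CONSTRUCTED_HINTS["service-a"]})
    combined = exposure_report(CONSTRUCTED_HINTS)
    print("one hint :", single["pattern"], single["candidates_left"], "candidates")
    print("combined :", combined["pattern"], combined["candidates_left"], "candidates")
```

Run on the constructed hints, a single "ends in 67" hint leaves a hundred million candidates, while the four hints together pin down seven of the ten digits and leave a thousand. The lesson for a provider is that a mask is only as safe as the union of every other mask the same number appears behind, which is why the policy section below argues for revealing nothing before authentication.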

The Single Sign-On (SSO) Trap

"Sign in with Google" or Facebook logins are convenient. They also force you to use the same primary email address everywhere.

Unlike methods that generate unique identifiers, SSO leaves a consistent digital footprint. If your primary email is revealed, an attacker can easily connect the dots between your various accounts. This lack of "identity separation" is exactly what OSINT investigations look for.

Why This is a National Security Issue

The real danger here is scale and intent. Adversaries (including nation-state actors) aren’t just targeting individuals for fun. They are interested in mapping out entire networks of accounts belonging to government officials, military personnel, and key corporate executives.

An attacker can use these OSINT techniques to identify a government official’s online presence. They can then craft a highly convincing phishing attack referencing specific details, like a known partial phone number or a service the target actually uses. When applied at scale, this facilitates mass surveillance and the potential destabilization of critical infrastructure.

Email Plus Addressing

One of the simplest yet most effective ways to disrupt this is email plus addressing. Most providers, like Gmail, allow you to add a "+tag" to your address.

Instead of using your plain address for everything, you give each service its own tagged variant of it, a different "+tag" per service.

If one service leaks your data, the attacker only gets an isolated fragment. It makes it significantly harder to correlate your accounts across the web.

Taking it Further: Masked Emails

While plus addressing is great, some sites reject the "+" symbol. Sophisticated attackers can sometimes "strip" the tag. For a more advanced solution, I recommend masked email services.

Services like SimpleLogin, Firefox Relay, or DuckDuckGo’s email protection allow you to create entirely unique aliases that forward to your real inbox. To an outsider, a randomly generated alias looks completely unrelated to your other accounts.
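The plus-addressing section and the tag-stripping caveat above are easiest to see side by side in code. This is an added Python example, not the author's and not the API of any of the services named: it builds per-service plus addresses, applies the canonicalisation a correlation tool (or an ordinary duplicate-account check) uses to collapse them back to one identity, and contrasts that with a random alias in the style of a forwarding service, which the same normalisation cannot link. The base address, the alias domain and the `masked_alias` generator are constructed stand-ins.

```python
import re
import secrets

# Added example; the addresses and the alias domain used below are constructed.


def plus_alias(local: str, domain: str, tag: str) -> str:
    """Build local+tag@domain. The tag is restricted to a conservative
    character set because some sign-up forms reject anything else."""
    if not re.fullmatch(r"[a-z0-9-]{1,32}", tag):
        raise ValueError("tag must be 1-32 lowercase letters, digits or hyphens")
    return f"{local}+{tag}@{domain}"


def normalize(address: str) -> str:
    """Collapse an address to the identity behind it.

    This is the canonicalisation a correlation tool (or a duplicate-account
    check) applies: lower-case, drop everything from '+' onward in the local
    part, and for Gmail also drop dots, which Gmail ignores.
    """
    local, _, domain = address.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def masked_alias(alias_domain: str) -> str:
    """A random alias in the style of a forwarding service.

    Assumption: the provider issues opaque random local parts. This stands in
    for SimpleLogin / Firefox Relay / DuckDuckGo and is not their API.
    """
    return f"{secrets.token_hex(6)}@{alias_domain}"


def linkable(a: str, b: str) -> bool:
    """True if two addresses collapse to the same identity after normalisation."""
    return normalize(a) == normalize(b)


def demo() -> dict:
    """Constructed comparison: plus tags collapse, random aliases do not."""
    bank = plus_alias("alice", "gmail.com", "bank")
    shop = plus_alias("alice", "gmail.com", "shop")
    relay_bank = masked_alias("relay.example")
    relay_shop = masked_alias("relay.example")
    return {
        "plus_bank": bank,
        "plus_shop": shop,
        "plus_linkable": linkable(bank, shop),
        "masked_linkable": linkable(relay_bank, relay_shop),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Plus addressing still buys you something even though `normalize` undoes it: a leaked tag tells you which service leaked, and the tag can be filtered or revoked. What it does not buy is unlinkability, because the base identity is right there in the local part. The random alias has no such structure, which is why the forwarding services are the stronger option when the goal is to keep accounts from being correlated.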

A Call for Better Policy

Web providers also have a role to play. We need to standardize password recovery so it doesn't reveal identifying information until a user is properly authenticated. Implementing rate limits and making error messages uniform would go a long way in stopping automated account enumeration.
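What "uniform messages plus rate limits" looks like in a recovery handler, as an added Python example (mine, not code from the post or any named provider): a leaky handler that answers differently for known and unknown addresses and echoes a phone fragment, beside a hardened one that returns the same body either way, enforces a per-client sliding-window limit, and only ever uses the contact channel out of band. The account store, phone number and client key are constructed; the `send` callback stands in for whatever actually delivers the code.

```python
import time
from collections import defaultdict, deque

# Added example. The account store, phone number and client key are constructed.
CONSTRUCTED_USERS = {
    "alice@example.com": {"phone": "5551231267"},
}

GENERIC_RESPONSE = {
    "status": 200,
    "message": "If an account exists for that address, recovery instructions are on their way.",
}


def mask_phone(phone: str) -> str:
    """The partial reveal a leaky page shows, e.g. '********67'."""
    return "*" * (len(phone) - 2) + phone[-2:]


def leaky_recover(store: dict, email: str) -> dict:
    """'Before': the response differs for known and unknown addresses and
    discloses part of the phone number to an unauthenticated requester."""
    user = store.get(email)
    if user is None:
        return {"status": 404, "message": "No account found for that email"}
    return {"status": 200, "message": f"We sent a code to {mask_phone(user['phone'])}"}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()          # forget hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_recover(store: dict, email: str, client_key: str,
                     limiter: RateLimiter, send) -> dict:
    """'After': identical response whether or not the account exists, an
    enforced rate limit, and the contact channel used only out-of-band."""
    if not limiter.allow(client_key):
        return {"status": 429, "message": "Too many requests, try again later."}
    user = store.get(email)
    if user is not None:
        send(user["phone"])      # delivered to the owner; never echoed back
    return dict(GENERIC_RESPONSE)


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=60)
    for addr in ("alice@example.com", "nobody@example.com"):
        print("leaky   :", leaky_recover(CONSTRUCTED_USERS, addr))
        print("hardened:", hardened_recover(CONSTRUCTED_USERS, addr, "203.0.113.7",
                                            limiter, lambda phone: None))
```

Two refinements a production handler needs beyond this sketch: key the limiter on the target address as well as the client (an enumeration run rotates source IPs), and keep the timing of the two branches indistinguishable, for instance by queuing the send asynchronously, since a measurable delay on the "account exists" path leaks the same bit the message used to.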

Summary

Our digital identities are now the front line of national security. A single email address used uniformly across all services is a key that unlocks far more than just an inbox. By adopting plus addressing and masked emails, we can disrupt the trail and protect both our personal privacy and our national security.
