Is LogMeIn leaking email addresses?

by @edent | # # | 2 comments | Read ~285 times.

Like all security minded people, I use a unique email address for every service I sign up to. This week, I noticed I had started receiving spam to an email address associated with my Join.me account. Join.me is a screen sharing service now owned by LogMeIn.

I signed up for a trial of Join.me back in 2012(!) and as far as I'm aware, never used it again. Checking my records, this piece of spam is the first email I've received to that address in 7 years. The email address in question does not appear in the Have I Been Pwned breach database.

I sent a snarky tweet and was impressed when LogMeIn contacted me directly (my public contact details are on Twitter).

After giving them the details, they replied:

We have completed our analysis and confirmed there is nothing suspicious in our environment.
Additionally, we have a proactive Digital Risk Protection in place to monitor our domains.

Well, that's a good start. But it still doesn't explain where it came from. They also said:

We have identified that your email ID was part of several third party breaches (mostly related to marketing vendors).
Link to the finding - https://dehashed.com/search?query=em.nioj.2102@shkspr.mobi

I wasn't aware of the "Dehashed" service. It's sort of like HaveIBeenPwned but less accurate. If you type in a completely new email address - it will report a false positive if any email on your domain has ever been compromised. Try it yourself.

I reported that back to LogMeIn and am yet to get a response.

As far as I can tell, there are four possibilities.

  1. A spammer guessed my unique email address.
  2. Join.me gave my email address to someone when I shared my screen with them. That user has leaked my address.
  3. Join.me has been breached.
  4. Join.me has sold my email address.

I think it is unlikely that a spammer would be bothered to guess email addresses, and even less likely they'd guess which service I had an account with.

I don't remember actively using Join.Me, nor what their privacy policy was half-a-decade ago. It is possible they shared email addresses back then. But that would be an odd design decision.

So I'm left with the conclusion that - somehow - my email address has leaked directly from Join.Me.

LogMeIn suffered a breach in 2012 - but didn't acquire Join.me until 2018.

All very curious. If you have received spam to a Join.me unique email address, please let them know.

2 thoughts on “Is LogMeIn leaking email addresses?

  1. Anonymous says:

    AFAIK join.me is LogMeIn's own product, it was not acquired. The page you linked says LogMeIn acquired Jive Communications, not join.me, so when you signed up in 2012 join.me was and still is a LogMeIn product.

  2. anonymous says:

    I dont think the website tells any meaningful information. You can add random characters to your email address or use a brand new email address and it says its compromised. I think logmein just soldyouout

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.