Like all security-minded people, I use a unique email address for every service I sign up to. This week, I noticed I had started receiving spam to an email address associated with my Join.me account. Join.me is a screen sharing service now owned by LogMeIn.
I signed up for a trial of Join.me back in 2012(!) and as far as I'm aware, never used it again. Checking my records, this piece of spam is the first email I've received to that address in 7 years. The email address in question does not appear in the Have I Been Pwned breach database.
I sent a snarky tweet and was impressed when LogMeIn contacted me directly (my public contact details are on Twitter).
After giving them the details, they replied:
"We have completed our analysis and confirmed there is nothing suspicious in our environment.
Additionally, we have a proactive Digital Risk Protection in place to monitor our domains."
Well, that's a good start. But it still doesn't explain where it came from. They also said:
"We have identified that your email ID was part of several third party breaches (mostly related to marketing vendors).
Link to the finding - https://firstname.lastname@example.org"
I wasn't aware of the "Dehashed" service. It's sort of like HaveIBeenPwned but less accurate. If you type in a completely new email address, it will report a false positive if any email on your domain has ever been compromised. Try it yourself.
I reported that back to LogMeIn and am yet to get a response.
As far as I can tell, there are four possibilities.
- A spammer guessed my unique email address.
- Join.me gave my email address to someone when I shared my screen with them. That user has leaked my address.
- Join.me has been breached.
- Join.me has sold my email address.
I think it is unlikely that a spammer would be bothered to guess email addresses, and even less likely they'd guess which service I had an account with.
So I'm left with the conclusion that - somehow - my email address has leaked directly from Join.me.
All very curious. If you have received spam to a Join.me unique email address, please let them know.