Have you ever received SPAM on Proton Mail? I just did, and it's annoying

I have been a paying Proton Mail user for over 5 years and I have never used my default Proton address to send mail to anyone other than a Proton user years ago. I have also never shared that address with anyone other than a handful of Proton users I converted years ago who never use their Proton address.

I have also never emailed any Big Tech email providers with my Proton addresses. And I have never used my Proton addresses for any online account other than banking and my password manager.

And yet, this week I received 2 SPAM emails from Surf Shark VPN at my default Proton address. I have never used Surf Shark VPN in my life. And never considered it as my VPN provider.

How could this have happened?

I have one friend who I know uses Surf Shark VPN and she absolutely hates it. She can’t wait to switch. That friend works in IT and is very security conscious. She is also privacy conscious, but less so than me. I am doubtful that that friend is responsible, but I will ask her on Signal.

One other possibility is that a Proton user, who has a similar username to mine, signed up to Surf Shark and made a typo. But how likely is that?

The reason I have avoided sending emails to non-Proton users for so long is precisely because I didn’t want to get SPAM. And yet, somehow it happened. I’m really bummed out.

1 Like

Would you be able to clarify further, then? Because this seems to go beyond what you’re describing, honestly…

Clarify what? I got spammed by a known company and I don’t know how the spammer got my Proton address because I never use it.

Well, then it can’t just be “someone accidentally put my address”;
that would be too much of a coincidence, if you know what I mean.
Maybe you used your Proton address somewhere that was in a data breach. I would check on something like, for example, https://haveibeenpwned.com
It’s nice to try and narrow down I guess…

I just checked on Have I Been Pwned. I first entered the Proton address I use most of the time to email people, which is not my default address. Nothing. I was not pwned.

Then I entered my default Proton address. The one I never use for anything, and on which I got spammed. Same results. I was not pwned.

This is why this is so strange. I’ve read a lot of testimonies from people who use Proton Mail for everything. They email Big Tech email providers like Gmail, and claim to have never been spammed.

And somehow, I, someone who uses their Proton addresses very conservatively, I got spammed.

Thanks for your clarification
I don’t think it’s a bad idea to ask relatives who used Surfshark; maybe they used your address by mistake or something. If I’m seeing correctly, of course, you mentioned:

I have one friend who I know uses Surf Shark VPN and she absolutely hates it. She can’t wait to switch. That friend works in IT and is very security conscious. She is also privacy conscious, but less so than me. I am doubtful that that friend is responsible, but I will ask her on Signal.

If she did not use your Proton address, then things get so much stranger, and it is possible it could be traced back to Surfshark doing something shady? Hard to say without, you know…

Yeah. Like I said, I’m doubtful it’s her. We haven’t emailed each other in years. We always communicate via Signal. I know that Nord VPN, which is owned by the same company as Surf Shark, has a loyalty program that rewards you with extra months of service for every person you convert.

I have no idea if Surf Shark has one too. But to my knowledge, such programs don’t ask for your entire contact list. You have to manually choose them and enter their email address yourself. I don’t think my friend would do this without asking me first.

And if it were a situation where the company collects all your contacts and emails them, I would have received an email at my Gmail address too, which my friend has. In fact, I don’t think my friend has my Proton address, because they’re not a Proton user. The rare times I’ve emailed them, which was an eternity ago, it was from my Gmail address.

Most likely smartphones, where apps require one click to access all saved contact information.

Also, I don’t understand why you worded it like this is such a big deal, or are even attempting to trace the leak. Info given to others is not private, and you can’t control how people safeguard or use it. It is what it is.

6 Likes

Why did you link PG’s page on aliases?

I use aliases. I have for years. I have 400+ aliases. I use aliases for literally everything except my password manager and my bank.

It’s a big deal because:

  1. I don’t like SPAM. (Like most people)
  2. I went out of my way to avoid SPAM (more than most Proton users).
  3. I still got spammed.
  4. I can’t trace where the spam came from.

All your comments in the thread and the way you’ve written the post reads like it’s the end of the world.

Relax. It’s just spam. Yes, no one likes it, but it’s easy to block senders and report emails as spam. It happens. All you can do is have great opsec. But the account holder is not always the only reason one gets spam. It could be any number of factors.

You may keep thinking what it is but it won’t change anything now. Best you can do is keep maintaining good opsec and be careful whom you share your email address with.

6 Likes

Was it a legit marketing email from Surfshark? Is the domain owned by them?
You can ask them where they got it from; I believe that under some jurisdictions’ privacy laws, like the GDPR, they have to tell you.

To answer the question in the title, I only receive spam through my linked old Gmail address, which was in two breaches.

1 Like

I thought I had great opsec. That’s the point. If you receive SPAM at an email address you’ve never used or shared, that’s weird. Also, I look at my Gmail, and I still get a ton of spam there, despite 95% of the emails there being sent to aliases and not my actual address.

I just checked. It’s from Surf Shark’s real domain: info@mail.surfshark.com
Also, according to Proton Mail the message is from a mailing list.

I will try to reach out to Surf Shark, and will reach out to Proton too.

I understand you feel violated by this and that is understandable after putting in effort to ensure this never happens.

There could be the possibility that your email was detected as a valid proton address and ended up being sold to surfshark through a marketing list. This is a common occurrence and surfshark probably has no idea who you are and sent it out to the list it purchased. These marketing lists are not always procured with integrity and you happened to be on it.

On a side note, it is curious HOW this could have even appeared on a list such as this. Accidentally connected to the same instance as your Gmail? Used public Wi-Fi to connect to your Proton Mail? Maybe even an extension leak.

I am no expert here, but there is always the possibility of a “slip” of this information, even from your bank.

2 Likes

I hear you. I use the Proton Mail’s apps on both desktop and mobile. And all my devices are connected to a VPN 24/7.

I also read on Wikipedia that Surf Shark is described as a cybersecurity company, and I would assume that they perceive themselves as such. To me, it would be unethical for a cybersecurity company to acquire the email addresses of random people just for marketing. But of course, we know cybersecurity companies are not created equal. Even so, it’s icky to me that a security company would do that.

I am sure that the emails harrypotter@pm.me or harry@pm.me are taken. Yet I wonder if those addresses receive spam simply because they are common usernames that are guaranteed to have an owner.

Yes it is another possibility the email happened to be a good guess. Did you also analyze the headers to verify the message wasn’t spoofed?

Yeah. The message wasn’t spoofed. It’s really from Surf Shark.
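A way to do the header check discussed in the last few replies (is the message really from the domain it claims, and is it a bulk or list send, as Proton reported), as an added example that is not part of this thread or of Proton’s or Surfshark’s software: it reads the Authentication-Results headers the receiving server adds, checks that the DKIM signing domain aligns with the From domain, and looks for mailing-list headers. The two sample messages are constructed for illustration, not the original poster’s mail; every header value, address and domain in them is an assumption, and the `analyze` function is a hypothetical helper.

```python
"""Verify sender authentication and bulk-mail markers from raw message headers.

Added example, not code from the thread. Both samples below are CONSTRUCTED;
their header values and addresses are assumptions, not the real message.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: what a genuine ESP send looks like after the receiver has
# recorded SPF/DKIM/DMARC results (Authentication-Results, RFC 8601).
SAMPLE_AUTHENTIC = """\
Return-Path: <bounce-123@mail.surfshark.com>
Authentication-Results: mail.protonmail.ch; dkim=pass (Good rsa-sha256 signature) header.d=mail.surfshark.com header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=mail.surfshark.com
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=REJECT dis=NONE) header.from=mail.surfshark.com
From: Surfshark <info@mail.surfshark.com>
To: recipient@example.invalid
Subject: Constructed sample marketing message
List-Unsubscribe: <https://example.invalid/unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Precedence: bulk
Content-Type: text/plain; charset=utf-8

(body omitted)
"""

# Constructed: a forged From header; no DKIM signature and DMARC fails.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@example.invalid>
Authentication-Results: mail.protonmail.ch; dkim=none; spf=fail smtp.mailfrom=example.invalid; dmarc=fail (p=REJECT dis=NONE) header.from=mail.surfshark.com
From: Surfshark <info@mail.surfshark.com>
To: recipient@example.invalid
Subject: Constructed spoof sample
Content-Type: text/plain; charset=utf-8

(body omitted)
"""


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Summarise authentication results and bulk-mail markers of one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg.get("From", ""))
    bounce_domain = _domain(msg.get("Return-Path", ""))  # what SPF actually checks

    # A receiver may add several Authentication-Results headers; read them all.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", auth, re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_domain = m.group(1).lower() if m else ""

    # Approximates DMARC relaxed alignment (same domain, or parent/child);
    # a strict check would compare organizational domains via the public suffix list.
    aligned = bool(dkim_domain) and (
        dkim_domain == from_domain
        or from_domain.endswith("." + dkim_domain)
        or dkim_domain.endswith("." + from_domain)
    )
    # Headers that mark a list / marketing send rather than a personal message.
    mailing_list = bool(msg.get("List-Unsubscribe") or msg.get("List-Id")) or (
        str(msg.get("Precedence", "")).lower() == "bulk"
    )
    # SPF alone is not enough: it covers the bounce domain, which a spammer controls.
    authenticated = results["dkim"] == "pass" and aligned and results["dmarc"] == "pass"
    return {
        "from_domain": from_domain,
        "bounce_domain": bounce_domain,
        "dkim_domain": dkim_domain,
        **results,
        "aligned": aligned,
        "mailing_list": mailing_list,
        "verdict": "authenticated" if authenticated else "not authenticated",
    }


if __name__ == "__main__":
    for label, sample in (("authentic", SAMPLE_AUTHENTIC), ("spoofed", SAMPLE_SPOOFED)):
        print(label, analyze(sample))
```

To use it on a real message, save the mail as .eml (Proton’s “View headers” or export) and pass the file contents to `analyze`; the thing to look at is whether `dkim` is `pass` and `dkim_domain` aligns with `from_domain`, since a spammer can make SPF pass for a bounce domain they own while still forging the visible From address.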

You need to pull on the ejection to stop spiraling through this tizzy. :face_with_peeking_eye:

Please keep us updated if you get a response

I don’t appreciate how you are brushing off OP’s very valid concerns. He went through great lengths to keep his main email quarantined / isolated and now that has been violated by some spam company.

YOU do not get to dictate other people’s threat models or how they react to things that violate their privacy. Everyone has their own frameworks. Please respect his.

This is actually a very important post and I am very glad OP shared this because I was also under the impression that my main proton email was isolated as I solely use aliases.

Now that OP shared this I can assess my current model and plan accordingly.

5 Likes