The Template

This is the basic boilerplate verbiage I use when sending an email to a company to bring the problem of email address validation to their attention:

Please remove my email address from this account.

Someone signed up using my email address in error. Since you don't validate your customers' email addresses correctly, I have begun receiving email messages and notifications intended for them.

As address validation is an extremely simple process, a critical breach of privacy and drastic disregard for potential fraud and identity theft as a result of what is most likely a typographical error could have easily been avoided.

This is a prime example of why email address validation is so important. Aside from the obvious leak of this person's private information, were I a more nefarious internet user, I'm sure I could now initiate the forgotten password procedure and log into this person's account and get their other personal information with no difficulty at all.

With such a common first initial and last name, I receive misdirected mail every single day from other companies who also do not take their customers' privacy seriously. After years of incredulity that such a simple process could be so mishandled and years of cutting and pasting my boilerplate chastisements such as this, I have created a guide for how to do this correctly. Please review and implement it as soon as possible.

I have attempted to Cc various email addresses at your organization as well as doing various Google searches to find other company contacts. If you receive this message, but you are not the correct person to handle this problem, please forward this message to a more appropriate person.


I sometimes include these insertions based on the content of the email they send me:

Sent me the password in the actual email

  • Not only have you leaked this person's private information, you have **EMAILED ME THEIR PASSWORD** indicating that you store people's passwords **IN PLAIN TEXT**. FOR SHAME!

From a supposed identity protection company 🙄

  • You offer yourselves as a company that sells a service to protect people's privacy. At the same time, you are so incompetent that you can't even handle the simple process of email address validation. FOR SHAME.

From a company with one of those really long, warlording style notices at the footer of the email

You know the one. A really long-winded, often threatening message about how, if you're not the intended recipient of the email, you must delete it immediately. That sort of thing. Usually this one follows the previous inclusion.

  • For all your marketing hype, privacy policy verbiage, and attempts to convince customers that you can be trusted, here I am receiving email from your site intended for another person.
    If I've caught you with your pants down over something this simple, what other problems lurk, waiting to be found and, worse, exploited?

And, finally, if applicable:

  • You are also failing to comply with the law and are in violation of the CAN-SPAM Act of 2003 (15 U.S.C. 7701) as there is no unsubscribe mechanism provided in this email.

Sometimes I'll throw in a few more jabs for anything else I might find. In particular if I go looking for email addresses on their website and find really long-winded (and obviously meaningless) privacy policies. But that's the gist.