
Caution to all Gmail users: This simple mistake can endanger your privacy


Nearly 2 billion people use Google’s free email service Gmail, which rightly boasts of numerous measures to protect user privacy and keep accounts safe from malicious activity. With more than 300 billion emails passing through the service every day, you might be surprised to learn that a simple mistake can undo all that and expose your email messages to complete strangers. Not only does this mistake put your privacy at risk, but it can also compromise account security beyond email. Don’t be “smart” with your email address, or sensitive information could leak through like a sieve.

Gmail security is top notch

It’s not just cybercriminals, hackers, or even family members who pose a threat to your email; your biggest enemy might be yourself. Your inbox, and especially your Gmail inbox since Gmail is the most commonly used email provider, is a prime target for those looking to steal everything from account credentials to sensitive personal information. Fortunately, Gmail has some of the best security measures in place to ensure your inbox stays private and potential snoopers are kept at bay.

Google’s Advanced Protection Program, which is primarily of interest to high-risk users such as politicians, activists and journalists, offers the most secure way to ensure that only you can access your account. In July, Google made this security option even more attractive by removing the need to purchase expensive hardware keys and instead opening the program to users with passkeys.


Then there’s the use of large AI language models to protect Gmail users from malware and spam. According to Google, they can detect twice as much malware as the average third-party antivirus and security products. And speaking of spam and malware, Google has also introduced strict authentication for bulk email senders to Gmail users to further reduce the risk of malicious messages getting through.

So what are some Gmail users doing that blows a huge hole in much of this protection? The answer: trying to be clever with their email addresses.

Don’t joke with your Gmail address

Both my inbox and the online Gmail support groups are evidence that people like to be clever with their email addresses and can make big mistakes when it comes to privacy and security.

I know from personal experience how someone can make this mistake without realizing it. I used to have a Gmail account of the type [email protected] that I used as an alias for certain investigative journalistic activities many years ago. Any incoming email addressed to this account was automatically forwarded to another account that I monitor more frequently. Over time, I forgot about this alias address and it was even deleted from my password manager. I now have no way of accessing it even if I wanted to, and thus cannot disable this forwarding rule either. That’s a shame, because someone with the same [email protected] account apparently thought they were being clever and used a version of [email protected] instead.

The problems start when you realize that dots don’t matter in Gmail addresses, as Google makes clear in a support document. So if your email address is [email protected], you own all versions of that address with dots. So anyone who sends emails to [email protected] won’t see the replies, but the owner of [email protected] will.


“If someone tries to create a Gmail account with a dotted version of your username,” Google said, “they’ll get an error message saying the username is already taken.” But [email protected] and [email protected] are not the same thing, and that’s where the confusion lies.
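The dot rule described above, shown as an added example that is not part of the original article: a check a sign-up or contact form could run to see which typed addresses land in the same Gmail mailbox. The function names and sample addresses are constructed for illustration, and treating only `gmail.com` as Gmail is an assumption.

```python
from collections import defaultdict

# Assumption for this example: only consumer gmail.com is treated as Gmail.
# The dot rule does not apply to other providers.
GMAIL_DOMAINS = {"gmail.com"}


def mailbox_key(address: str) -> str:
    """Return the mailbox an address delivers to, as far as dots are concerned."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the username; letter case is ignored as well.
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def shared_mailboxes(addresses):
    """Group differently written addresses that reach the same mailbox."""
    groups = defaultdict(set)
    for addr in addresses:
        groups[mailbox_key(addr)].add(addr.strip())
    return {key: sorted(forms) for key, forms in groups.items() if len(forms) > 1}


# Constructed sample data: addresses as typed into a contact form.
SAMPLE = [
    "jane.doe@gmail.com",
    "janedoe@gmail.com",
    "Jane.D.oe@gmail.com",
    "jane.doe1@gmail.com",   # extra character: a different account entirely
    "jane.doe@example.org",  # other provider: dots are significant
    "janedoe@example.org",
]

if __name__ == "__main__":
    for key, forms in shared_mailboxes(SAMPLE).items():
        print(key, "<-", ", ".join(forms))
```

Only the three dotted and undotted `gmail.com` forms are grouped; the address with an extra character and the two `example.org` addresses remain separate mailboxes.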

As users have noted on X, this rarely happens, and some also make the mistake of omitting letters or numbers in the middle or at the end of a first-name-last-name address and instead simply typing their name in online contact forms. However, the result is the same, and care must be taken regardless of the email platform.

Mitigating the privacy issue when using addresses with dots

I should point out that this could of course also fall into the wider area of forwarding emails to an incorrect email address or typo, and so applies to any email platform and is not an underlying security issue with Gmail. Better yet, just don’t do it at all. Apple users can use the Hide My Email feature, which generates unique, random email addresses that are automatically forwarded to your personal inbox. My preferred email client, Proton Mail, also has a hide-my-email aliases feature that works in the same way.

I reached out to Google for comment and a spokesperson pointed me to the aforementioned “Dots don’t matter in Gmail addresses” support document. If you receive an email that is obviously intended for someone else, Google recommends notifying the sender and letting them know they used the wrong address, and reporting anything that might seem suspicious as spam or a phishing message. Of course, don’t click on links in such emails. I would also recommend emailing the recipient who accidentally used an address with dots so they are aware of the problem. I did that, but the messages still kept coming, so I created a filter rule that deletes them as soon as they arrive.
