Thursday, 20 August 2015

Did you sign up?

I get a lot of spam. A lot. And I didn't sign up for any of it. Just now, I got a spam purporting to come from Transport for London. I did sign up to them, but not from the email addresses that it's being sent to. It's just spam, and it's being sent to the email address that I give when a form requires me to, but I don't want to give my real address.
And it's being sent from a account, not by TfL.

People buy lists of email addresses from unscrupulous vendors. Unscrupulous vendors create lists of email addresses by using things like Google, and then automatic recognition programs to analyse the results and parse out email addresses. So, if I put "" in this blog post, in a few days, Google will index it, and in the fullness of time the address "" will be sold to gullible purchasers, who will then spam it. I hope that address doesn't actually exist! Well, I checked, it doesn't. But maybe one day someone will register the domain name and create that email address. Or maybe they won't - the unscrupulous vendor doesn't care either way.

If a site actually cares about getting real email addresses, then it must use the "double opt-in" system, and I've used a few (a very few) that do. The way that works is that I sign up and give my email address. They then send an email to that address, asking for confirmation. If I ignore that email (or don't get it), then the email address is scrubbed. It's only if I reply, giving a code they sent me, that the email address is added to the list.
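The double opt-in flow described above, as an added Python example (not code from any site mentioned in this post). The class name, the `send_mail` callback and the 24-hour confirmation window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed confirmation window, in seconds


class MailingList:
    """Double opt-in: an address joins the list only after its owner confirms."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(address, code); stands in for real SMTP
        self.now = now
        self.pending = {}            # address -> (sha256 of code, expiry time)
        self.confirmed = set()

    def sign_up(self, address):
        """Anyone can call this with any address, so it grants nothing by itself."""
        address = address.strip().lower()
        if address in self.confirmed:
            return
        code = secrets.token_urlsafe(16)          # unguessable, single use
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[address] = (digest, self.now() + TOKEN_TTL)
        self.send_mail(address, code)             # only the mailbox owner sees the code

    def confirm(self, address, code):
        """Add the address only if the code mailed to it comes back in time."""
        address = address.strip().lower()
        entry = self.pending.get(address)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[address]             # ignored or never received: scrub
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[address]
        self.confirmed.add(address)
        return True

    def scrub_expired(self):
        """Drop every unconfirmed address whose window has passed."""
        cutoff = self.now()
        for address in [a for a, (_, exp) in self.pending.items() if exp < cutoff]:
            del self.pending[address]
```

Presence in `pending` proves only that someone typed the address into a form; presence in `confirmed` proves that whoever reads that mailbox returned the code.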

The main thing this prevents is people signing up other people without their agreement. Including

So if is in the Ashley Madison leaked list of email addresses, or if it's signed up to any other service that doesn't use double opt-in, then that doesn't actually mean that the owner for the address signed up. All it means is that someone signed up and gave that email address.

Tim Loughton MP, said "if, as looks possible, government email accounts in what should be secure departments are this vulnerable to being hacked or impersonated that raises its own serious security issues."

No, Tim. May I call you Tim? Email addresses aren't secret. They aren't supposed to be secret. They're like names. The name "Tim Loughton" is publicly available information, very easy to find, just like your phone number, fax number, address of your constituency in Shoreham, and their phone number and email address. His email address is I got this from, the House of Commons web site. I could now go to any web site I wanted to, and give that email address in a sign-up. I won't, of course. But the fact that your email address is very easy to discover, is *not* a "serious security issue".

And I just read a column in the Telegraph, written by the usual ignoramuses. "What should you do if your email address is in the Ashley Madison list? Apologise."

Bad advice. Because maybe someone else signed up giving your address.
