Dutch student collects 15 million GMail addresses rather easily.

Discussion in 'privacy problems' started by Baserk, May 27, 2011.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    From Heise Online;

    'In his blog, a student from the University of Amsterdam reports that he gathered around 15 million Gmail addresses from Google user profiles within a month. Matthijs Koot analysed just under 35 million profile links from Google's profile site map, which is easily accessible on the company's servers.
    Koot says he used the same IP address for all of the 35 million queries, but Google didn't attempt to stop the mass download. A Google spokesperson told British IT news source The Register that the site map does not make any information available that is not already publicly accessible.
    ' link

    From Matthijs Koot's blog;

    'This blog runs at Google Blogger. I sincerely hope my account "mrkoot" and blog.cyberwar.nl will not be blocked or banned - I do NOT publish any usernames or other profile data and did not violate policy I am aware of.' link

    From email correspondence between Koot & The Register;

    '"I wrote a small bash script to download all the sitemap-NNN(N).txt files mentioned in that file and attempted to download 10k, then 100k, then 1M and then, utterly surprised that my connection wasn't blocked or throttled or CAPTCHA'd, the rest of them," Koot wrote in an email to The Register.'
    link

    As a Google spokesman points out in a reaction to 'The Register', it's all publicly available info.
    Still, a rather easy way to harvest @ddresses.
    Anyone know what the going rate is for such a batch nowadays? j/k.
     
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    A completely open & accessible database/archive with information of 35 million folks with their partial<->full info regarding work, education, twitter messages, full names, nick names, email addresses for a 3rd of them, picasa albums isn't necessarily worrying.
    Unless it's used maliciously like for spear-phishing-made-very-easy.

    I wonder how many of those 35 million people actually understood what they agreed to when clicking on 'Agreed, (you can publish my entire Google profile, even if I haven't got a clue what it entails)'.
    FYI, I'm not blaming Google, it's just that a lot of people will probably not understand the scope of clicking on 'Agreed' once.

    I guess it boils down to the now famous Humancentipad episode phrase; "Why won't it read?!?!"
     
  3. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Reading this makes me even more happy that I scrapped a gmail account that I had. Originally I had gotten rid of it due to "dot blindness" as described here. The article is old, but the problem still exists. I had the same thing as described in the second comment:
    Only difference was that I was firstnamelastname and the other guy was firstname.lastname. What I find amazing is that although Google knows about this bug, they still allow someone to make an account with a dot using the same name as an existing account.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    So - you're ok with personalized spam?
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    That's a misconception. The presence or absence of dots in a gmail username doesn't make any difference. See this link:
    https://mail.google.com/support/bin/answer.py?answer=10313#
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I realize that. However, all the emails I got for this other person were real, not spam. Things like volleyball practice is Thursday, the fire chief wants to hold a meeting, etc. If it was a case of a typo, then there were a lot of people doing it or he gave out the wrong email address to several people.

    The conclusion I came to was that he was allowed to make an account putting a dot between first and last name. Besides that, the fact that you can't use hyphens or underscores in an email address is ridiculous, I've never seen another email service that does that.

    I also recently received an email from Google Account Recovery with a link to where I can reset my password. It says that if I didn't initiate it, I could just ignore it, someone else probably typed in the wrong address. It's all rather weird since I deleted my Google email account months ago. I suspected that the other guy was trying to reset his password and I got the mail. :argh:
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Interesting. I wonder if you were both using the same account. Did you ever see any sent mail that you didn't send, or anything like that?
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    To be honest, I never looked at sent mail because I never used gmail except as an email address when one had to be given somewhere. I had it set up to forward incoming mail to another account and I use an email client, so I very seldom logged in to the web account.

    One thought though, if we had been using the same account, how would he have logged in without knowing the password? Or if he had set his up first I would have had to know his password. Really weird. I deleted the account because I was wondering how much of my mail he was getting if I was getting some of his. I had written to a couple of the senders and told them that I wasn't the guy they were looking for, but never got a response.
     