
A person who has used the internet for ten years has entered their email address into roughly three hundred forms. Each entry created a relationship: an account, a subscription, a verification step, a marketing opt-in, or a terms-of-service acceptance. Some of those relationships were intentional. Most were transactional and forgotten within minutes. But every single one left the email address sitting in a database, and databases leak.

The average email address now appears in at least four publicly known data breaches, according to haveibeenpwned.com data. The actual number is higher because not all breaches are reported and not all leaked databases are indexed. That same email address is the login credential for banking, the recovery address for social media, the identifier that marketing platforms use to track behaviour across websites, and the key that connects a person's fragmented online presence into a single, searchable profile.

How a Single Email Address Becomes a Tracking Anchor

When someone signs up for a newsletter with the same email they use for Gmail, they've given the newsletter operator a link to their Google identity. If that newsletter operator shares data with advertising networks (and most do, either directly or through embedded tracking pixels), the advertising network now knows that this Gmail address visited this particular website, opened this particular email, and clicked this particular link.

The tracking compounds across services. The same email address used for an online retailer, a fitness app, a news subscription, and a social media account creates a web of connections. Data brokers aggregate these connections. The result is a profile that includes purchase history, reading habits, fitness data, social connections, and geographic patterns, all linked by a single string of characters.

Email tracking pixels make this worse. A 1x1 transparent image embedded in an email loads when the email is opened, sending the recipient's IP address, email client, operating system, and open timestamp back to the sender. The sender now knows not just that the email was opened, but when, where (approximately), and on what device. This data feeds into advertising profiles. The recipient has no indication that any of this happened. The email looked normal.

The linking function of email addresses isn't a side effect. It's the intended design of modern digital advertising infrastructure. Email is the one identifier that persists across devices, across browsers, across cookie deletions. A person who clears their cookies, uses a VPN, and browses in incognito mode is still identifiable the moment they log into a service with their email address. The email is the persistent key that survives every other privacy measure.

The Password-Reset Problem

Every service that offers "forgot password" functionality treats the email address as proof of identity. Whoever controls the email inbox controls every account linked to it. This is obvious in theory and catastrophic in practice.

An attacker who gains access to a person's primary email can reset passwords on banking sites, e-commerce accounts, cloud storage, social media, and anything else that sends a reset link to that address. Two-factor authentication helps if it's enabled on the email account itself, but many people don't enable it, and some services still allow SMS-based 2FA that can be defeated through SIM swapping.

The concentration risk is staggering. A single compromised email address can cascade into dozens of compromised accounts within minutes. An attacker with access to the inbox doesn't even need to know which services the victim uses. They can search the inbox for "welcome to," "verify your email," "your account," and similar patterns to discover every service linked to that address. Then it's a matter of clicking "reset password" for each one.

This is why using one email address for everything is architecturally identical to using one password for everything. The email address isn't just an identifier. It's a recovery credential, and reusing it everywhere means a single point of failure for the entire digital identity.

Marketing Databases and the Email Supply Chain

When an email address is submitted to a website, it enters a supply chain that the original user has no visibility into and no control over. The website may share it with its email marketing platform (Mailchimp, Klaviyo, HubSpot). The marketing platform may share aggregate data with its parent company. Third-party tracking scripts embedded on the website may capture the email independently and send it to advertising networks. Data enrichment services may match the email against other databases to build a fuller profile.

The GDPR and CCPA theoretically limit this sharing, but enforcement is uneven and the data flows are opaque. A privacy policy that says "share with trusted partners" can cover dozens of companies, each with their own data handling practices and their own breach exposure surface. The user who submitted their email to one website has no way to trace how many databases it now sits in.

Data brokers explicitly trade in email-based profiles. Companies like Acxiom, Oracle Data Cloud, and LiveRamp build identity graphs that start with an email address and attach demographic data, purchase history, credit information, property records, and social media activity. These profiles are sold to advertisers, background check services, and anyone else willing to pay. The email address is the primary key in these databases. Every new service that receives it creates another node in the broker's graph.

Data Breaches: The Compounding Cost of Reuse

A data breach at a low-value service (a forum, a free tool, a newsletter) might seem harmless. The password was unique. No financial data was stored. What was the damage?

The damage is the email address itself. Once it's in a breach dump, it becomes a permanent fixture of the internet's grey market. Credential stuffing tools use breached email addresses to attempt logins across thousands of services. Even without the corresponding password, the email address is now associated with "breached" in every security tool that checks it, which means the owner will face more suspicious-login alerts, more CAPTCHA challenges, and more account lockouts across unrelated services.

Phishing becomes more targeted. An attacker who knows someone has an account at a specific service (because the email appeared in that service's breach) can craft a convincing phishing email. "Your [service name] account requires verification" is much more persuasive when the recipient actually uses that service. The breach data provides the targeting intelligence for free.

And breaches compound. An email address that appears in five breach dumps gives an attacker five data points about the owner: five services they use, five registration dates, five sets of associated metadata. Cross-referencing these creates a profile that's useful for social engineering, even without the passwords.

Practical Strategies for Email Compartmentalisation

The defence is compartmentalisation: using different email addresses for different trust levels. This isn't a new idea, but doing it effectively requires more than just creating a few aliases.

Tier one: a primary email address used exclusively for high-value accounts. Banking, government services, primary cloud storage, and the email provider itself. This address is never entered into marketing forms, never used for shopping, never shared publicly. Its sole purpose is recovery and authentication for accounts that would cause serious harm if compromised.

Tier two: secondary addresses for regular online services. E-commerce, subscription services, social media. These addresses can be permanent but are separate from the primary address. A breach at one of these services doesn't expose the address that controls banking and cloud storage.

Tier three: disposable addresses for one-time interactions. Newsletter signups, free trial registrations, wifi login portals, event registrations, and anything that requires an email but doesn't require a long-term account. These addresses should be unique per service so that spam or breach data can be traced back to the specific service that leaked it.
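One way to get the per-service traceability described for Tier three, as an added example that is not from the original article. It assumes a catch-all domain you control (`alias.example` here is a placeholder) and a private secret; each alias carries an HMAC tag so an address seen in spam or a breach dump can be attributed to the service it was issued to, and guessed addresses are rejected.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # assumption: kept private by the owner
DOMAIN = "alias.example"             # assumption: catch-all domain you control

def _tag(slug):
    """Short keyed tag binding the alias to one service name."""
    return hmac.new(SECRET, slug.encode(), hashlib.sha256).hexdigest()[:8]

def alias_for(service):
    """Derive a stable, unique address for one service."""
    slug = re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")
    return f"{slug}.{_tag(slug)}@{DOMAIN}"

def attribute(recipient):
    """Return the service slug an alias was issued to.

    Returns None when the domain is wrong or the tag does not verify,
    i.e. the address was guessed or forged rather than leaked.
    """
    local, _, domain = recipient.lower().partition("@")
    slug, _, tag = local.rpartition(".")
    if domain != DOMAIN or not slug:
        return None
    expected = _tag(slug)
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return slug if ok else None

if __name__ == "__main__":
    addr = alias_for("Example Forum")
    print(addr, "->", attribute(addr))
```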

Apple's Hide My Email and Firefox Relay provide built-in alias functionality that generates unique forwarding addresses. These are useful for Tier 3 but have limitations: if the alias service itself is disrupted, all forwarded mail stops. Dedicated email providers like ProtonMail and Tutanota offer alias features with stronger privacy guarantees.

For Tier 3 interactions where no ongoing communication is needed, synthetic profiles from tools like Another.IO provide complete identity packages with email addresses that aren't connected to any real person. The email isn't just an alias that forwards to a real inbox. It's a fully disconnected identifier. If it appears in a breach, nothing about the real person is exposed because no real person's data was ever attached to it.

The Spam and Phishing Feedback Loop

Every email address that enters circulation generates increasing noise. Spam volume grows over time as the address propagates through marketing databases. Phishing attempts increase as the address appears in breach dumps. The signal-to-noise ratio in the inbox deteriorates until the address becomes nearly unusable.

Most people respond by adding more aggressive spam filters, which introduce false positives. Legitimate emails end up in spam folders. Password-reset emails don't arrive. Time-sensitive notifications get buried. The user is now fighting the consequences of years of email address reuse, and the tools available to them are blunt instruments that create their own problems.

Compartmentalisation prevents this feedback loop from forming. The Tier 1 address, used only for high-value services, receives almost no spam because it was never exposed to marketing databases or low-security services. The Tier 2 addresses receive moderate noise but can be rotated if it becomes excessive. The Tier 3 addresses are disposable by design. Noise in Tier 3 has zero impact on Tier 1.

The Corporate Email Blind Spot

Work email addresses create a different version of the same problem. Employees use their corporate email to register for SaaS tools, industry newsletters, conference registrations, and professional networking sites. Each registration extends the attack surface of the organisation.

A breach at a conference registration platform exposes the employee's corporate email, name, job title, and company. This is enough for targeted spear-phishing. An attacker who knows a specific person works at a specific company in a specific role can craft a convincing email that references industry-specific language and internal processes.

Corporate IT departments often monitor for employee email addresses appearing in breach databases, but the monitoring is reactive. By the time the address appears in a known breach, it's already been circulating in underground channels for weeks or months.

Shadow IT compounds the problem. Employees signing up for unapproved tools with their corporate email create accounts that IT doesn't know about, in systems with unknown security postures, creating breach exposure that's invisible to the organisation's security monitoring.

Measuring the Exposure You Already Have

Before building a compartmentalisation strategy, it's worth understanding the current exposure.

Have I Been Pwned (haveibeenpwned.com) is the standard starting point. Enter an email address and it reports which known breaches include that address. For most long-term email addresses, the number is somewhere between four and twenty. Each entry represents a database where the address (and potentially associated data) was exposed.

Google's security checkup (for Gmail users) shows which third-party services have access to the Google account through OAuth connections. The list is often longer than expected. Each connected service has some degree of access to the account data.

Searching the email address in quotes on Google sometimes reveals unexpected exposure: forum posts, public directories, WHOIS records (for domain owners who didn't use privacy protection), and cached versions of pages that are no longer live.

This baseline measurement is usually sobering enough to motivate the compartmentalisation effort. The practical implementation is gradual: start by creating Tier 1 and Tier 3 addresses, use Tier 3 for anything that doesn't require long-term account access, and gradually migrate recurring services to Tier 2 addresses as passwords are rotated.

The email address was never designed to be an identity system. It was designed to deliver messages. The internet repurposed it into a universal login, a tracking identifier, and a recovery credential all at once. Treating it as expendable for low-trust interactions, and guarding it carefully for high-trust ones, is the most practical correction available.