ANDRI.BLOG
Privacy
7 min read

Why I Give Every Service a Different Email Address

Email aliases are the simplest way to limit your exposure when services inevitably get breached.

This week, Substack notified users that hackers stole their email addresses and phone numbers. The breach actually happened in October — they only discovered it now. A few days earlier, Betterment disclosed that 1.4 million accounts were exposed, including emails, names, and personal details.

These aren't exceptional events. They're Tuesday.

Every service you sign up for becomes a potential breach notification in your inbox. And your email address is the thread that connects them all. That LinkedIn breach? Same email as your bank. That random forum from 2019? Same email as your work account.

Here's what I've been doing instead: giving every service its own email address.

Why Your Email Address Matters

Your email is the key to your digital identity. It's how you reset passwords, verify accounts, and prove who you are. It's also:

  • A unique identifier that can be used to correlate your activity across services
  • A phishing target once it's exposed in a breach
  • Fuel for spam when it gets sold to data brokers
  • A password reset vector if an attacker controls your inbox

When the same email appears in multiple breaches, attackers can build a profile. They know you have a Netflix account, use a particular bank, shop at certain stores. That makes phishing emails much more convincing.

Email Aliases: The Simple Solution

An email alias is an additional address that forwards to your real inbox. The magic: you can create a unique alias for every service.

Sign up for Substack? Use substack.7x9k@yourdomain.com.
Create a Reddit account? Use reddit.3m2f@yourdomain.com.
Register for an online store? Use store-name.8n4p@yourdomain.com.

All these addresses forward to your actual inbox. But if one gets breached, only that service is affected. You know exactly who leaked your data (because the alias tells you). And you can disable that single alias without touching anything else.

The Services That Make This Easy

You don't need your own domain or technical knowledge. Several services handle this automatically.

SimpleLogin (€30/year)

My recommendation for most people. French company, now owned by Proton (Swiss), so it's solidly in the EU privacy sphere.

  • Create unlimited aliases with a few clicks
  • Works with your existing email
  • Browser extension for quick alias creation
  • Open-source code
  • GDPR-compliant

The free tier gives you 10 aliases, which might be enough to start. The paid plan removes limits and adds features like custom domains.

Proton Pass (included with Proton Unlimited, or ~€24/year standalone)

If you already use ProtonMail, Proton Pass includes "hide-my-email" aliases. It's integrated with their password manager, so new signups can automatically generate both a unique password and a unique email.

Firefox Relay (free tier available, ~€12/year for unlimited)

Mozilla's option. The free tier gives you 5 aliases — limited, but enough for your most sensitive accounts. Paid tier is unlimited and lets you use a custom subdomain.

iCloud Hide My Email (included with iCloud+)

If you're in Apple's ecosystem, this is built in. Safari can auto-generate unique email addresses during signups. Works well if you're already paying for iCloud storage.

Fastmail Masked Email (~€42/year)

Fastmail is an Australian email provider with excellent alias support. If you want to replace Gmail entirely with something private, this is a strong choice. Integrates with 1Password.

How I Set Mine Up

Here's my actual workflow:

1. Choose a service — I use SimpleLogin because it works with any email provider and the Proton ownership gives me confidence in long-term privacy.

2. Install the browser extension — When I'm on a signup form, one click generates a unique alias.

3. Use a pattern that makes sense — I use servicename.randomchars@sl.pm. The service name helps me know who it's for; the random characters prevent guessing.

4. Store aliases in my password manager — Each login entry includes the unique alias. If I need to find what email I used for a service, it's right there next to the password.

5. Periodically review — Maybe once a year, I look through my aliases and disable any for services I no longer use.

What Happens When a Breach Occurs

This is where it pays off.

Say Substack gets breached. With aliases, I know exactly what to do:

  1. Disable the compromised alias — The breached email stops receiving mail immediately. Phishing emails to that address go nowhere.

  2. Create a new alias — For services I still use, I generate a fresh alias and update my account.

  3. Watch for misuse — If spam or phishing starts arriving at the old alias, I have confirmation the data was actually exploited.

  4. Know who sold your data — Ever wonder which company gave your email to spammers? When each service has a unique alias, the mystery is solved.

Compare this to using one email everywhere: you'd change nothing, hope for the best, and deal with increased spam and phishing attempts forever.

The Realistic Approach

You don't have to go all-in immediately. Start with:

High-risk services first — Financial accounts, healthcare, government services. These hold the most sensitive data.

New signups from now on — Use aliases for everything you create going forward. No need to update old accounts unless you're motivated.

Gradually migrate important accounts — When you're changing a password anyway, update the email too.

Low-stakes stuff last — That random cooking website you signed up for once? Don't bother updating it. Just use aliases for new stuff.

What About Work?

This is primarily for personal accounts. Your work email is your work email — you can't alias that easily, and your IT department would have questions.

But for personal stuff — every streaming service, online store, forum, newsletter, social media account — there's no reason to use the same email.

The Phone Number Problem

Email aliases solve the email problem. But Substack also leaked phone numbers, and that's harder to address.

Some options:

  • Use a VoIP number for services that demand phone verification
  • Leave the phone field blank when it's optional
  • Consider whether a service really needs your number

In the EU, GDPR's data minimisation principle means companies should only collect what they need. Many phone number requests are optional — check if the field is actually required.

Common Objections

"It's too much work" With a browser extension, it's literally one click. The password manager integration means you never have to remember which alias you used.

"What if I lose access to the alias service?" Export your aliases regularly. Most services let you download a list. Also: choose a reputable service that isn't going to vanish.

"Some services block alias domains" Occasionally true. For those, you have options: use a custom domain (SimpleLogin and others support this), or temporarily use your real email for that specific service.

"Won't they just look up my IP address?" Companies correlate data in many ways. Aliases aren't perfect anonymity — they're practical breach damage limitation. Perfect is the enemy of good.

The Bottom Line

Every email address you share is a liability waiting to happen. Every breach notification proves that services can't protect your data.

Using unique email aliases means:

  • Breaches are contained to single services
  • You always know who leaked your data
  • Phishing becomes obvious (wrong alias = fake email)
  • You can cut off a compromised address instantly

The setup takes 10 minutes. After that, it's one extra click per signup.

Next time you see "Enter your email," you'll have a choice: hand over the same address you've been giving everyone for years, or create a unique one that limits your exposure.

The services won't stop getting breached. But you can stop giving them the same key every time.

▸ TAGS
#privacy#email#aliases#data-breach#security
▸ STAY IN THE LOOP

Weekly. No spam. No fluff.

← BACK TO ALL ARTICLES