Cleanbox
Features Helpdesk Blog Pricing Contact
Sign in Start free trial
Blog
privacy aliases tips

How to Find Out Who Sold Your Email Address

9 min read Sep 9, 2025

You start getting spam to an address you barely use. Someone sold your email — or it was leaked in a breach. But who? With the right setup, you can find out exactly which service was responsible.

The alias detective method

The principle is simple: use a unique email address for every service you sign up for. When one starts receiving spam, you know exactly where it came from.

With email aliases, this is practical:

  • Sign up for Amazon with amazon@yourdomain.com
  • Sign up for LinkedIn with linkedin@yourdomain.com
  • Sign up for that random webshop with randomshop@yourdomain.com

When randomshop@yourdomain.com starts getting spam about cryptocurrency, you know the random webshop either sold your data or was breached. No guessing. No ambiguity.

Setting this up with Cleanbox

  1. Use a custom domain or @cleanbox.me aliases
  2. Create a unique alias for each service (Cleanbox's random alias generator makes this quick)
  3. Keep a mental model or label for what each alias is used for (use the note field on each alias)
  4. When spam arrives, check which alias received it — visible in the message log and on the alias detail page

What to do when you find the source

If it was a data breach

  1. Check Have I Been Pwned — search the alias address to see if it appears in known breaches
  2. Change your password on that service immediately
  3. Enable two-factor authentication if available
  4. Consider disabling the alias and creating a new one for that service

If the company sold your data

  1. GDPR request (if you are in the EU or the company operates in the EU) — Send a formal data deletion request under Article 17. The company is legally required to delete your data and stop processing it.
  2. CAN-SPAM complaint (US) — Report to the FTC at spam@uce.gov
  3. Disable the alias — The quickest practical solution. One toggle and the compromised address stops receiving email entirely.
  4. Create a replacement — If you still use the service, create a new alias, update your account, and disable the old one.

If you do not know which it is

Check Have I Been Pwned first. If the address does not appear in any known breach, and the service's privacy policy allows third-party data sharing, it is likely that your data was sold or shared with marketing partners. Read the privacy policy — many companies disclose this (buried in legal language).

Prevention: the alias-per-service strategy

The best time to set this up is before a leak happens. With Cleanbox:

  • Free plan: 3 aliases — use for your most important services
  • Personal plan ($5/mo): 10 aliases — enough for most online accounts
  • Premium plan ($15/mo): 30 aliases + custom domains — a unique alias for everything

The cost of an alias is near zero. The cost of having your real email address in every marketing database and data breach is ongoing spam, phishing attempts, and lost privacy. Prevention is cheaper than cleanup.

For more on the alias approach, see Email Aliasing Explained: What It Is and Why You Need It.

Related articles

Cleanbox vs Traditional Email Security: Why Spam Gateways Are Overkill for SMBs

16 min read

Email Security Threats in 2026: A Comprehensive Overview

20 min read

The Best Free Email Tools for Privacy in 2026

10 min read

Ready to take control of your inbox?

Start protecting your email with Cleanbox — free plan available, no credit card required.

Get started free