How to protect your email address from data breaches
Data breaches expose millions of email addresses every year. Once your address is in a leaked database, you become a target for spam, phishing, and credential stuffing attacks. This article explains practical steps to minimize your exposure.
The problem
When you sign up for a service with your real email address and that service gets breached, your email is now:
- In breach databases that are traded publicly
- Sold on dark web marketplaces
- Used in automated spam and phishing campaigns
- Tried in credential stuffing attacks (attackers try your email + common passwords on other services)
You cannot undo a breach. Once your address is out there, it stays out there.
Prevention: one alias per service
The single most effective protection is to never give out your real email address. Instead, create a unique alias for every service you sign up for.
How this protects you
| Scenario | Without aliases | With aliases |
|---|---|---|
| Service gets breached | Your real email is exposed. Spam hits your main inbox. | Only the alias is exposed. Disable it — spam stops instantly. |
| Credential stuffing | Attackers try your email on other sites. If you reuse passwords, they get in. | Each alias is unique. The attacker cannot connect it to your other accounts. |
| Identifying the source | Spam arrives — you have no idea which service leaked. | Spam arrives on a specific alias — you know exactly which service was breached. |
Example workflow
- Sign up for an online store using store-amazon@cleanbox.me
- Six months later, that store gets breached
- Spam starts arriving on store-amazon@cleanbox.me
- You disable the alias — spam stops immediately
- Create a new alias for the store if you still want to use it
- Your real email address was never exposed
Additional protection layers
Use unique passwords everywhere
Even with aliases, always use a unique password per service. A password manager (1Password, Bitwarden, etc.) makes this effortless.
Enable two-factor authentication
Enable 2FA on your Cleanbox account and on every important service. Even if your password is compromised in a breach, 2FA prevents unauthorized access.
Monitor your aliases
If an alias you created for a specific service suddenly receives spam from unrelated senders, that service likely sold or leaked your data. Disable the alias and consider closing your account with that service.
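The check described under "Monitor your aliases", sketched in Python as an added example (not Cleanbox code and not part of the original article). The alias-to-sender-domain mapping, the function names and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed mapping: alias -> domains the service is expected to mail from.
EXPECTED = {
    "store-amazon@cleanbox.me": {"amazon.com"},
    "bank-main@cleanbox.me": {"examplebank.test"},
}

# Constructed sample messages (headers only), not real mail.
SAMPLE = [
    "From: Orders <orders@amazon.com>\nTo: store-amazon@cleanbox.me\nSubject: Shipped\n\n",
    "From: deals@mail.amazon.com\nTo: store-amazon@cleanbox.me\nSubject: Sale\n\n",
    "From: Win <promo@cheap-pills.test>\nTo: store-amazon@cleanbox.me\nSubject: Hi\n\n",
    "From: x@lotto-prize.test\nTo: <Store-Amazon@cleanbox.me>\nSubject: Winner\n\n",
    "From: alerts@examplebank.test\nTo: bank-main@cleanbox.me\nSubject: Statement\n\n",
]

def domain_matches(sender_domain, allowed):
    """True if sender_domain equals an allowed domain or is a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def unrelated_senders(raw_messages, expected=EXPECTED):
    """Map each known alias to the sender domains outside its expected set."""
    hits = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rpartition("@")[2]
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Delivered-To", []))
        for _, addr in recipients:
            alias = addr.lower()  # aliases are compared case-insensitively
            if alias in expected and not domain_matches(sender_domain, expected[alias]):
                hits[alias].add(sender_domain or "<missing sender>")
    return dict(hits)

def leaked_aliases(raw_messages, min_domains=2):
    """Aliases hit by at least min_domains distinct unrelated sender domains."""
    found = unrelated_senders(raw_messages)
    return sorted(a for a, domains in found.items() if len(domains) >= min_domains)

if __name__ == "__main__":
    for alias in leaked_aliases(SAMPLE):
        print("likely leaked:", alias)
```

The From header is set by the sender, so this only catches senders that do not forge the service's domain. Requiring two or more distinct unrelated domains keeps a single stray message from flagging an alias.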
Use Shield for sensitive aliases
For aliases tied to financial services or healthcare providers, enable Shield with Gatekeeper mode. Only approved senders can email that alias — even if the address leaks, unauthorized senders are automatically rejected.
If your email is already compromised
If your real email address is already in breach databases:
- Change passwords on every service that uses that email
- Enable 2FA everywhere possible
- Start using aliases going forward — you cannot un-breach your email, but you can stop giving it out
- Set up filters in Cleanbox to deny emails from known spam patterns
- Whitelist trusted senders and let Cleanbox spam detection handle the rest
The long-term strategy
Over time, as you replace your real email with aliases on each service, your exposure shrinks. Old breaches become irrelevant because the leaked alias is disabled. New services only know your alias. Your real address gradually disappears from the internet.
This is the core value of email aliasing: not just convenience, but damage containment. Each alias is a firewall between one service and your real identity.