Your Email Address Is the Skeleton Key to Your Whole Identity
Your email is the join key for nearly every breach database and data broker profile. Here's why that's risky, and how aliasing breaks the link.
In 2025, the threat-intelligence firm Synthient pushed a single dataset into Have I Been Pwned: 2 billion unique email addresses and 1.3 billion unique passwords, harvested from credential-stuffing lists scraped across the open and criminal internet (HIBP). If your email has been online for more than a year or two, statistically it's in there. And that's the problem this post is about — not the breach itself, but what your email becomes after enough breaches stack up.
One-sentence answer: Your email address is dangerous because it's the single identifier that links your breached passwords, your data broker profile, and your account recovery for nearly every site you've ever signed up for.
TL;DR
- The average internet-using American's email appears across multiple Have I Been Pwned breaches; checking yours takes 10 seconds.
- Data brokers use email as a primary "join key" to merge breach records, public records, and purchase histories into a single profile.
- Credential stuffing turns one leaked password into attempts against hundreds of sites, because attackers know people reuse.
- The fix isn't a stronger password. It's a different email address per signup — using an aliasing service.
- Separating your emails breaks the join key, which breaks the link between your leaks.
Your email is the most reused identifier in your life
Think about how many places you've typed it. Banking. Shopping. Doctor portals. Your kid's school. Every newsletter you regretted. Every food-delivery app you used twice. The HR portal at three jobs ago.
Now think about how many of those have been breached. A 19-billion-leaked-password study released in 2025 found that 94% of leaked passwords are reused or duplicated across multiple accounts (Deepstrike). The 2025 Verizon DBIR reported that stolen credentials were the initial access vector in 22% of all confirmed breaches (Verizon).
The password is the obvious problem. The email is the silent one. Because the email is what makes every one of those breached records findable and joinable.
How "credential stuffing" turns one leak into hundreds
Credential stuffing is the laziest, most effective attack on the internet right now. Here's the chain:
- A site you signed up for in 2017 gets breached. Username (your email) and password are exposed.
- The dump gets sold, traded, or dumped publicly within weeks.
- Attackers feed your email/password combo into automated tools that try it against hundreds of sites — Netflix, PayPal, your bank, Instagram, gaming accounts, AWS, your work SSO.
- Even at a success rate of around 0.1%, the math works because volume is free (OWASP).
Notice what carries through every step: your email. The password is the key being tried, but the email is the doorknob. Without a consistent email identifier across sites, the attack falls apart — there's no way to know that "[email protected] on site A" is the same person as "[email protected] on site B."
Data brokers do the exact same thing — legally
Data brokers don't run credential stuffing. They run something arguably worse: identity resolution. Their entire business model depends on taking fragments of information from different sources — a court filing here, a marketing list there, a breach dump on a third site — and merging them into a single profile.
To merge two records, you need a shared key. Name plus zip code helps. Phone number is useful. But the most reliable join key for online records is email address, because it's unique, structured, and almost always present.
When LexisNexis Risk Solutions or Acxiom builds a profile on you, your email is one of the spines they hang every other data point on. LexisNexis alone claims data from over 37 billion public records plus billions more from commercial sources (Tom Kemp). Knitting that together at scale requires a stable identifier per person. Email is it.
This is why our pillar post on why leaks happen but the link is the real risk argues that a single data point is rarely the harm — the harm is what gets joined to it. Email is the joining.
Phishers love your email for a different reason
There's a third group reading your inbox address: phishing operators. When a phisher knows your email appeared in the Adobe breach AND the LinkedIn breach AND the Dropbox breach, they don't have to guess which platforms you use. They already know. That informs the lure.
You get an "urgent security alert" that names the exact platform you actually use, because the attacker bought a breach dump that confirms you're a customer. The phish lands not because it's clever but because it's accurate.
The fix: one email per signup
You can't unleak your existing email. You can stop making it worse.
Email aliasing services give you a fresh, working email address for every site you sign up for. Mail sent to that alias forwards to your real inbox. The site sees [email protected]. The bank sees [email protected]. The streaming service sees [email protected]. To them, you're three different people.
When one of those sites inevitably gets breached, the leaked record contains an alias that exists nowhere else. There's nothing to join it to. Credential stuffing fails because the email-password pair doesn't appear on any other site. Data brokers can't merge the record into your existing profile because they don't know the alias maps to you. Phishers don't know what other platforms you use.
You break the join key. That breaks the link.
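To make the join concrete, here is an added Python example (not from this post or any broker's code) that runs the identity-resolution step described above over constructed breach records, once with one shared email and once with a per-site alias, and also lists the email/password pairs that surface on more than one site. It assumes brokers canonicalise addresses (case, Gmail dots and plus tags) before joining, which is why plus-addressing is not a substitute for a real alias.

```python
from collections import defaultdict

# Constructed sample breach records as (site, email, password); not real data.
# Case 1: one shared email across three breached sites, plus an unrelated user.
SHARED_EMAIL_LEAKS = [
    ("shop-2017", "jane@example.com", "Summer2017!"),
    ("forum-2019", "Jane@Example.com", "Summer2017!"),
    ("fitness-2021", "jane@example.com", "Summer2017!"),
    ("fitness-2021", "bob@example.com", "hunter2"),
]
# Case 2: the same person, but a unique alias on every signup.
ALIASED_LEAKS = [
    ("shop-2017", "shop.k3x9@duck.com", "Summer2017!"),
    ("forum-2019", "forum.p7q2@duck.com", "Summer2017!"),
    ("fitness-2021", "fit.m1z8@duck.com", "Summer2017!"),
    ("fitness-2021", "bob@example.com", "hunter2"),
]
# Case 3: plus-addressing and Gmail dots, which canonicalisation undoes.
PLUS_TAG_LEAKS = [
    ("shop-2017", "Jane+shop@gmail.com", "Summer2017!"),
    ("forum-2019", "ja.ne+forum@gmail.com", "Summer2017!"),
]

def normalize(email: str) -> str:
    """Canonicalise before joining (assumed broker behaviour): case-fold,
    and for Gmail drop the +tag and the dots, which Gmail itself ignores."""
    local, _, domain = email.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def resolve_profiles(records):
    """Identity resolution on the email join key.
    Returns {canonical_email: sorted list of breached sites it appeared in}."""
    profiles = defaultdict(set)
    for site, email, _password in records:
        profiles[normalize(email)].add(site)
    return {key: sorted(sites) for key, sites in profiles.items()}

def stuffing_candidates(records):
    """(email, password) pairs leaked from more than one site: the attacker now
    knows this person reuses that pair and which platforms they use.
    A unique alias per site can never qualify."""
    seen = defaultdict(set)
    for site, email, password in records:
        seen[(normalize(email), password)].add(site)
    return {pair: sorted(sites) for pair, sites in seen.items() if len(sites) > 1}
```

With the shared email, three breaches collapse into one profile and one confirmed reused credential; with aliases, every record stays an island, while the plus-tagged addresses still merge.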
The four aliasing services worth knowing
| Service | Free tier | Paid tier | Best for |
|---|---|---|---|
| Apple Hide My Email | Included with iCloud+ (starts $0.99/mo) | Same | iPhone-only households; integrated everywhere Apple is |
| SimpleLogin (Proton) | 10 aliases free | $30/yr unlimited | Cross-platform; open source; can send from aliases |
| Firefox Relay | 5 aliases free | $0.99/mo unlimited | Firefox users; simplest setup |
| DuckDuckGo Email Protection | Unlimited aliases, free | — | Privacy-first default; strips trackers from forwarded mail |
A 2025 comparison of these tools by State of Surveillance ranked SimpleLogin highest on overall feature set, with DuckDuckGo's free unlimited option as the best no-cost pick (State of Surveillance). All four hit the core job: every signup gets a unique address.
Walkthrough: setting up DuckDuckGo Email Protection in 5 minutes
DuckDuckGo's free, unlimited option is the easiest entry point:
- Visit duckduckgo.com/email/login and create a @duck.com address (this is the address that holds all your aliases).
- Enter the personal inbox where forwarded mail should land.
- Install the DuckDuckGo browser extension on your laptop, or the DuckDuckGo Privacy Browser on your phone.
- Next time you hit a signup form, click the email field — a "Generate Private Duck Address" button appears.
- Tap it. A unique address like [email protected] gets created and pasted. Mail to that address forwards to your real inbox, with trackers stripped.
The whole thing takes about as long as ordering coffee.
What you can do today
- Check what's already out there. Go to haveibeenpwned.com and search your primary email. Count the breaches. If it's more than three, your email is officially a join key.
- Pick an aliasing service. DuckDuckGo if you want free and unlimited. SimpleLogin if you want the most features. Apple Hide My Email if you live in Apple's ecosystem.
- Don't migrate everything at once. Start using aliases for new signups today. That alone caps the damage.
- Replace high-value account emails over the next month. Banking, email, primary social. Use a dedicated alias per account, never reused.
- Lock down recovery. Your email is also the recovery channel for your phone number — see our piece on how SIM-swap attacks chain through your email. Then pair the cleanup with the 50-site data broker opt-out list so brokers can't keep rebuilding what you just split apart.
The CTA
Aliasing breaks the join key going forward. It doesn't unjoin what's already been merged. Leak Check Me's privacy agent scans the major broker sites, helps prepare eligible opt-out actions for the profile they've already built around your email, and patrols for relistings. One scrub mission is $20.
Sources
- Have I Been Pwned — Synthient Credential Stuffing Threat Data
- Have I Been Pwned
- Deepstrike — Compromised Credential Statistics 2025
- Verizon — 2025 DBIR research on credential stuffing
- OWASP — Credential Stuffing
- Tom Kemp — A Closer Look at Data Brokers' Sources of Data
- State of Surveillance — Best Email Alias Services 2026
- DuckDuckGo Email Protection — Help Pages