Blog / Identity Theft

What someone can do with your email address: Threats and protection explained

There’s not much you can do online without setting up an email address first. Want to preview an app? Use your email address first to create an account. Looking for a discount code? You’ll have to sign up with an email address to claim the perks. We give out our email address to so many platforms that it’s unlikely we could list them all. However, this widespread sharing can have a darker side — with some luck on their side and misfortune on yours, another user might gain access to your email address.

Author image

Kamilė Vieželytė

June 10, 2025

9 min read

What information does your email address hold?

By itself, your email address might not reveal much — only the username you’ve chosen and the domain of your email provider. For instance, if your email address is [email protected], the “name” refers to your username, and the “emailprovider” is the domain.

The username is as revealing as you decide it should be. It might be your full name or abbreviation, your birthday, a nickname you like using online, or even a random combination of numbers and letters. The more it reveals about your identity upon first glance, the more information others can absorb from it.

It’s important to know that email usernames are a one-and-done deal. Once you’ve set it, you can’t change it, and the only way to have a different username is to create a new email account. The longer you use your email address, the more it pops up online as verification for different accounts and services. Someone might trace back your email from account A to account B, learning more about your online activities or your personal information in the process. 

What can someone do with your email address?

Knowing your email address opens ways to find you deeper down the internet. If your username is your full legal name, someone can look up more personal information, like your date of birth, country of residence, employment, or family.

With just an email address, they can’t peek inside your inbox, learn all your online accounts, or directly intercept your letters. However, they can use this information to conceive schemes targeting you specifically. And if someone gained access to both your username and password, your personally identifiable information and sensitive data would be at risk of being exposed.

What can someone do with your email without a password?

Without a password, malicious actors can’t cause direct harm to your email account. However, they can use phishing emails, spam, and attempt password resets to disrupt how you use your inbox.

By looking up your email address online, they might access public information associated with your personal accounts and use it to create the perfect spear phishing campaign to target you.

Spear phishing is a type of social engineering attack when cybercriminals pick one particular user and create scams that they would be specifically susceptible to. For example, if they know you’re interested in rare collectibles, they’ll send phishing emails pretending to be a retailer. Before reaching out to you directly, they’ll build a fake marketplace website that they’ll use to obtain your email address, password, and credit card information.

Your inbox can become the top destination for spam mail. Anyone can enter your email address to sign up for newsletters or annoying email lists, flooding you with daily junk mail. Although this can seem like an annoying prank at first, it can become more malicious.

If your email gets spread around, you might start seeing an influx of spam letters with suspicious links or attachments. These regular phishing attacks are widespread, and the content is more generic than spear phishing. However, they’re highly effective, as they remain one of the most common ways hackers gain access to login credentials.

Even if they can’t access your inbox directly, cybercriminals can request account resets related to your email address. This can be done in tandem with brute force attacks. Criminals force you to reset your account password, expecting you to use a combination that is memorable and easier to breach. If they figure out the new password, they can attempt to break into your account.

What can someone do with your email with a password?

If someone has your email address and password, you risk losing access to your email account, especially if you don’t have multi-factor authentication (MFA) switched on. They can log in to your account, immediately change the login credentials, and switch on MFA to their devices, preventing you from accessing it.

Once inside your inbox, criminals can read your private communications, intercept your mail, and commit identity theft by sending emails under your username. If you use a multiservice account like Gmail or Microsoft Office, they can interfere with all services associated with the account, like cloud storage or personal contacts.

The damage doesn’t end here. Cybercriminals can see which accounts you signed up for using this email address. They can attempt to log in to these accounts and change passwords. If you’re unable to access your email anymore, you can be fully locked out of these compromised accounts, too.

If you’ve used this email to sign up for services like banking, government portals, or medical insurance, cybercriminals may be able to commit identity theft and financial fraud. They can steal sensitive information, like your full address or Social Security number, and put it on the dark web.

By gaining access to a single account — your email — cybercriminals can completely wreck your digital identity and endanger your personal information.

How do hackers get your email address?

You don’t necessarily have to be a hacker to find someone’s email address. Like your name or phone number, an email address is easy enough to find on public websites. However, cybercriminals usually look for email addresses to exploit in databases gathered from data breaches.

When a company or a website experiences a data breach, the stolen data usually contains usernames, email addresses, payment information, and account passwords. Cybercriminals can then compare email addresses they’ve gathered against the breach data to find matching passwords.

What are the signs that your email address has been leaked?

Receiving the occasional spam email or two doesn’t necessarily mean your email has been leaked. However, if you’re seeing an influx of phishing emails out of nowhere, your email address might be impacted by a data leak.

Although phishing emails can look very similar to legitimate communication, you can keep an eye out for specific red flags:

  • Check the sender’s email domain. It might look similar to a real email address but contain different symbols, like a “0” instead of an “o” or a lowercase “L” instead of an uppercase “I”.
  • It’s recommended not to open suspicious emails and move them to the junk folder. However, if you’ve opened the email, you can compare it against a legitimate email. If the sender refers to you by your email username, that’s probably all the information they have about you. Check for obvious misspellings, which usually also indicate a phishing email.
  • If you’re on a desktop, hover over any buttons and hyperlinks, but don’t click them. If you see abbreviated links or domains similar to but not an exact match for a real service, the email is likely a phishing attempt.
  • See if the email contains any attachments. Your email provider may automatically scan these to detect malicious software. Never download or open any attachments to suspicious emails.

You might see frequent unsuccessful attempts to access your email or other online accounts, receive password reset requests, or get alerts on your authenticator app to verify new login sessions.

What can you do if a scammer has your email address?

If a scammer has gained access to your email address, the damages can range from restricted account access to identity theft. Scammers can reset the passwords of accounts registered with your email, locking you out of numerous services. They can also change the password of your email account and update recovery methods, locking you out completely.

Cybercriminals might create new accounts and send emails impersonating you, essentially stealing your identity. If you use the impacted email account to access your banking account, criminals can attempt to access and steal your financial details.

If you'd like to learn more, take a look at our guide on what to do if a scammer has your email address.

How to prevent your email address from being leaked or breached

Email security can be fickle — you can’t always ensure that your email address won’t be published without your consent. However, you can pick up secure email management habits to help prevent your account from falling into the wrong hands.

Review your existing accounts

Sometimes, you create an account that you use once and never again. While it rests in the back of your mind, cybercriminals might be evaluating how much this account is worth. Review which online accounts use your email address and deactivate those you deem no longer necessary.

Think before you sign up

Likewise, consider before you sign up for new online services with your email address. Can you view the website as a guest, or is an account really necessary to access all features? Consider how secure the site is and keep track of the accounts you create.

Create a secondary email address

If you need to use an email address for multiple services but don’t want your personal information exposed, you can create a secondary email address. Then, you can dedicate your primary email to important mail and accounts only, while the secondary serves as a burner account for unwanted emails and spam.

Set up email filters

If your account is swamped by suspicious emails, you can set up filters in your inbox to sift them out. Spam filters look for malicious links and attachments and redirect these emails into the junk folder.

Reinforce account security

If you suspect someone has access to your email address or has tried to get your password, you must ensure your account remains secure. Change your email password to a new, strong one that only you know. Set up multi-factor authentication and add biometric authentication to prevent someone from accessing your account without the verification device.

Use dark web monitoring

An average person handles around 168 passwords. Manually tracking nearly two hundred accounts would be a full-time job. Instead, you can use a dark web monitoring service like NordProtect that automatically checks if your email address, phone number, or Social Security number has been exposed.

Protect yourself from identity theft

The biggest threat posed by a stolen email account is identity theft. Cybercriminals can use your personal data and an account solely tied to you to impersonate you and commit crimes in your name. To keep your personal information secure, you can get NordProtect’s identity theft protection service. If you became a victim of identity theft, you could be reimbursed up to $1M for eligible recovery costs.

Your email address is your digital signifier, indicating who you are online. With NordProtect, you can keep the threads of online accounts leading back to your email strong and your identity protected.

Author image
Kamilė Vieželytė

Kamilė is curious about all things compliance. She finds the prospect of untangling the complicated web of cybersecurity legislation satisfying and aims to make the nuances of identity theft prevention approachable to all.

The credit scores provided are based on the VantageScore 3.0® credit score by TransUnion® model. Lenders use a variety of credit scores and may utilize a different scoring model from VantageScore 3.0® credit score to assess your creditworthiness.

You have numerous rights under the FCRA, including the right to dispute inaccurate information in your credit report(s). Consumer reporting agencies are required to investigate and respond to your dispute but are not obligated to change or remove accurate information that is reported in compliance with applicable law. While this plan can provide you assistance in filing a dispute, the FCRA allows you to file a dispute for free with a consumer reporting agency without the assistance of a third party.

No single product can fully prevent identity theft or monitor every single transaction.

Some features may require authentication and a valid Social Security Number to activate. To access credit reports, scores, and/or credit monitoring services (“Credit Monitoring Services”), you must successfully pass your identity authentication with TransUnion®, and your VantageScore 3.0® credit score file must contain sufficient credit history information. If either of these requirements is not met, you will not be able to access our Credit Monitoring Services. It may take a few days for credit monitoring to start after a successful enrollment.

NordProtect's dark web monitoring service scans various sources where users' compromised personal information is suspected of being published or leaked, with new sources added frequently. However, there is no guarantee that NordProtect will locate and monitor every possible site or directory where consumers' compromised personal information is leaked or published. Accordingly, we may not be able to notify you of all your personal information that may have been compromised.

Identity and cyber protection benefits are available to customers residing in the U.S., including U.S. territories and the District of Columbia, with the exception of residents of New York and Washington. Benefits under the Master Policy are issued and covered by HSB Specialty Insurance Company. You can find further details and exclusions in the summary of benefits.

Our identity theft restoration service is part of a comprehensive identity theft recovery package that offers a reimbursement of up to $1 million for identity recovery expenses. To access the support of an identity restoration case manager, you must file a claim with HSB, which NordProtect has partnered with to provide the coverage. HSB is a global specialty insurance company and one of the largest cyber insurance writers in the U.S.