I use a unique email alias for every website I sign up for, including Fedora. Recently, I received a spam email on the alias I specifically created for this forum. Since this alias was never used elsewhere, it suggests that my email may have been exposed in some way—either through a data breach, a vulnerability, or bots mining user information.
Has anyone else experienced this? Could there be a leak or an issue with how emails are handled on the Fedora forum? I’d appreciate any insights.
Logged in users can see email addresses. So, I guess some spammer took the time to make an account to find other addresses.
You can set the ‘privacy’ checkbox in the account system to not show most data, but Privacy Statement for the Fedora Project :: Fedora Docs notes that email address may well be public always. We can see if we can hide email more, but as noted in the link above some services we use use email address as the account name.
It does indeed, but it provides a right of opt-out. I’ve just exercised that right by going to the Settings on my Fedora account and checking the “Private” box.
But even before I did that, when I went to my profile on this Fedora Discussion website, in the “Preferences” tab my email address was shown with a label under it stating “Never shown to the public”.
Does the forum then hide email addresses even if “Private” isn’t switched on in the Fedora account itself?
The Discourse platform itself does hide the email addresses, but some of the other systems around here (e.g. FAS, Bugzilla) don’t (when the user is logged into those services).
You can check that for yourself by accessing your (or other’s) Fedora Account System page
at https://accounts.fedoraproject.org/user/some-account-name/.
So, I guess some spammer took the time to make an account to find other addresses. 