Not OK Cupid – A story of poor email address validation

Original Article ↗ Hacker News Discussion ↗

Broken basics & “enshittification”

  • Several commenters generalize the blog’s issue to a broader sense that basic web functions are routinely broken: unsubscribes fail, logins don’t work, payment pages are dead, and sites give no way to contact support.
  • One example: severe input lag and jumbled typing in Google Search on Android unless you wait ~30 seconds, seen as unacceptable for a core, cash-rich product.
  • Some frame this as part of a general “enshittification” of tech, where things feel constantly broken and nobody is accountable.

Email validation failures & misdirected accounts

  • Many report accounts or notifications created with their email at banks, credit bureaus, retailers, Amazon, Apple, PayPal, Venmo, credit card companies, universities, and more.
  • Consequences range from nuisance spam to serious exposure: job offers missed, factory IT/SCADA credentials sent to the wrong person, detective crime-scene videos, utility bills, and personal identifiers (e.g., national ID numbers) revealed.
  • People with common or short Gmail usernames are especially affected.

Dating apps, OkCupid, and misaligned incentives

  • OkCupid is widely described as having declined sharply: more bots and scams, less trustworthy, worse user experience, especially post-acquisition by Match Group.
  • Others counter with positive past experiences, including long-term relationships and marriage, but agree the service has changed since roughly 2010–2015.
  • Broader critique: dating apps’ business model is to maximize engagement and recurring fees, not successful matches (which cause churn).
  • Ideas floated include nonprofit matchmaking or escrow-based “pay on successful match/marriage” models, but commenters doubt consumer willingness to pay and note practical and incentive problems.

Coping with spam & legal angles

  • Common strategies: marking as spam, creating filters to auto-delete, or using aliases to kill a compromised address. Some threaten CAN-SPAM complaints; links to the FTC’s fraud/spam reporting portal are shared.
  • There is skepticism that complaints or blog “shaming” will materially change behavior; filters are seen as the only reliable defense.

Email as identity, security questions & aliases

  • Using email as a login ID is criticized as insecure (password reuse, massive exposure of addresses) and impractical for users who change providers.
  • Some advocate owning a personal domain for a “lifetime” email identity.
  • Security questions are seen as weak; advice is to answer with password-manager-generated phrases, though this may clash with phone-based support workflows.
  • Fastmail-style masked emails, custom-domain catch-alls, and vendor-specific aliases are praised as powerful tools to manage spam and identify leaks, though managing hundreds of aliases requires supporting tools and clients.

Security & ethics around misdirected accounts

  • Some users “take over” misdirected accounts (resetting passwords, changing details) to stop spam; others argue this is unethical and possibly illegal (e.g., CFAA), even if companies and mis-typers are careless.
  • An additional OkCupid-specific issue is noted: emailed match links that auto-log into accounts; a report of this was allegedly marked WONTFIX.