← All reports

Domain Registration 'deleteduser.com' Functions as Active PII Funnel for Deactivated Accounts

Privacy & SurveillanceApr 18, 2026score 0.513 posts · 0 replies across 2 instances
The domain deleteduser.com is actively being used by multiple organizations to harvest and collect Personally Identifiable Information (PII) belonging to individuals whose accounts have been deactivated or 'deleted'. The discovery revealed that the domain owner received emails containing real PII from at least three separate organizations within a single hour. Users are reporting on the mechanism of this vulnerability. @[email protected] discovered the issue after registering the domain and monitoring for pattern emails. @[email protected] framed the domain explicitly as a '$15 PII Magnet,' linking to detailed analysis. All presented data centers on the unauthorized leakage of sensitive user data linked to this single domain. The overwhelming consensus confirms deleteduser.com functions as a point of massive data leakage. The evidence strongly suggests multiple organizations are improperly handling or leaking PII associated with dormant accounts through this domain structure.

Key points

SUPPORT
The domain deleteduser.com is actively collecting PII from deactivated user accounts.
Multiple organizations are confirmed to send emails containing actual PII of 'deleted' individuals via this domain, as documented by @[email protected].
SUPPORT
The leakage was observed rapidly, with multiple sources implicating the domain.
Within one hour of monitoring, @[email protected] noted receiving signals from at least three different organizations.
SUPPORT
The situation is categorized as a high-risk privacy threat.
The issue was explicitly labeled a '$15 PII Magnet' by @[email protected], indicating significant security concerns.
SUPPORT
The issue is not a debate; it is a confirmed vulnerability.
There was no clear controversy; all posts focused solely on confirming and detailing the mechanism of the data leak.

Source posts

@[email protected]
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with [email protected] or similar. The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email. And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D #infosec
5 boosts · 6 favs · 3 replies · Apr 14, 2026
#infosec
@[email protected]
Deleteduser.com —a $15 PII Magnet https://mike-sheward.medium.com/deleteduser-com-a-15-pii-magnet-c4396eb21061 #Security #Privacy #DataBreach
1 boosts · 1 favs · 0 replies · Apr 18, 2026
#security#privacy#databreach
@[email protected]
I wrote up this cursed discovery with more details: mike-sheward.medium.com/deleteduser-com-a-15-pii-magnet-c4396eb21061 #infosec
1 boosts · 0 favs · 0 replies · Apr 15, 2026
#infosec