A security researcher discovered that many applications handle user deletion by overwriting email addresses with placeholder domains like deleteduser.com, rather than fully deleting records. This practice exposes Personally Identifiable Information (PII) through misdirected emails and reveals widespread non-compliance with privacy regulations. The article highlights a critical data handling vulnerability affecting numerous services.
Background
GDPR and CCPA regulations require services to delete user data upon request, but many systems were not originally designed for true data deletion. Instead, they often overwrite fields to maintain database integrity while technically complying with deletion requests.
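The pattern described above, as an added example that is not code from the summarised article: the placeholder-domain "deletion" beside a scrub that actually removes the PII, a send-time guard, and an audit that finds rows still carrying placeholder addresses. The `User` record, the sample rows and the placeholder-domain set are constructed for illustration; a real audit would list every placeholder domain the codebase has ever used.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed for this example; deleteduser.com is the domain named in the summary.
PLACEHOLDER_DOMAINS = {"deleteduser.com"}


@dataclass
class User:
    id: int
    email: Optional[str]
    name: Optional[str]
    deleted: bool = False


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def weak_delete(user: User) -> User:
    """The practice the article criticises: the row survives and the address is
    rewritten to a domain the service does not control. Any later notification
    to this row is delivered to whoever owns that domain."""
    user.email = f"user{user.id}@deleteduser.com"
    return user


def scrub_delete(user: User) -> User:
    """Hardened variant: keep only the numeric id for referential integrity,
    null every PII column and flag the row so mailers and exports skip it."""
    user.email = None
    user.name = None
    user.deleted = True
    return user


def may_send(user: User) -> bool:
    """Send-time guard: never address deleted rows or placeholder domains,
    so a leftover placeholder address cannot become a misdirected email."""
    if user.deleted or not user.email:
        return False
    return _domain(user.email) not in PLACEHOLDER_DOMAINS


def audit_placeholders(users: Iterable[User]) -> List[int]:
    """Detection: ids of rows that still hold a placeholder-domain address."""
    return [u.id for u in users if u.email and _domain(u.email) in PLACEHOLDER_DOMAINS]
```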
- Source: Lobsters
- Published: Apr 18, 2026 at 09:19 AM
- Score: 7.0 / 10