Because of the username. Many people forget their own username, for example: my username is pineapple and someone else's is pineapple2. And they end up using their username to recover their password. If your username is a common namesake, word or homonym, this makes the situation worse.
I have a friend with a firstname.lastname@gmail.com account.
Someone out there apparently doesn’t realize that address doesn’t belong to them, because for 10 years he has been getting signup confirmations, appointment reminders, and very personal correspondence meant for the confused individual.
Over the years I have and continue to receive emails destined for other people. After years of trying to help people realize the errors of their ways (sometimes you just can't find the destined people).
Some of my favourites are the tax information (and other common business related correspondence) on their Disney songwriting royalties (I make more before my first coffee break than they do all year on streaming revenue, but they've got a fair number of songs), there is also a bank account tied it in Peru (CFO doesn't care but I'm not locking her out - I do have some compassion.. not much but it's there), but OTOH I've permanently locked people out of their brand new iPhones because they all choose to use my email address, or the person on the other end types it in wrong for them. I also think people don't read what their browser saves and later populates for them.
People will also just randomly give out fake addresses (that are real) when signing up to just to get a discount.
It's a single word that was popularized through pop culture years after I created it, and one letter away from being a traditional western name (and also one character toggled from a popular Hispanic one).
Also a very wealthy PTA mom in Mountain View uses my email address all the time. Our children are doing very well.
Sites should always confirm an address by having you authenticate a link before permanently using it in perpetuity. It would stop a lot of bad actions.
I mark as spam all emails coming from companies that don't have a link to remove the email from the account that triggered it because someone added it by mistake or maliciously.
I was just reading more about the Estonian developers of it there, BlueMoon Interactive. They also created the FastTrack P2P protocol and wrote Skype. Pretty impressive group there.
