
Deleteduser.com — a $15 PII Magnet

Companies routing GDPR deletions to unowned placeholder domains leak PII — a researcher's registration of deleteduser.com exposed the pattern across 30+ organizations including hospitality, energy, and delivery services.

Saturday, April 18, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline

Because of database constraints, many applications implement GDPR/CCPA deletions by overwriting the user's email address with a placeholder value such as "something@deleteduser.com" instead of actually removing the record. A researcher registered the unowned deleteduser.com domain and received PII-containing emails from 30+ organizations, including hospitality platforms, energy companies, and delivery services. The finding shows how soft-delete shortcuts that rely on an external placeholder domain create unintended data exfiltration channels.
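The pattern above can be audited in a user table. The following is an added example, not code from the researcher or the source article: it flags soft-deleted rows whose placeholder address sits on a domain a third party could register, and proposes a tombstone under the reserved `.invalid` TLD (RFC 2606 / RFC 6761). The `id`/`email`/`deleted_at` schema, the sample rows and the `deleted.invalid` name are assumptions.

```python
# Added example: audit soft-deleted rows for placeholder addresses on routable domains.
# The schema (id, email, deleted_at) and the sample rows are constructed for illustration.

# Names reserved by RFC 2606 / RFC 6761: nobody can register them, so no mail is delivered.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}


def domain_of(email):
    """Return the lower-cased domain part, or '' if the value has no '@'."""
    _, sep, domain = email.rpartition("@")
    return domain.strip().rstrip(".").lower() if sep else ""


def is_undeliverable(domain):
    """True when the domain is reserved and can never be registered by a third party."""
    if not domain:
        return True
    if domain in RESERVED_DOMAINS or any(domain.endswith("." + d) for d in RESERVED_DOMAINS):
        return True
    return domain.rsplit(".", 1)[-1] in RESERVED_TLDS


def audit_tombstones(rows):
    """Return soft-deleted rows whose placeholder address is on a registrable domain."""
    return [r for r in rows if r["deleted_at"] and not is_undeliverable(domain_of(r["email"]))]


def safe_tombstone(user_id):
    """Per-user placeholder (assumes a UNIQUE, NOT NULL email column) on a reserved TLD."""
    return f"deleted-{user_id}@deleted.invalid"


ROWS = [  # constructed sample data
    {"id": 1, "email": "alice@customer.example", "deleted_at": None},
    {"id": 2, "email": "something@deleteduser.com", "deleted_at": "2026-01-05"},
    {"id": 3, "email": "deleted-3@deleted.invalid", "deleted_at": "2026-02-11"},
    {"id": 4, "email": "bob@corp-mail.test", "deleted_at": None},
]

if __name__ == "__main__":
    for row in audit_tombstones(ROWS):
        print(f"user {row['id']}: {row['email']} -> {safe_tombstone(row['id'])}")
```

Rewriting the address does not stop mail on its own if other tables or third-party systems still hold the old placeholder, so the same audit applies to every store that copies the email column.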
