
You don't need to hack someone's account to send mail as them, you just need a server that will get into the popular services. That's the reason social graphs are sensitive, match up people who trust each other and send them messages as each other.

Interesting point about password resets though, if you can read (have hacked) the email you're into pretty much any account. BTW, in case you're unaware, any Android/iOS device can run Google Authenticator and generate 2FA tokens. Email behind 2FA is probably the best security/friction tradeoff for that sort of message, but not many people use it.



> You don't need to hack someone's account to send mail as them, you just need a server that will get into the popular services.

They emailed me on an address only used by them in their email, and not in any other service. The only way I could get spam on that address is if their email was hacked. (Either remote, or locally via their desktop.)



I think 'ars is saying that these are "personalized" email addresses: there is a separate one for each person from whom 'ars wants to receive email. Assuming these addresses aren't easily guessable/enumerable, and aren't on any lists stolen from or sold by service providers, the spammer must have gotten them somewhere else.


The problem is that pretty much every one of them has probably given one or more services access to download their contact data to connect them to their friends, so any number of services other than their e-mail likely contains these personalized e-mail addresses.

Someone has likely been hacked or sold/leaked data, but he should assume that those addresses have been spread quite a bit voluntarily by his friends/associates.


OK, that makes sense.



