On June 29, 2015, I received email from Travelocity thanking me for creating an account. I did no such thing—or, wait, did I have an account already? Sure enough, I set up one in 2006, according to my archived emails. Why this notification now? I wrongly assumed the thank-you message was a mistake, or even a marketing ploy, to get me to sign into the account. But who remembers a password from 9 years ago? So I clicked the forgot password link and had a new one sent.
I wouldn’t understand until later that someone in Florida created a new account using my email address. But Travelocity never sent confirmation to verify that the email address was valid or belonged to the person who signed up for the service. As such, by resetting the password, I had access to someone else’s account, which, fortunately, contained no personal information (like credit card numbers). But I didn’t understand this circumstance until later, when, in a routine check of my online accounts. I discovered an itinerary for a hotel stay that had just passed.