Spam received at password recovery email


I received some spam to the email I registered as my Blockstack password recovery email. I didn’t expect that this email would be accessed by those sending spam. I don’t believe this email has been disclosed in any other context.

Is there an obvious explanation or is something unexpected going on here?


This seems unexpected to me. We don’t use email addresses in any way that should disclose them externally.


You could have given an app the permission to use your email address. This is the same as for the recovery.


I suppose that’s possible, though my understanding is that we’ve never actually passed email addresses to developers as part of the email scope. See


Then the issue is not up-to-date. I just managed to retrieve my user’s email address via scope ‘email’.


Thanks for testing – that’s news to me!


Tried to add the email scope, but Blockstack didn’t return the email address after authentication. Is there any other way we can get the email address?