How a parent gave each child's account its own alias and caught a Roblox-era data leak

Caroline M.
Privacy-conscious parent of two · Melbourne, Australia
18 kids' service aliases on her custom domain

Kids' accounts are uniquely exposed

Caroline's two kids have accounts on Roblox, Minecraft, Discord, the school portal, Khan Academy, Brilliant, Duolingo, Code.org, and most of the kids' streaming services. Originally she'd used a single shared family Gmail for all of them — which meant every breach in the kids'-game space (and there have been many) exposed the family-wide identity. It also meant any parental-control settings tied to email arrived in the same inbox where she also handled school-PTA newsletters and pediatrician communications.

The privacy concern was obvious: kids' game accounts get breached more often than adult financial accounts because the security posture of the game vendors is lower and the attacker payoff (account takeover for in-game items) is high. Caroline wanted to make sure that when (not if) Roblox or Minecraft suffered another credentials leak, the address exposed in it wouldn't be the same address her bank, doctor, and child's school used.

The operational concern was equally important: she wanted visibility per kid and per service. If her older child's Discord started getting unusual recovery emails, she wanted to know immediately, in a way that distinguished it from her own Discord activity (she's on Discord too).

The setup: alias per kid per service, all routing to her

  1. Registered a short family-brand custom domain. Pointed MX at EmailAlias.io Premium.
  2. Generated one alias per kid per service. Pattern: <kid-name>-<service>@<family-domain>. Eighteen aliases across two kids and nine services.
  3. Set the kids' accounts to use those aliases for both login email and recovery email. Removed the shared family Gmail from every kid account's recovery flow.
  4. Configured exposure-detection alerts on every kid alias. Any spam or unusual activity is routed to her, not the kids. Kids don't see security alerts — she does.

What changed

Caroline now has a complete map of her kids' digital identity. When she occasionally audits the alias dashboard, she can see which aliases are quiet (normal), which are noisy (something happened — investigate), and which can be retired (kid moved on from that game).

The big catch came six months in: her younger child's Roblox alias started receiving Russian-language phishing emails for what looked like a game-credential reseller. Caroline checked: Roblox hadn't publicly disclosed a leak, but several smaller kids'-publishing platforms had. The phishing was new, the alias was specific, the conclusion was clear — somewhere in that publishing chain the kid's email had been resold. She reset the Roblox password, generated a fresh alias, updated the account, killed the leaked one. Done in 30 minutes.
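The triage behind that catch can be sketched in code. This is an added example, not EmailAlias.io's code and not part of the original case study: it attributes each forwarded message to a kid and service from the alias it was addressed to, then flags mail that does not come from that service. The domain `family.example`, the names `kid1`/`kid2`, the sender allow-list and the presence of an `Authentication-Results` header stamped by the receiving server are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FAMILY_DOMAIN = "family.example"  # placeholder for the family domain
# Assumed sender domains per service; confirm against mail you have really received.
EXPECTED_SENDERS = {"roblox": {"roblox.com"}, "discord": {"discord.com"}}

def parse_alias(address):
    """Split <kid-name>-<service>@<family-domain>; assumes kid names have no hyphen."""
    local, _, domain = address.lower().rpartition("@")
    kid, _, service = local.partition("-")
    return (kid, service) if domain == FAMILY_DOMAIN and kid and service else None

def triage(raw):
    """Classify one forwarded message by the alias it was addressed to."""
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    alias = parse_alias(rcpt)
    if alias is None:
        return rcpt, "not-an-alias"
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    from_ok = any(sender == d or sender.endswith("." + d)
                  for d in EXPECTED_SENDERS.get(alias[1], ()))
    # From is trivially forged, so also require a DMARC pass as recorded by the
    # receiving server (assumes it stamps an Authentication-Results header).
    dmarc_ok = re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", "")) is not None
    return rcpt, "expected" if (from_ok and dmarc_ok) else "exposed"

def exposed_aliases(raw_messages):
    """Count unexpected messages per alias; any alias listed here needs rotating."""
    hits = {}
    for raw in raw_messages:
        rcpt, verdict = triage(raw)
        if verdict == "exposed":
            hits[rcpt] = hits.get(rcpt, 0) + 1
    return hits

def _mail(to, sender, dmarc):  # builds a constructed sample message
    return (f"Delivered-To: {to}\nFrom: {sender}\n"
            f"Authentication-Results: mx.family.example; dmarc={dmarc}\n"
            "Subject: sample\n\nbody\n")

SAMPLES = [  # constructed, not real traffic
    _mail("kid2-roblox@family.example", "Roblox <no-reply@roblox.com>", "pass"),
    _mail("kid2-roblox@family.example", "Shop <deals@reseller.example>", "pass"),
    _mail("kid2-roblox@family.example", "Roblox <accounts@roblox.com>", "fail"),
    _mail("kid1-discord@family.example", "Discord <noreply@discord.com>", "pass"),
]

print(exposed_aliases(SAMPLES))
```

Only an `Authentication-Results` header added by your own receiving server is trustworthy; one that arrives already present on inbound mail should be ignored.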

Her own primary inbox is unaffected by any of the kids'-service noise. The family Gmail (still active for PTA, doctor, school updates) hasn't received a kids'-game phishing attempt since the migration.

  • 18 per-kid per-service aliases
  • 2 kids' identities isolated from family email
  • 1 publishing-chain leak caught early via alias
  • 30 min to rotate a compromised alias

What this would have cost without aliases

The financial cost of a kids'-game account takeover is usually small (a few dollars of in-game purchases at most), but the psychological cost on a kid whose account gets compromised is real — particularly for an account they've put years of play time into. A Roblox or Minecraft world wiped out by an attacker can mean weeks of repair work or a complete restart. Aliases make the account itself easier to defend, but more importantly they isolate the family-wide identity so a single kid's account compromise doesn't expose mum's banking email or dad's work address.

The broader cost framing: family-wide email reuse is the soft underbelly of household privacy. Every kids'-service that leaks an address is a permanent contribution to the family's targeting profile, which is what scammers and phishers buy and merge. Aliases break the join key — even if every kids'-service in the family's stack eventually leaks, none of the leaked addresses correlate to the same household, the same school, or the same bank.

What she tried first

Caroline's first move was creating dedicated Gmail accounts for each kid. That worked logistically but failed at the privacy goal: Google's identity-correlation across the family's devices linked all four Gmail accounts behind the scenes, and any leak of any of them effectively leaked the family identity to anyone willing to query the breach lists for related addresses. Aliases on her own custom domain don't have Google's correlation layer behind them.

She considered shared aliases on the kids' game accounts via Apple's Hide My Email feature. That worked for the Apple ecosystem but not for Roblox/Discord/the school portal, which need a custom-domain or direct email that isn't tied to Apple ID. EmailAlias.io's per-service aliases on her family domain cover every platform without dependency on a specific OS vendor.

The day-2 operational reality

The maintenance rhythm for Caroline is calendar-driven. Once a month she audits the alias dashboard while the kids are at school — about 10 minutes — and disables any aliases for services the kids no longer use. New services that the kids want to sign up for require asking her first, which she's framed as a normal family rule rather than a security policy. The kids accept it; it's easier than explaining why every game gets its own email.

She reports the biggest unexpected benefit is the parental-conversation framing: when she explains why kids get their own aliases, it opens an annual conversation about online privacy that wouldn't naturally happen otherwise. The kids now understand at a basic level what an account breach is, why it matters, and why they shouldn't reuse passwords. The technical setup turned into a teaching tool.

Lessons for setting this up yourself

  • Pick a family-domain name that reads as neutral (initials, short word) rather than "protected-kids" — kids will share the alias casually with friends.
  • Route all alias destinations to your parent inbox, not the kid's. Recovery emails, security alerts, and breach notifications need to reach you, not them.
  • Tag aliases clearly in the dashboard by kid name and service. Audit visibility is the whole point.
  • Disable aliases for services the kids have stopped using. Long-lived dead aliases are attack surface without upside.
  • Frame the system as a family rule, not a surveillance tool. Kids who understand the why will follow the workflow; kids who feel monitored will route around it.

I think of it as giving each kid's account its own front door. If someone breaks one door down, the rest of the house stays locked.

Caroline M., Privacy-conscious parent of two

Frequently asked questions

Will game platforms accept an email alias for kids' accounts?

Yes — aliases on a custom domain look like any other email to a game platform. The major platforms (Roblox, Minecraft, Discord, Steam) accept custom-domain emails on signup. Some require email verification before changes, which works fine via alias forwarding.

What about COPPA / kids'-privacy regulations?

Most kids'-privacy laws (COPPA in the US, equivalent regulations in EU/UK/AU) regulate what the platform can collect from a child, not what email a parent uses. Aliases are entirely on the parent's side of the boundary — they don't change the platform's compliance obligations and they don't change the legal status of the child's account.

Can the kids see the alias dashboard?

Not unless you give them access. The dashboard lives behind your EmailAlias.io account, which is parental-only. Kids see whatever you've configured to forward to them — usually only the actual game emails, not the security signals.

Set up safer accounts for your kids in an hour

EmailAlias.io's free tier covers 10 aliases. Premium adds custom domains for permanent family-brand addresses.
