The email address I use for my Peplink account is something I made just for use with Peplink. It’s a nonsensical combination of letters and numbers, created by a privacy-enhancing service provider that I use. That company is called Abine.
The other day I got a single scam message on the address, and no more of them. That could mean a few different things. In no particular order:
Peplink’s database of email addresses (and perhaps other information) used for the accounts has been compromised.
My privacy-enhancing service has had its database of generated email addresses compromised.
My email service provider (i.e. where all of the messages end up; it’s a big one like gmail but it’s something else) has had some kind of compromise.
Something about mail addresses being harvested from messages in transit. After all, email isn’t a secure thing at all.
I will say that #3 is particularly unlikely. The organization would eventually know about the breach and make an announcement, to preserve their reputation. I can’t say anything about #1, #2, #4.
I wonder if Peplink would comment on whether there has been any suspected data breach in whatever system(s) would know these email addresses, or if there is anything about the environment the messages pass through on the way out.