Last week's GDPR/CCPA spam is a Princeton study but it's still very wrong. Careless selection, fake e-mails not declaring it's research, and worst ending with a legal threat that is a lie. Pleased with the responsiveness of the people at Radboud I approached about this, looking forward to Princeton responding to complaint as to what went wrong.
This is an interesting thread on the situation as well.
Last link I promise, it also hit at least one domain provider in Ireland.
Ton's personal Mastodon instance