I just received a snail mail notice from Thawte indicating that I have certificates that are up for renewal. Now, I do have certificates from Thawte, so I assumed that the notice was about one of those... but I was thinking, I don't have any certificates expiring soon, do I?
Then I opened the letter. It did, indeed, indicate that two web server certificates, specified by domain name and order number, were up for renewal in April and May. But they aren't my domains. If I were a malicious person, I could probably contact Thawte and, armed with the domain name, order number, certificate type, and expiry date, get access to mess with the accounts: change the password, get the certificate revoked, etc.
And of course, having received information for other people, I have to wonder, who has received mine?