I would have expected them to ask me to message them, in order to resolve the issue of not having access to my old email. Instead, they assume that I still have access to it, by simply contacting my email provider!

If I could do that, I wouldn’t have lost access to it through would I?

  • NuXCOM_90Percent@lemmy.zip
    link
    fedilink
    English
    arrow-up
    80
    ·
    5 months ago

    I mean… It would be nice if they put a nicer message there. But I mostly agree with that.

    Look up how people social engineer their way into apple accounts and so forth. The more you put the burden on a (perpetually) underpaid CSR the easier it is to steal an account, Spin a sob story and then harass the CSR until they just reset your password so you will go away. Except there is no guarantee that is YOUR password and now we have yet another stolen account.

    • bogosort@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      18
      ·
      5 months ago

      Also works on EA accounts. Got mine stolen through Customer Service a few months ago. But when I contact them through the email the account was set up with they don’t reinstate me.

      Wish there was a solution to these problems that deals with both issues.

      • NuXCOM_90Percent@lemmy.zip
        link
        fedilink
        English
        arrow-up
        24
        ·
        edit-2
        5 months ago

        There is.

        2FA. No, not the fucking “we’ll send you an SMS” bullshit that is increasingly used to just highlight an active phone number for spam purposes. Proper TOTP with the code backed up to a proper service (bare minimum, Bitwarden)

        Someone can steal your password and even your email account (unless you TOTP that too…). They still can’t get into your account unless you are an idiot who gets tricked into providing the 2FA key.

        In a perfect world? Have your TOTP credentials in one encrypted database/Bitwarden account and your passwords in another. In reality? Just use a trusted service. I used to be a big fan of Keepass but protecting that with a yubikey (or similar) is a huge mess.


        The recent push for passkeys (?) is a nice-ish middle ground. People don’t need to understand how to paste a TOTP code into Bitwarden but they still need to approve a login. That said, I hate it since so much of it is dependent on a single device that can generally be opened by just applying REDACTED to the screen and doing REDACTED to narrow down the lock code significantly.

        • FlihpFlorp@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          5 months ago

          not an SMS

          OMFG YEEEEEEESSSSS I HATE THOSE I’m not even super duper security focused I just love the idea of even a bot farm has to guess a code within a 30 second window

          Meanwhile sms codes usually expire between a ten minutes and an hour, usually a half hour, but thats if at all

          As much as I hate them they’re better than nothing :/

          • lud@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            I doubt bruteforce has been used in one of these attacks. The service should detect a bot entering many combinations per second.

            The main problem with SMS is that someone could social engineer the mobile operator support to give them a new SIM.

            Probably not something you should worry too much about unless you are in any way a target, but still.

            • FlihpFlorp@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              I also said way less than what I was thinking but you pretty much summarized the other half of what I was thinking with people being able to get the authenticator which is in this case the message

              I also just plain don’t like them

              Idk why beyond the reasons I said

        • Victor@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          Quick question, how do you back up a 2FA “code” to Bitwarden? Sounds like a wise thing to do for my current 2FA accounts.

          • NuXCOM_90Percent@lemmy.zip
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            Really depends on your current tool so RTFM on that.

            But when you are activating it in your account? There is a QR code you are supposed to scan. And there is almost always a button like “Having trouble?” or “Show TOTP Key” or whatever. Click that and you get a long alphanumeric string instead. Paste that into the TOTP field for Bitwarden (or Keepass or whatever) and it will generate codes for you.

            Once or twice I have had to actually use my phone camera to decode the QR code so that I can manually type in the TOTP code/seed, but I think the last time I did that was in like 2020?

        • SnipingNinja@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          That said, I hate it since so much of it is dependent on a single device that can generally be opened by just applying REDACTED to the screen and doing REDACTED to narrow down the lock code significantly.

          Would that work with my pin which is the equivalent of 40483770487025502574448? Or is a password better?

          I think a pin like that is harder to remember for people, and even to get it using fingerprints is difficult because you cover a lot of the numbers giving false information

  • Zelaf@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    22
    ·
    5 months ago

    This is news to me, just checked my account and the email is of a domain I no longer intend to renew so I guess I’m screwed then lol

    • cosmicrookie@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      21
      ·
      5 months ago

      No! Youre not! Just make sure you change your email in discord accounts settings before your domain runs out.

      They send an email to your current account to check that its you. Then you can change it to a new email

      • bobs_monkey@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        Is that an old person thing? I have one custom domain exclusively for my work email, and while I was at it I made one for my personal just because I could.

  • TrickDacy@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    5 months ago

    Do you really expect them to allow you to circumvent the only easy way we have to verify ownership of an account?