So, as you read in my previous post, some of my accounts were hacked last week. I recovered my access to Facebook and Gmail thanks to the option to recover your password. I could not do this on my Last.FM and SourceForge.net accounts, because the attacker also changed my email address to make recovery impossible.

Since the attacked accounts shared the same password, I changed passwords on other sites that share the same password. Some sites, like ning.com, did send me a confirmation about the changed password. I think this is a good option, to send a confirmation about changes. I am thinking of adding this feature to BlaatSchaap.be as well in the next update.

I am just thinking. If the website is ‘hacked’ and someone gained access to the account, but NOT to the email address, then this appears to be good behaviour. But what happens if the reverse happens? If someone hacked access to the email address, uses the recovery option to gain access to the website, and then changes the password? In that case, this offers no value. I suppose I should also store the IP address that requested the password change, just to be sure.

Then, e-mail address changes. Some sites send a confirmation mail to the old email address if you try to change your email address on the site. This is good behaviour *if* the old email address is still working. At one time, I had the problem that one of my (webmail) email providers disappeared from the internet (I used to have this andre@mailmij.nl email address, until BigFish, the company behind it, disappeared). My point being: what if my reason to change email address is the fact that I cannot access the old one?
