Identifying ACTUAL inactive accounts, and requiring 2FA

TimWilson

Active member
We've had a few recent problems with old accounts being hacked for the purpose of "selling" goods (ie, scamming) in our member-to-member marketplace using these stolen identities. (The amounts are in the low thousands of dollars each, so it's serious.) Our forum has been around for 17 years (although only on XF for 3; before that on vBulletin), so I'm positive that we've got thousands of accounts with weak passwords that are going to be easy pickings for this approach in the future.

In talking about my best approach for managing this on the DragonByte Security resource thread (I've bought it -- a great way to address password security moving forward), someone suggested that I force 2FA on the old accounts, using email as verification, so that somebody trying to use an account that hasn't logged in for X amount of time will need access to the original email account. (I'm also assuming that anybody legit who has no access to an ancient account to receive a 2FA confirmation will be motivated to get in touch with us via the Contact form.) I like this idea, but I'm not sure how best to do this.

The obvious place to start seemed the "Batch update users" controls, but I'm not so sure. For example, I can select "Last visited between" and make the most recent login, say, a year ago (that counts as inactive, right?) -- does that really exclude everyone who's logged in during the past year? Because while I'm happy to encourage 2FA, I'm not at all prepared to require it for all current users (140,000 according to the widget, but I don't know what constitutes "active" for that widget.)

Can I also use batch update to turn on 2FA for these inactives, and specify email as the method for them?

Or do you have some better suggestion for me to secure these old accounts?

Thanks,
Tim
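As an added example (not XenForo's batch-update tool or any add-on's code), the selection rule the post is asking about, applied to a constructed set of accounts: an account is "inactive" when its most recent visit is older than a threshold, accounts with no recorded visit since import fall back to their registration date, and accounts that already have 2FA are left alone. Field names and the 365-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVE_AFTER = timedelta(days=365)  # assumed threshold: one year without a visit


@dataclass
class User:
    username: str
    registered: datetime
    last_visit: Optional[datetime]  # None = no visit recorded since import
    two_fa_enabled: bool = False


def is_inactive(user: User, now: datetime, threshold: timedelta = INACTIVE_AFTER) -> bool:
    """Inactive means the last sign of life is older than the threshold.

    Accounts with no recorded visit fall back to their registration date, so an
    imported account that never logged in on the new platform is still caught,
    while a brand-new registration is not.
    """
    last_seen = user.last_visit or user.registered
    return now - last_seen > threshold


def plan_2fa_enforcement(users, now: datetime):
    """Return (to_enforce, skipped): inactive accounts still lacking 2FA,
    and the ones left untouched (recently active, or already protected)."""
    to_enforce, skipped = [], []
    for u in users:
        if is_inactive(u, now) and not u.two_fa_enabled:
            to_enforce.append(u.username)
        else:
            skipped.append(u.username)
    return to_enforce, skipped


# Constructed sample accounts (not real forum data).
UTC = timezone.utc
NOW = datetime(2023, 1, 15, tzinfo=UTC)
SAMPLE_USERS = [
    User("old_vb_import", datetime(2006, 3, 1, tzinfo=UTC), None),
    User("dormant_2020", datetime(2012, 5, 5, tzinfo=UTC), datetime(2020, 8, 9, tzinfo=UTC)),
    User("recent_visitor", datetime(2010, 1, 1, tzinfo=UTC), datetime(2022, 12, 30, tzinfo=UTC)),
    User("new_signup", datetime(2023, 1, 10, tzinfo=UTC), None),
    User("dormant_with_2fa", datetime(2011, 1, 1, tzinfo=UTC), datetime(2019, 1, 1, tzinfo=UTC), True),
]

if __name__ == "__main__":
    enforce, skip = plan_2fa_enforcement(SAMPLE_USERS, NOW)
    print("force email 2FA:", enforce)
    print("leave alone:", skip)
```

Whatever filter the admin UI exposes, it is worth checking its output against a rule like this before applying the change, so that the "never visited" and "just registered" cases end up on the side you intend.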
 
Andy, I have no idea why I ask questions here, when the answer is so often contained in the addon collection I've already bought from you. 🤣 I swear that I really did look for something like this in your add-ons first, and clearly simply missed it!

Will be installing Security Lock Manager today!
 
I did a forced password reset to my users in August 2021. 150k+ accounts. Last I checked was May 2022 and over 25k users had performed the reset and were back on the forum.

It's a risk. Potentially a catastrophic risk.

I use all the password tool options available, and had Ozzy create a couple for me as well.

I STILL get a request or two a week from users who cannot access their registration email. Handled one this evening. Initially, that was dozens a day...
----------

Scammers will forever get thru. Had a registration in Nov that posted a handful of normal replies in threads. Every IP was from one cell carrier and every IP was in the same city radius. Usual scam to take a classified transaction off the forum, and even tho this member was suspicious, they fell for it and are out their $$. I have a warning posted, and "reset" the warning every few months for Classifieds. But people are deal hunting and will get suckered.
 