Send notification when there are two-step verification or connected account changes

digitalpoint

Well-known member
It would be nice if XenForo has better handling of account security when something important on the account changes. For example, say an account was hijacked and the email address was changed.

First, it would just be nice if the old email address was notified of the change. Even better would be if that email contained a link that allowed the recipient to undo the change (without authentication in case the password was also changed). The link could be valid for a certain period of time (say 7 days).

Notification of changes of any data that affects a user's ability to authenticate would be nice... email address change, password change, two-step auth changes, connected account addition/removal, etc.
 
Upvote 15

Chris D

XenForo developer
Staff member
First, it would just be nice if the old email address was notified of the change.
This already happens.

Even better would be if that email contained a link that allowed the recipient to undo the change (without authentication in case the password was also changed). The link could be valid for a certain period of time (say 7 days).
We don't do this, but I don't think it's necessary. We include the IP address of the user who changed it and log the IP address under xf_ip so it should be reasonably simple for an admin to verify an unauthorised change.

Notification of changes of any data that affects a user's ability to authenticate would be nice... email address change, password change
Password changes trigger a notification too.

So there are a few things here that are maybe reasonable, but for the most part we either already do them or they don't really feel compelling.

Notification of two-step verification and connected account changes might be the most significant, so I've renamed the suggestion to account for that.
 

digitalpoint

Well-known member
This already happens.
Oh good, how did I not know this? lol

We don't do this, but I don't think it's necessary. We include the IP address of the user who changed it and log the IP address under xf_ip so it should be reasonably simple for an admin to verify an unauthorised change.
Ya, although talking about larger sites (million or so users). Allowing them to sort out the issue themselves is preferable in my eyes vs. just having the info needed for an admin to sort it out for them. The more users you have, the less it scales. Totally different scale of course, but imagine if Facebook or Google account hijacks required Facebook/Google admins to get involved. Would need a giant building just to house all these full time admins. :)
 

Wildcat Media

Well-known member
Notification of two-step verification and connected account changes might be the most significant, so I've renamed the suggestion to account for that.
👍

I know it's annoying when one of my banks will send a notice any time I log in on an "unrecognized" device, but there is always that one time someone gets their account hacked into, that they'll wish they had been notified. Any helpful notification is always a plus.
 

digitalpoint

Well-known member
In my dream world, it would be nice if it was abstracted out to a single function across the board. For example, instead of having emails that are more or less the same for each type, just have a phrase along the lines of x_changed_body_html. And pass in x as a variable.

Right now, there's email_changed_body_html and password_changed_body_html, if we were to add a notice for two-step and connected accounts, that's additional replication. And I was also thinking about some custom things I have that are going to require it as well (not my case, but as an example, what if you had bank account info, credit cards, cryptocurrency deposit addresses, etc.).

Would love a method that allowed you to pass in the variables for the alert emails, with an optional parameter that was something like "allow undo", so that the undo link is included in the notification email.

The current situation, where someone is alerted that their email was changed but can't do anything about it other than figure out how to contact an admin and sit and wait until a human gets back to them while the hijacked account could just be doing whatever in the meantime, is less than ideal. It ends up being unnecessary/more work for admins investigating and restoring the account, as well as possibly needing to go and do spam reversals (now we have to selectively delete conversations/posts from the point the hijack happened without destroying the real user's content via the spam cleaner). The sooner we can put a stop to the hijack, the better. A simple "undo change" link the rightful owner could click seems like the quickest/simplest way to me.
 
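The single notify-with-optional-undo routine proposed in the post above, as an added example that is not part of this thread or of XenForo's code: one function for any auth-affecting field that can attach an HMAC-signed, 7-day, single-use undo token, and a redeem function that reverts the change without a login, so the signature and the expiry are the only things protecting it. The secret, the `users` dict, the field names and the `sessions` list are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
# Constructed values for this example; a real site would load the secret from its config.
SECRET = b"constructed-example-secret-do-not-reuse"
UNDO_TTL = 7 * 24 * 3600      # undo link valid for 7 days, as proposed in the thread
USED_TOKENS = set()           # undo links are single-use, so a replay cannot flip the value again

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_undo_token(user_id: int, field: str, old_value: str, now: float) -> str:
    """Sign (user, field, previous value, expiry): the link itself is the only credential needed."""
    payload = json.dumps({"uid": user_id, "f": field, "old": old_value,
                          "exp": int(now) + UNDO_TTL}, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def notify_change(user: dict, field: str, old_value: str,
                  allow_undo: bool = False, now: float = None) -> dict:
    """One routine for every auth-affecting change (the x_changed idea: x is a parameter)."""
    now = time.time() if now is None else now
    # An address change is reported to the OLD address, which the hijacker does not control;
    # values are never echoed into the body (for a password the old value would be a hash).
    recipient = old_value if field == "email" else user["email"]
    mail = {"to": recipient, "subject": f"Your {field} was changed",
            "body": f"Your {field} was changed on your account."}
    if allow_undo:
        mail["undo_token"] = make_undo_token(user["id"], field, old_value, now)
    return mail

def apply_undo(users: dict, token: str, now: float = None) -> bool:
    """Revert the recorded change if the token is authentic, unexpired and unused; no login required."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return False          # forged or tampered link
        data = json.loads(payload)
        if now > data["exp"] or token in USED_TOKENS:
            return False          # expired, or already redeemed once
    except (ValueError, KeyError):
        return False
    USED_TOKENS.add(token)
    user = users[data["uid"]]
    user[data["f"]] = data["old"]
    user["sessions"] = []         # also drop the hijacker's sessions when reverting
    return True
```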

Wildcat Media

Well-known member
The current situation, where someone is alerted that their email was changed but can't do anything about it other than figure out how to contact an admin and sit and wait until a human gets back to them while the hijacked account could just be doing whatever in the meantime, is less than ideal.
That would be my worry also. I do use Dragonbytes Security on one of our big forums and it can detect some illicit activity on its own (especially with staff accounts), but only an account owner knows for sure what is happening with their account. We've had rare instances over the years where a spouse or adult child gets into the member's account and posts under it--it's often legit, but the capacity is there for someone to really make a mess of things or worse, take over the account by changing the password and email. The longer a problem sits, the worse it can get.

The sooner we can put a stop to the hijack, the better. A simple "undo change" link the rightful owner could click seems like the quickest/simplest way to me.
I like that idea.

That leads to another idea I had--soft-delete user accounts at first, then have them purged after 30 or 60 days (so GDPR doesn't have a hissy fit). That would help someone recover from a hacking incident (or a "fat thumbs" incident) where an account is deleted that shouldn't have been. Something only a Super Admin could recover, though.
 