A quick search on the exotic name that was written on “my” account revealed that a large number of Epic Games users had the same thing happen to them when they were about to register. The problem has been known for several months. Furious, I emailed support and asked how in 2019 you can offer a service that doesn’t even require email verification when a new account is created. The only response I got was “Should we delete the account?”
Then came the classic back-and-forth of emails to restore the account, but I never received an answer to my question. Talk about a security failure – and at a service that has barely existed for six months.
That night I fell asleep in a rage. I thought of the time my Spotify account was hacked and without any verification measures the perpetrator managed to change the associated email address – leading to an energy-sucking recovery process coupled with the admittedly helpful Spotify support. Or why not the time my Minecraft account got hacked and then moved far beyond the horizon without the slightest approval on my part?
I also thought of that time when I was hanging out in a sunny vineyard in Italy and Netflix cheerfully emailed out that “someone has now logged into your account from the back of beyond”. I logged in myself in a flash, used the Log out from all devices function and changed the password, so that time the result was luckily just an Amarone-infused adrenaline rush in the middle of deepest Valpolicella.
This is too bad. Email addresses, usernames and old passwords are leaked too often, and protecting logins with only a single security step (if even that) should be outlawed. It doesn’t matter that accounts on services like Netflix and Spotify are less critical to lose. It doesn’t matter that credit card information is protected and that you run no risk of identity theft or financial damage when your account is hacked.
It’s about signals. That the entertainment giants do not take even the most basic security measures to spare paying users time and energy is disrespectful. Two-step verification is far from flawless, but it would still make a big difference. Email address verification is another thing that simply needs to be in place before a service launches in our millennium.
Take care of your users. We actually pay to use your services, and they often occupy a large place in our media consumption. If you are big, you actually have to be kind.
Bonus surfing tips: The site twofactorauth.org reveals which well-used sites and services do not offer the protection of two-factor authentication, and has a handy Twitter feature to call sinners to repentance.