We recently had three TL1 user accounts that were clearly hacked/compromised/taken over, probably via a compromised password. The attacker changed (and deleted!) the old e-mail addresses and then posted spam.
What can an administrator do in this situation? Is there a way to restore the old e-mail address so that I can inform the user? Does Discourse send an e-mail to an address that is being removed, to notify the user of the incident?
We ended up just suspending their accounts. But I am curious whether there are admin tools I am missing, or how others have dealt with this problem.
I just tried it out: the old email address was notified.
This is an automated message to let you know that your email address for
%{site_name} has been changed. If this was done in error, please contact
a site administrator.
Your email address has been changed to:
%{new_email}
You can check the email logs at /admin/email-logs. If you filter by username, you should see both the confirmation email sent to the new address and the notification sent to the old address.
If the notification e-mail can include an authentication link that won't complete the deletion of the old e-mail unless the link is clicked, that may help, unless their e-mail accounts are also compromised.
Suspending the account seems like a good first step, along with sending a manual e-mail to the old address to notify the user and make sure you are talking to the legitimate account holder, not the spammer, before lifting the suspension (after removing the new imposter email).
I haven't had to deal with this situation myself; hope there will be some more helpful advice posted. If their email client has been compromised there may be nothing you can do until/if that is resolved, unless you have some other way to communicate with the account holders. You could make public posts on your site warning members about what is happening.
That's possible. It already works that way for staff accounts, but there is a setting to enable that for everyone. But it also means users who lose access to their email address can no longer change it on their own.
It makes sense for that not to be a default setting for everyone; it can be annoying if a regular user has lost access to their previous e-mail and then needs to open a help ticket to get that corrected.
The other, slightly less secure, system is to just have a notification e-mail with a notice that says "If you made this change, no action is required, but if you don't recognize this action, click this link to report unauthorized access." Not sure if that is a feature integrated with Discourse; it can probably be done with a plugin or something.
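The two mechanisms discussed in the last two posts (requiring the old address to approve a change, and giving the old address a "report unauthorized access" link), as an added example that is not Discourse's code and not posted by anyone in this thread: a small Python model in which every change notifies the old address, optionally requires the old address to approve before the change is applied (the behaviour described above for staff accounts), and lets the old address cancel the change and revert the address even after it has already been applied, suspending the account until staff verify the owner. The in-memory storage, the message shapes and names such as `SERVER_KEY` and `require_old_confirm` are assumptions made for the example.

```python
"""Illustrative e-mail-change flow with old-address confirmation and a
'report unauthorized' link. Added example, not Discourse code; storage,
token format and message shapes are assumptions made for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Assumed server-side signing key; a real app would load this from config.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class User:
    username: str
    email: str
    suspended: bool = False
    pending: Optional[dict] = None      # in-flight change, or None
    last_change: Optional[dict] = None  # most recent applied change, for late reports


def _token(purpose: str, username: str, nonce: str) -> str:
    """HMAC tag binding one link purpose to one user and one change attempt,
    so a 'confirm' link cannot be replayed as a 'report' link or vice versa."""
    msg = f"{purpose}|{username}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _valid(purpose: str, user: User, token: str) -> bool:
    if user.pending is None:
        return False
    expected = _token(purpose, user.username, user.pending["nonce"])
    return hmac.compare_digest(expected, token)


def request_email_change(user: User, new_email: str, outbox: List[dict],
                         require_old_confirm: bool) -> None:
    """Start a change. The old address is always notified and always gets a
    report link; with require_old_confirm it must also approve the change."""
    nonce = secrets.token_hex(16)
    user.pending = {"old": user.email, "new": new_email, "nonce": nonce,
                    "old_ok": not require_old_confirm, "new_ok": False}
    # Message to the OLD address (constructed message shape).
    outbox.append({"to": user.email, "kind": "old_address_notice",
                   "confirm_old": _token("confirm_old", user.username, nonce),
                   "report": _token("report", user.username, nonce)})
    # Message to the NEW address.
    outbox.append({"to": new_email, "kind": "new_address_confirm",
                   "confirm_new": _token("confirm_new", user.username, nonce)})


def _finalize(user: User) -> bool:
    """Apply the change only when every required party has approved."""
    p = user.pending
    if p and p["new_ok"] and p["old_ok"]:
        user.email = p["new"]
        user.last_change = p
        user.pending = None
        return True
    return False


def confirm_new(user: User, token: str) -> bool:
    """Link clicked from the new address. True once the change is applied."""
    if not _valid("confirm_new", user, token):
        return False
    user.pending["new_ok"] = True
    return _finalize(user)


def confirm_old(user: User, token: str) -> bool:
    """Link clicked from the old address approving the change."""
    if not _valid("confirm_old", user, token):
        return False
    user.pending["old_ok"] = True
    return _finalize(user)


def report_unauthorized(user: User, token: str) -> bool:
    """'I did not do this' link from the old address. Works while the change
    is pending and also after it was applied: revert to the old address,
    drop the new one and suspend until staff verify the account holder."""
    change = user.pending or user.last_change
    if change is None:
        return False
    expected = _token("report", user.username, change["nonce"])
    if not hmac.compare_digest(expected, token):
        return False
    user.email = change["old"]  # no-op if the change was still pending
    user.pending = None
    user.last_change = None
    user.suspended = True
    return True
```

The report path deliberately keeps working after the change has gone through, because the attacker's new address is confirmed immediately while the real owner may only read the old-address notice hours later; a design that only honours the report link while the change is pending gives the owner no way back.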
Yes indeed, that is a decent template you had already posted earlier.
That is probably a good idea; recurring a few times can be good for an important warning/alert.
This seems like unusual phrasing for this kind of alert; not sure when/if an email change would be an "error." Depending on the level of suspiciousness of the change, more urgency in the alert can be good, like "**Suspicious email change alert!!!** Please contact us right away if this is not recognized!" Also phone alerts can be good, and/or automated temporary account suspension if admins want to be super fancy.