How do other admins handle compromised accounts?

We recently had three TL1 user accounts that were obviously hacked/compromised/taken-over — likely through a compromised password. The attacker changed (and deleted!) the old email addresses, and then posted spam.

What can an admin do in this situation? Is there a way I can recover the old email so I can notify the user? Does Discourse send emails to an address that’s being destroyed, notifying the user of the occurrence?

We ended up just suspending their accounts. But I’m curious if there are any admin tools I’m missing or how others have tackled this problem.

1 Like

I just tried it out: the old email address was notified.

This is an automated message to let you know that your email address for
%{site_name} has been changed. If this was done in error, please contact
a site administrator.

Your email address has been changed to:

%{new_email}

You can check the email logs at /admin/email-logs. If you filter by username, you should see both the confirmation email sent to the new address and the notification sent to the old address.

4 Likes
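The log check described in the reply above, as an added example that is not part of the original thread or of Discourse's own code: it pairs each confirmation sent to a new address with the notification sent to the old one, so the pre-takeover address can be recovered per account. The row fields, the `confirm_new_email` / `notify_old_email` type strings and the sample rows are assumptions constructed for illustration.

```ruby
require "time"

# Constructed sample rows, shaped like entries copied out of the email logs
# for the affected usernames. Field names and type strings are assumptions.
SAMPLE_LOG = [
  { username: "alice", email_type: "digest",            to: "alice@example.org", at: "2024-03-01T08:00:00Z" },
  { username: "alice", email_type: "confirm_new_email", to: "x1@spam.example",   at: "2024-03-02T10:00:00Z" },
  { username: "alice", email_type: "notify_old_email",  to: "alice@example.org", at: "2024-03-02T10:05:00Z" },
  { username: "bob",   email_type: "confirm_new_email", to: "x2@spam.example",   at: "2024-03-02T11:00:00Z" },
  { username: "bob",   email_type: "notify_old_email",  to: "bob@example.net",   at: "2024-03-02T11:02:00Z" },
  { username: "bob",   email_type: "confirm_new_email", to: "x3@spam.example",   at: "2024-03-02T12:00:00Z" },
  { username: "carol", email_type: "confirm_new_email", to: "x4@spam.example",   at: "2024-03-03T09:00:00Z" },
].freeze

# For each username, walk the rows in time order and pair every confirmation
# (sent to the new address) with the following notification (sent to the old
# address). The old address of the first completed change is the original one.
def email_changes(rows)
  rows.group_by { |r| r[:username] }.to_h do |user, user_rows|
    pending = nil
    changes = []
    user_rows.sort_by { |r| Time.parse(r[:at]) }.each do |r|
      case r[:email_type]
      when "confirm_new_email"
        pending = r[:to]            # change requested, not yet seen completing
      when "notify_old_email"
        changes << { old: r[:to], new: pending, at: r[:at] }
        pending = nil
      end
    end
    # unfinished: a confirmation with no matching old-address notification
    [user, { original: changes.dig(0, :old), changes: changes, unfinished: pending }]
  end
end

if __FILE__ == $PROGRAM_NAME
  email_changes(SAMPLE_LOG).each do |user, info|
    puts "#{user}: original=#{info[:original].inspect} unfinished=#{info[:unfinished].inspect}"
  end
end
```

An account with a confirmation but no old-address notification (`carol` in the sample) comes back with `original: nil`, which means the old address has to be found some other way.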

As a preventative measure, maybe think about enabling 2FA for all? Staff for sure, I think, would be a good idea. Also, it might be worthwhile to suggest a password manager to your users - people should be using password managers with complex passwords these days.

1 Like