How do other admins handle compromised accounts?

We recently had three TL1 user accounts that were obviously hacked/compromised/taken-over — likely through a compromised password. The attacker changed (and deleted!) the old email addresses, and then posted spam.

What can an admin do in this situation? Is there a way I can recover the old email so I can notify the user? Does Discourse send emails to an address that’s being destroyed, notifying the user of the occurrence?

We ended up just suspending their accounts. But I’m curious if there are any admin tools I’m missing or how others have tackled this problem.

2 likes

I just tried it out: the old email address was notified.

This is an automated message to let you know that your email address for
%{site_name} has been changed. If this was done in error, please contact
a site administrator.

Your email address has been changed to:

%{new_email}

You can check the email logs at /admin/email-logs. If you filter by username, you should see both the confirmation email sent to the new address and the notification sent to the old address.

4 likes

For a preventative measure, maybe think about enabling 2FA for all? Staff for sure, I think, would be a good idea. Also, it might be worthwhile to suggest a password manager to your users - people should be using password managers with complex passwords these days.

5 likes

It’s good they have this feature.

If the notification e-mail can include an authentication link that won’t complete the deletion of the old e-mail unless the link is clicked, that may help, unless their e-mail accounts are also compromised.

Suspending the account seems like a good first step, then sending a manual e-mail to the old address to notify the user and make sure you are talking to the legitimate account holder, not the spammer, before lifting the suspension (after removing the new impostor email).

I haven’t had to deal with this situation myself, hope there will be some more helpful advice posted. If their email client has been compromised there may be nothing you can do until/if that is resolved unless you have any other way to communicate with account holders. You could make public posts on your site warning members about what is happening.

That’s possible. It already works that way for staff accounts, but there is a setting to enable that for everyone. However, it also means users who lose access to their email address can no longer change it on their own.

4 likes

That makes sense as not being the default setting for everyone; it can be annoying if a regular user lost access to their previous e-mail and then needs to open a help ticket to get that corrected.

The other, slightly less secure, system is to just have a notification e-mail with a notice that says “If you made this change, no action is required, but if you don’t recognize this action, click the link to report unauthorized access.” Not sure if that is a feature integrated with Discourse, or whether it can be done with a plugin or something.
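The flow the last two posts describe (the old address is notified, the change stays pending until confirmed, and a "report unauthorized access" link undoes it and locks the account), written out as an added Python sketch. This is not Discourse's code; the Account model, the token format and the handler names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for the example)


@dataclass
class Account:  # hypothetical minimal user record
    username: str
    email: str
    pending_email: Optional[str] = None
    suspended: bool = False
    used_tokens: set = field(default_factory=set)


def _sign(action: str, username: str, old: str, new: str, exp: int) -> str:
    # The token binds the action to the exact old/new pair and an expiry,
    # so a link cannot be replayed against a later change request.
    msg = f"{action}|{username}|{old}|{new}|{exp}".encode()
    return f"{action}:{exp}:{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def request_email_change(acct: Account, new_email: str, ttl: int = 86400) -> dict:
    """Stage the change; the old address is NOT deleted yet. Returns the two
    links that go to the OLD address: one to approve, one to report it."""
    acct.pending_email = new_email
    exp = int(time.time()) + ttl
    return {
        "confirm": _sign("confirm", acct.username, acct.email, new_email, exp),
        "report": _sign("report", acct.username, acct.email, new_email, exp),
    }


def handle_token(acct: Account, token: str, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    try:
        action, exp_s, _mac = token.split(":")
        exp = int(exp_s)
    except ValueError:
        return "rejected"
    expected = _sign(action, acct.username, acct.email, acct.pending_email or "", exp)
    # Constant-time compare; also reject expired, replayed, or stale tokens.
    if not hmac.compare_digest(expected, token) or now > exp or token in acct.used_tokens:
        return "rejected"
    acct.used_tokens.add(token)
    if action == "confirm":
        acct.email, acct.pending_email = acct.pending_email, None
        return "changed"
    # "report": the old-address owner did not authorise this; undo and lock.
    acct.pending_email = None
    acct.suspended = True
    return "suspended"
```

Because the report link both cancels the pending change and suspends the account, the old mailbox owner can stop the takeover without a help ticket, while an admin still has to review before the suspension is lifted.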

Like this?

1 like