Malicious personal messages followed by account self deletion

This user has found a way

1 Like

Hi @Brixey
Update, another Discourse team member has confirmed how this is possible. For a PM/topic, notifications and user to disappear from the discourse forum. I shall PM copy you in. The team are working on it for you.


It is possible to do this

  1. Create a new account
  2. Read just enough to reach trust level 1 (you need that to earn the ability to send a PM)
  3. Send one PM and one reply max – because accounts can’t self delete with more than 2 posts
  4. Do this all within 2 days – because accounts can’t self delete more than 2 days after account creation
  5. Trigger account self-deletion

Pretty hard to do all that, but it could be done, so we’ll have to think about the ramifications here.


Hi Jeff
Number 3
You’ll have to up that number of posts to at least 4 because that’s how many she sent me, all but the opening post being deleted within seconds as soon as the “views” showed I was reading it

Thanks for the help here btw


It’s possible there is a bug that is not counting PMs in there @gerhard? We should definitely make sure that’s working as designed in terms of allowed user self-deletes.


Don’t know if it’s at all relevant, as all this is way above me, but the person concerned uses Ipads for her internet use.

1 Like

We’ll get to the bottom of it for sure, we take abuse very seriously and we want everyone to be safe by default!


We did find a bug here where PMs were not counted towards the max 2 posts limit that prevents new account self deletion. That’s … pretty bad, my apologies. Hopefully @gerhard can get that fixed and backported lickety split!


It looks like it’s a 1 post limit where posts in PMs aren’t counted at all. First posts in topics don’t seem to count as well. :frowning:

So, what should the new rule be? Count every post unless the post belongs to a PM with a system user (e.g. discobot)?
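The two counting rules discussed in this thread side by side, as an added example in Ruby (Discourse's language) that is not Discourse's own code: the buggy rule ignores PM posts and first posts entirely, while the proposed rule counts everything except a PM whose other participants are all system users such as discobot. The data structures, the system-user list and the function names are assumptions made for the example; the 1-post limit and the 2-day window are the values stated in the thread.

```ruby
require 'time'

# Added example (not Discourse's own code): a simplified model of the
# "may this account self-delete?" check discussed in this thread.
MAX_POSTS_FOR_SELF_DELETE = 1   # post limit stated in the thread
SELF_DELETE_WINDOW_DAYS   = 2   # account-age window stated in the thread
SYSTEM_USERS = %w[system discobot].freeze  # assumed names of system accounts

# Constructed sample data: a new user who sent two PM posts to another
# member and one PM post to discobot.
SAMPLE_USER = { name: 'newuser', created_at: Time.parse('2019-01-01 10:00:00 UTC') }
SAMPLE_POSTS = [
  { author: 'newuser', archetype: :private_message, recipients: ['victim'],   post_number: 1 },
  { author: 'newuser', archetype: :private_message, recipients: ['victim'],   post_number: 2 },
  { author: 'newuser', archetype: :private_message, recipients: ['discobot'], post_number: 1 }
]

# Buggy counting, as described in the thread: posts inside PMs are not
# counted at all, and neither is the first post of any topic.
def buggy_post_count(posts, user)
  posts.count do |p|
    p[:author] == user[:name] &&
      p[:archetype] != :private_message &&
      p[:post_number] > 1
  end
end

# Corrected counting, following the rule proposed in the thread: every
# post counts unless it belongs to a PM whose only other participants
# are system users (e.g. discobot).
def fixed_post_count(posts, user)
  posts.count do |p|
    next false unless p[:author] == user[:name]

    system_pm = p[:archetype] == :private_message &&
                p[:recipients].all? { |r| SYSTEM_USERS.include?(r) }
    !system_pm
  end
end

# Eligibility check: both conditions from the thread must hold. The
# counter argument lets the same check be run with either counting rule.
def can_self_delete?(user, posts, now:, counter:)
  age_days = (now - user[:created_at]) / 86_400.0
  age_days <= SELF_DELETE_WINDOW_DAYS &&
    counter.call(posts, user) <= MAX_POSTS_FOR_SELF_DELETE
end

if __FILE__ == $PROGRAM_NAME
  now = Time.parse('2019-01-02 10:00:00 UTC')
  puts "buggy count: #{buggy_post_count(SAMPLE_POSTS, SAMPLE_USER)}"
  puts "fixed count: #{fixed_post_count(SAMPLE_POSTS, SAMPLE_USER)}"
  puts "self-delete allowed (buggy rule): " \
       "#{can_self_delete?(SAMPLE_USER, SAMPLE_POSTS, now: now, counter: method(:buggy_post_count))}"
  puts "self-delete allowed (fixed rule):  " \
       "#{can_self_delete?(SAMPLE_USER, SAMPLE_POSTS, now: now, counter: method(:fixed_post_count))}"
end
```

With the sample data the buggy rule sees zero posts and lets the account delete itself one day after creation, taking its PMs with it; the fixed rule sees two posts and refuses, while the discobot PM is still excluded so a genuinely new account that only completed the onboarding tutorial can still leave.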


Yes, count almost everything, exceptions should be super rare.


Hi Guys,
Just wanted to say thank you all, for taking this seriously and looking into it so quickly and thoroughly


I have to say, I really appreciate this entire discussion. You show your commitment to open source ideals by not only reproducing the problem, but sharing steps on how it can be reproduced publicly, and working on a solution where we can see it. That’s impressive.


It is a shame that @Brixey didn’t qualify for the “bug reporter” badge. :wink:


If the offending user also resides in the EU then restoring messages they explicitly deleted (without consideration as to whether they can or not) would likely be in violation of the GDPR.

1 Like

Just to clarify
I didn’t request the messages be publicly restored, simply retrieved to my PMs as they were originally sent, so that the user concerned cannot send a threatening message and then delete it once read.
I can’t see that breaching GDPR?


Possibly, which is quite ironic when the offender had no respect for the privacy of the person they were sending their nasty messages to in the first place! :woman_facepalming:t3:


Yes that is indeed a problem with the GDPR, but it’s her data. Have you tried contacting your local law enforcement agency?

1 Like

This is a common misconception, but no it likely wouldn’t be considered a breach of GDPR. The purpose of the processing is because they broke the rules of the community. GDPR doesn’t prevent site owners from investigating such incidents.

If they break the terms of the community or break laws you have every right to investigate.


We fixed the problem of PMs not counting toward the max 1 post limit for self-deletes. The fix was also backported to the stable and beta branches.