[wp-forums] angelin.deboral lost the email to her old user ID

Mika A. Epstein ipstenu at ipstenu.org
Thu Sep 8 16:49:24 UTC 2011


Otto - You hit the problem here.

She DOES NOT know what the old email was. If she said "My email was 
foo at yahoo.com but now it's bar at gmail.com" I would've been fine.  She 
doesn't remember the email address.  (I tried to hint it at her 'Was it 
on Yahoo?'  cause IMO it's about as obvious as mine!)

There's no URL listed in her account to check.

The plugins Michael spotted list her but not in any of the commits.  
Those are all niravmehta - I did look.

I have no idea who she is.

The only one of those proofs is that per Facebook and Google, it LOOKS 
like her (Thanks, Kathryn, for sparing me a FB look)

But why? No posts, no plugin changes (which, if it mattered, she could 
ask niravmehta to change that). What's she missing? Or what am I missing 
that makes this matter?

(I'm M.Ipstenu on Words With Friends for this reason. I used a 
toss-away email with Zynga and then deleted it. We live, we learn ;) )

On Thu, 8 Sep 2011 11:30:54 -0500, Otto wrote:
> We've been handling this through the password reset email address a
> fair amount (pw-reset-2011 at wordpress.org). They should email there.
>
> My general approach is that if I can find positive proof that the
> person is the same, then I change the email and give them the account
> back.
>
> What constitutes proof?
> - If they have a URL on the account and still own that site, then I
> ask them to put a post or a text file up proving that they own it.
> - Custom domains have WHOIS records that can be useful for verifying
> site ownerships.
> - If they can tell me what the email address was before (email
> addresses are hidden from normal user views). This one is dicey, so I
> use it with more care when there's themes or plugins attached to the
> account. If it's just forum posts, then I'm a bit more lenient.
> - If they're well known and I trust them. Hey, reputation is
> everything in open source.
> - If I can find confirmation via browsing the web and finding
> references, links, anything that will convince me that I'm not making
> a mistake.
>
> Things like that. I tend to be a bit forgiving on this, but careful,
> basically. Also, since we're using email, I have a record to fall back
> to if I need to reference what changed. So far, it hasn't really been
> a problem. Most have either been really obvious or somebody saying
> "hey, my email used to be foo at bar.com but now it's foo at barbar.com,
> can you change it for me?"...
>
> Only once have I had to tell somebody no, out of, oh, hundreds now.
>
> -Otto
>
>
> On Thu, Sep 8, 2011 at 10:47 AM,  <ipstenu at ipstenu.org> wrote:
>> Her latest post:
>> 
>> http://wordpress.org/support/topic/i-want-the-emailid-associated-with-account-as-i-have-forgot
>>
>> Backstory.
>>
>> She had an id (angelin.nadar -
>> http://wordpress.org/support/profile/angelinnadar/ ) with NO posts,
>> and she lost the password.  No big, except she also forgot which email
>> address it was.  Furthermore, the email address no longer exists (per
>> yahoo, I emailed it directly).
>>
>> So now we have a case where she says "I am this user name, but I
>> can't prove it in any way shape or form, because I don't remember the
>> password or the email.  But can you reset the password for me anyway?"
>>
>> And I said "No, that's what we call 'social engineering.'  Tough
>> titties, move on."  (I said it nicer!)
>>
>> Do I think it's her? Probably yes, but with no posts to the name, I
>> can't even spot-check the IP to be certain, and the security mole in my
>> heart screams in abject hate at the idea of just handing over an ID,
>> when I don't know what else it may affect.  I highly doubt there's any
>> risk in this particular situation, but I'm not personally comfortable
>> opening the door.  Especially since (1) no posts exist for the old
>> account, (2) she has one (unanswered) topic with the new one and (3)
>> merging accounts involves buying Otto a home brewery set at this rate.
>>
>> Am I being too knee-jerky paranoid about security?  (I swear, Nacin,
>> I took the tin foil out of my hat today!)