Completely agree, Match.com does the same thing. Not so long ago a user signed up to their site using my email address (never figured out why).
They were able to create an account and subscribe to the site without ever verifying the email, so for a week or so I was getting notifications sent to me without any way to unsubscribe from the email.
Clicking any of the links in the email signed me in as the user and gave me full access to their account and billing information. I ended up going into their account and turning off all email notifications to make the emails stop.
Edit: Just checked my trash folder and an email sent on the 8th of August still contained valid login keys to access the account.
> Not so long ago a user signed up to their site using my email address (never figured out why).
If they used legit billing information, with a name other than yours, it was probably a legitimate typo of the email address while signing up, using copy-paste to avoid typing the email address a second time. They probably haven't yet realized they aren't getting emails for their account.
Someone (or two people with the same name) has signed up for a Hertz car rental account and a trash removal service account using a name that could reasonably be mapped to my gmail username. I presume they either have <my_username><2/year/other_number>@gmail.com or <my_username>@<some_other_provider>.
You'd be surprised how often this happens. I had a similar situation with someone who accidentally used my email when buying a new car.
For a while I was getting emails from the Hyundai dealership that had auto-login links that would have let me do all kinds of things, including requesting a (paid) tow of the car from my house back to the dealership, scheduling (or cancelling) maintenance, ordering extras and parts, and more.
Luckily through that logged-in area I was able to find the individual's phone number and we texted back and forth until he understood the problem and called his dealership to update his info.
This is genuinely amazing to me. And the IT guy that set up that Hyundai system is probably getting paid plenty to do it, despite massive flaws like this.
Security is a cost center with no output and no drawbacks when you cut it (as the business people see it). So it is often quickly underfunded until some major incident.
That's really strange, isn't it? Because it only takes one major incident for a company to go entirely out of business in many cases. Or for CEOs to get ousted or step down, as in the Ashley case, or any number of other irreversible catastrophes. It would seem to me security should be the most important part of the entire process.
Then the CEO blames the IT dept, shareholders lose their investment and the CEO moves on to the next job with the bonuses he got for cost cutting still intact.
I find it hard to believe that they didn't know better. They were using 12 rounds of bcrypt to store the passwords, after all. Assuming just the DB is compromised, they would likely be okay because of that. I'm not sure how often systems are so entirely pwned as to gain access to their source code repos and their entire production database. That seems like an outlier kind of attack, though I think the same thing happened with Sony.
I don't think it's fair to say that this was a security oversight, so much as it was a conscious decision to make the system have less friction for users by utilizing these login tokens.
I have a nice Volvo dealership in California that is sending me updates on someone's car service, as well as the billing for some storage locker.
Apart from that, I get about 5 to 10 real emails like this each month. Looking at the email addresses in Gmail I can see a lot of addresses that try to use a period in the address.
I know, password reset keys are as bad as login keys, but usually they expire after a certain time frame.
F*ck login keys.
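As an added example (not code from any commenter or from the sites discussed), here is the expiring, single-use login link the last two comments contrast with a key that is still valid months later; the secret, the 15-minute lifetime and the in-memory replay store are assumptions. Note that it only bounds how long a stale or misdelivered email stays dangerous; it does not fix the root problem in this thread, which is sending such links to an address that was never verified.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = b"example-only-replace-with-a-real-secret"  # assumption: server-side secret
TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link stops working 15 minutes after it is sent

_used_tokens: set = set()  # assumption: in-memory replay store; a real service persists this


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims so the link cannot be forged or altered."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_login_token(user_id: str, now: float) -> str:
    """Build the token that would go into an emailed login link; 'now' is a unix timestamp."""
    claims = {"uid": user_id, "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"{payload}.{_sign(payload.encode())}"


def verify_login_token(token: str, now: float):
    """Return the user id if the token is genuine, unexpired and unused; otherwise None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed link
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None  # signature mismatch: tampered or forged
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now > claims["exp"]:
        return None  # expired: an email from weeks ago no longer signs anyone in
    if token in _used_tokens:
        return None  # already consumed: a forwarded or trashed copy cannot be replayed
    _used_tokens.add(token)
    return claims["uid"]
```

In practice the replay store would be keyed by the nonce and pruned once the expiry time has passed, so it does not grow without bound.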