Disallow user-name login attempts/password requests.

So, obviously, just came from a less than technically satisfactory - but also really uncool - support conversation. I'm used to support being technical illiterates - but rude and arrogant as well? New low, Spotify. I'm attaching the transcript at the end, and I hope you fire the guy in question out the window, screaming something about Eurovision, from his office-chair.

 

The issue is this: if you happen to have a user-name on Spotify that someone has picked up - which is really easy thanks to the social network integration - this allows them to do the following: attempt to log in to your account with a wrong password until the account is marked with "suspicious activity". The password is then invalid, and the e-mail that you might attempt to reset your password with does not receive reset-emails.

(As a precautionary measure, you understand, while you connect your account to facebook, to make this exploit even easier to use in the future).

 

The result being that now you, the owner of that account, with the user-name that can't be changed, are not able to log in to your account any more. There are no traces of the suspicious activity specifically - only valid logins are stored. And you are stuck having to contact support to be able to log in again.

 

You can also request password resets with your user-name alone - again, not a great design idea, but that at least doesn't invalidate your password if it's spammed, and it leaves something behind.

 

Since /everyone/ working with Spotify is loved by everyone they interact with online, I can't imagine that they would ever have an issue like this, of course - but some of us are not so lucky. And you've basically handed an option to anyone on the internet here, in a very simple way, to annoy people a lot.

 

And no measure that I can take now will prevent it. Because I can't change the user-name that you've made transparent to the whole login-system, and I can't hide it from the outside point of view of your database. I can change my e-mail all I want, that won't change this. This is a design-choice, and it's not very good. It's an old issue. And it has actually been addressed before, when the social integration first became available, specifically to address this. I was one of the people who requested it.

 

So we already had - at one time - the option to only have the e-mail as a valid login-method. You've since changed that, for whatever reason, which I can certainly make a qualified guess at.

 

In any case, my suggestion is: allow users to have the option to hide the key database-name, and to only allow logins via the e-mail address, or some non-transparent username.

 

PLEASE NOTE: turning off the spam-prevention is not actually a solution to the "issue". I know what you're thinking, it's not a solution. Stop right now.

 

Disallowing the user-name logins, however, solves, and solved, the issue: all the cool people whom everyone loves can share their login/username with all their cool friends and be cool. And the paranoid nerds who believe in conspiracy theories about "internet security", "encryption" and "private information" can then just unhook this option in the user-preferences.

 

And as a result of that "change", everyone would be **bleep**ing happy, both the cool people and the ones who are not. So have solidarity with the uncool people who design database-systems not made by Microsoft, and upvote this, please.

 

Transcript follows:

The following is a record of your online chat.

 

General Info
Chat start time Sun, 29 Mar 2020 13:44:09 +0200 GMT
Chat end time Sun, 29 Mar 2020 14:15:44 +0200 GMT
Duration (actual chatting time) 00:31:34
Operator DarellM

 

Chat Transcript
Info: Thanks for getting in touch. So we don't get disconnected, please keep this window open during the chat.
Info: Hey there! Thanks for contacting Spotify Support. You're chatting with DarellM.

NOTE: So we don't get disconnected, please do not navigate away to another browser or app during this chat.

Info: Hi. Was just forcibly bounced on all my two devices today, at some point earlier in the day. The password recovery does not work, I've waited for an hour or so now - no new messages. I believe I've mentioned before that the password recovery facility still accepts the "user name", and that - in spite of me specifically asking for this, and having the option cleared in the preferences - user-name-based login, rather than e-mail address only, is still allowed. This means that anyone who knows that user-name, which I've used elsewhere, will be able to annoy me by attempting to log in consecutively with the wrong password, and simply spam the recovery facility until it won't respond, to me or anyone else, on account of predictable anti-spam measures. Now, please make sure: that I, or anyone else, can't use the user-name to spam the password recovery. And that you will need the e-mail address to log in. I will now wait, without music, on your login-portal that requires an always online presence in practice -- because screw us who worked our asses off to make digital music a thing - that you can earn money on, and the rest of us almost went to prison for: DRM is amazing, and must be there, and clearly shall be a hindrance to the enjoyment of the product, as otherwise the record company people wouldn't think it will work. But whatever. Thanks for nothing.

DarellM:
Hello there!

DarellM:
I'm sorry to hear that you're having trouble logging in. Don't worry! I'll definitely check your account here.

DarellM:
I think I can explain what happened.

Our system saw suspicious activities on the account so we’ve reset your password.

If your requested password reset emails aren't being received, then we must change the email address so you may get your access back.

DarellM:
Please provide:

- a new email address
- a PayPal Invoice ID for a payment made to the account (to verify that you own the account in concern). To find the Invoice ID:

1. Log into PayPal.
2. Click on your most recent payment made to Spotify.
3. In the Transaction Details, find the Invoice ID.

The Invoice ID starts with P0.

Me: ...yes, I realize that. Wait a moment.
DarellM:
Sure thing.

Me: xxxx
Me: I could probably send you the invoice, but.. no upload in the chat. Which.. probably is just as well..
DarellM:
I just need the new email address.

Me: I have an alias for my protected account, but it will be on the same domain as the last one once the name resolves - that might cause an issue.
Me: my xxx address is xxx
Me: That might work.
DarellM:
Thank you.

Me: Otherwise, xxxxx
DarellM:
xxxxx is now on the account. Please check the email I sent you as well.

Me: Right. Confirmed it.
Me: Can you still /attempt/ to log in with my username, though?
DarellM:
Yes you can.

Me: Because that is a problematic issue. Alternatively, you can change my username. Add some numbers and things to it and send me a confirmation, perhaps.
DarellM:
Did you receive the password reset email I sent?

Me: I got the confirmation, and I requested another e-mail reset, which I confirmed. I'm setting a new password now.
DarellM:
Great!

Me: Ok. That worked. Now - since I'm going to assume the whole "require e-mail address" thing doesn't work - you will need to change my user-name.
DarellM:
Your username is set when you created the account. I'm afraid that there's no way to change that right now.

Me: Right. How can that be done, please?
Me: Do I genuinely have to create a new account, just to avoid an anti-spam measure being exploited?
DarellM:
Can you tell me more about the "require email address" concern you have?

Me: There was an option we discussed, the last time this happened, that would increase the security. And save your spam-filter considerably.
Me: To require the e-mail address to log in, and to hide the user-name from every outward portal-access.
Me: The user-name could then still be there, but not be an entry to spam your login and password recovery facilities.
DarellM:
Where did you get that information from?

Me: This option apparently exists, but it clearly does not work any longer.
Me: I don't know, Darrel, I don't memorize the names of people on support.
DarellM:
Was it from us? I don't see any contacts from before. Was that information given via chat?

DarellM:
I have no idea of any way to "save spam-filter". Can you provide more specifics?

Me: Yes. And I can see that you've recently installed an entirely new login facility. Wonderful. I'll save you my assessment of that.
Me: But it is not actually a real issue to disallow using only user-names to request password recoveries, or attempt logins.
Me: The use of that user-name, that is well-known on the intertrons, is what is causing the "suspicious activity".
DarellM:
I'm not sure what you're talking about. You can enter your email address or password on the Password Reset page and still get the same password reset email. Give it a test.

DarellM:
The reason why your old email address is not getting the emails is they're somehow getting blocked.

Me: I assure you, I do not typically spam my logins, or require password recoveries very often - until my account is locked on account of "suspicious activity".
Me: Now, "suspicious activity" is the same as "password recovery spam".
DarellM:
And you're saying that you intently request password reset emails to block your account?

Me: That I can use my e-mail address now - does not change the fact that someone could still use my user-name -- which is widely circulated on **bleep**-forums for moron-terrorism -- to spam the account until it is marked with "suspicious activity".
Me: No, I do not request these passwords or attempt logins like this at all.
Me: I've requested two, today, when my account became locked, and I couldn't listen to music.
DarellM:
Your account wasn't locked at all, xxx.

Me: The solution is to disallow user-names from being possible to use to request passwords or attempt logins.
Me: Then what happened? I haven't changed the password in yonks.
DarellM:
I'll be happy to send that as a feedback to the proper team.

Me: You also said, earlier, that my account was locked on account of suspicious activity. Was that lies?
Me: Did you just dump it out for no reason to explain a problem?
DarellM:
Can you tell me where I said that the account was locked?

Me: "Our system saw suspicious activities on the account so we’ve reset your password."
DarellM:
That's not locking. That's resetting the password. A locked account will not be accessed because there's no way to reset the password.

Me: Obviously, if you change the password, or disallow me from logging in, then yes, I'm locked out.
DarellM:
What we did is log every device off from the account and reset the password. Theoretically, with an email that has no issues with receiving our password reset emails, you would be able to log back in to the account.

Me: The point was that you have seen "suspicious activity", and it is caused by the login attempts - that are not from me.
DarellM:
A locked account, with the correct email address/username and password would not be accessible.

Me: The unsuccessful account logins will obviously not be stored. Do you understand?
DarellM:
I can't confirm what triggers these automated password resets. If you wish to get an investigation, I'd advise contacting your local anti-cybercrime authorities.

Me: Oh, come on, are you for real?
Me: Screw this.

 

----

 

Plan: Free/Premium

Country: Nårge


0 Replies
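One way a login service can throttle brute-force attempts without handing a third party who knows a public username a lockout switch, as an added example (Python) that is not Spotify's code and not part of the post above: failures are counted per (account, source) rather than per account alone, the stored password and the reset e-mail path are never touched by the throttle, only the e-mail is accepted as a login identifier, and every failed attempt is logged so the owner has a trace. The thresholds, the `Account` class and keying on a source IP are assumptions made for illustration.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy values for this example (assumed, not any real service's).
MAX_FAILS_PER_SOURCE = 5     # failures from one source before that source is throttled
SOURCE_LOCK_SECONDS = 900    # how long a throttled source must wait for that account


@dataclass
class Account:
    email: str
    username: str      # public handle; deliberately NOT usable as a login key
    password: str      # plain text only to keep the example short; hash it in real code


class LoginGuard:
    """Throttle keyed by (account, source): a stranger spamming wrong passwords
    throttles only their own source, never the owner, and never resets anything."""

    def __init__(self, accounts, clock=time.time):
        self.by_email = {a.email: a for a in accounts}
        self.clock = clock
        self.fail_log = []                 # audit trail: who failed, from where, when
        self.fails = defaultdict(list)     # (email, source) -> timestamps of failures

    def _throttled(self, key, now):
        recent = [t for t in self.fails[key] if now - t < SOURCE_LOCK_SECONDS]
        self.fails[key] = recent           # drop expired failures
        return len(recent) >= MAX_FAILS_PER_SOURCE

    def login(self, identifier, password, source):
        """Returns 'ok', 'denied' or 'throttled'. Only an e-mail identifies an account."""
        now = self.clock()
        key = (identifier, source)
        if self._throttled(key, now):
            return "throttled"
        acct = self.by_email.get(identifier)     # a username lookup finds nothing
        if acct is None or acct.password != password:
            self.fails[key].append(now)
            self.fail_log.append({"identifier": identifier, "source": source, "at": now})
            return "denied"
        self.fails.pop(key, None)                # success clears this source's counter
        return "ok"

    def reset_requested(self, identifier):
        """A reset mail goes out only for a registered e-mail; nothing is invalidated."""
        return identifier in self.by_email
```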