Recent Account Hacks

[BMSteve]

Since Affinity like many other forums and organizations can't keep my personal details safe I want to delete my account and have all my details permanently scrubbed.

How can I do that, there is no delete account option ?

[AffinityMakesMeWonder]

Guys, why start yet another thread about this issue?

You can post into the official thread instead…

[SFurniss]

@BMSteve

Please email dataprotection@serif.com from the email address in use on the account you want to be deleted clearly asking us to delete the account. We'll then get back to you within thirty days in line with GDPR requirements.  

[Guest]

1 hour ago, SFurniss said:

@BMSteve

Please email dataprotection@serif.com from the email address in use on the account you want to be deleted clearly asking us to delete the account. We'll then get back to you within thirty days in line with GDPR requirements.  

Why do you have to make it so difficult that we need to ask here how to do it? Add an option in the settings

[carl123]

13 minutes ago, JonathanDe said:

Why do you have to make it so difficult that we need to ask here how to do it? Add an option in the settings

What if someone hacked into your account (or mine) and hit the delete account button?

I much prefer Serif to ask me to email them from the same email address in use on the forum account, as some sort of verification that it is truly me requesting my account to be deleted.

Think what would happen if I hacked your online electricity supplier account and they did not check/verify that it was you when I requested, they stop supplying you with electricity - what fun that would be!

 

[v_kyr]

6 minutes ago, carl123 said:

What if someone hacked into your account (or mine) and hit the delete account button?

What if someone hacked into your account and got your used email-address from here, then sends the request for your account deletion?

9 minutes ago, carl123 said:

I much prefer Serif to ask me to email them from the same email address in use on the forum account, as some sort of verification that it is truly me requesting my account to be deleted.

Could be automated either way, as do other services too, by sending first an confirmation email with an additional confirmation link.

[carl123]

5 minutes ago, v_kyr said:

Could be automated either way

It's automation that causes a lot of cockups/mistakes/hacks

I much prefer a highly trained human dealing with sensitive/important issues

[v_kyr]

9 minutes ago, carl123 said:

It's automation that causes a lot of cockups/mistakes/hacks

I much prefer a highly trained human dealing with sensitive/important issues

I can argue the opposite, that humans do a lot of errors too here, or do respond very late (if at all) to such requests. Thus well-tested out automation processes do reacts much faster than any human operator could here.

Creating an account for a forum and posting contents are automated processes here, there is no human involved in order to be able to do that, so it's logical to also automate an user requested account removal on demand.

[carl123]

7 minutes ago, v_kyr said:

Creating an account for a forum and posting contents are automated processes here, there is no human involved in order to be able to do that

I think you will find that all first posts have to be approved to prevent spam bots using these so-called perfect automation systems from spamming the forum

The approval service is done by those pesky humans

[walt.farrell]

46 minutes ago, v_kyr said:

What if someone hacked into your account and got your used email-address from here, then sends the request for your account deletion?

While it was easy to pretend to be someone else and forge an email "from" header using a basic email client, some email providers are now using spam prevention measures (e.g.,  DKIM, SPF, and DMARC) that will cause receiving systems to reject the email if it does not actually come the expected originating system. That helps prevent some fraudulent requests such as you mention, though not all. But probably enough, especially for the major email providers, to make an email request a good first control.

Next, I the request will be handled by a human, and (I think) only after a follow-up conversation with the user who requested it. So, even if someone could spoof the deletion request simply knowing your email address, and your email provider doesn't use one of the protection mechanisms to prevent spoofing, they still would need actual access to read your email.

[v_kyr]

1 hour ago, carl123 said:

I think you will find that all first posts have to be approved to prevent spam bots using these so-called perfect automation systems from spamming the forum

The approval service is done by those pesky humans

Here on the forum, on other huger systems with much more traffic many of these things (unsubscribe, remove account) are (as already said) by software performed automated processes. - Think about online stores, or some bigger sites newsletter subscribe/unsubscribe system features here, there is no human who has to check and approve 200K daily requests.

49 minutes ago, walt.farrell said:

... Next, I the request will be handled by a human, and (I think) only after a follow-up conversation with the user who requested it. So, even if someone could spoof the deletion request simply knowing your email address, and your email provider doesn't use one of the protection mechanisms to prevent spoofing, they still would need actual access to read your email.

Of course there is nowadays better email protection by providers and it's also a reason why most of them moved over to strict TSL 1.3 usage instead of weaker former versions, in order to prevent some MitM attacks etc. - But the main point here was and still is, that the forum software here could overall offer to ease an user requested account deletion process. And since having an obligatory email address is the main way to create and sign up for a forum account (no valid mobile phone number and further data is needed), a 2FA Email approach is also usable for the forum as on user demand automated request to remove her/his account.

[walt.farrell]

26 minutes ago, v_kyr said:

Here on the forum,

Which is what we're discussing. New user accounts on the forum are automatically approved, by emailing the user and having the user click a button.

However, no posting is allowed by that user without manual human verification.

[walt.farrell]

6 minutes ago, Margriet said:

I also activated the google identify app, but I can still login without it.

The 2FA is not required for logging in. From experimenting, it is used to protect some of your account information (display name, email, password, etc.) from changes, and some (device information) from being viewed or changed.

[Patrick Connor]

26 minutes ago, walt.farrell said:

The 2FA is not required for logging in.

on an existing device only. These are the current settings once you have turned 2FA on. (which is optional for members and required for Admins and Moderators)

 

[v_kyr]

4 hours ago, walt.farrell said:

New user accounts on the forum are automatically approved, by emailing the user and having the user click a button.

That's pretty much the same approach I named for a possible automatically approved unsubscription/account-removal process.

4 hours ago, walt.farrell said:

However, no posting is allowed by that user without manual human verification.

if the company has the time and the staff to do it that way fine, then they could set it up in a similar fashion for account deletions too. - For endusers what counts more and thus is usually more important, is to have a hazzle free capability to unregister/unsubscribe too. So to press somewhere under their profile just some optional confirmation button, instead of explicitely sending emails, with some explanatory texts, to some specific email-account here!  - What then happens behind the scenes, aka if some human person first crosschecks all that, isn't maybe that relevant for endusers as far as their request is handled in some reasonable time here.