A WORD ON SECURITY

I looked too deeply into the pit of many services

Gianna Brachetti🐙Truskawa
7 min read · Jul 23, 2022
[Screenshot: Google’s Password Checkup says that I have 24 passwords that might have been compromised.]
Google’s Password Checkup informing me about my Saturday activities

A quiet Saturday morning. An email from Zalando, but in Estonian: You have requested to change your email address. Well, I surely had not, and thus started my journey into password and account recovery.

The Zalando story is a thing of its own, and as I am typing this, my account recovery is still ongoing. This prompted me, however, to check whether any of my passwords had been compromised. I had not used this account in a long time, so it was possible I had re-used the password somewhere or forgotten to activate 2FA.

Google Password Checkup to the rescue. 24 passwords compromised, many more in danger. For some of these, I do not even remember ever having had an account, so I grab a cup of hot chocolate and get to work, naively assuming that I will at least be able to reset my password with those I have still been using. Buckle up, this is going to be a surprise.

[Screenshot of Google’s Password Checkup. Apparently my account for leapforceathome.com has been compromised. No clue what it is, and it redirects to something different.]
What was that again? I honestly do not know.

Is this still on?

[Screenshot: One of many services that leads you into the void]

Turns out, a few online shops or services I have been using have in the meantime been bought by other companies; the website I registered with years ago now redirects to the new one. Obviously, you cannot log in with your account because you never had an account with that new service. Can you be sure the old company has deleted all the information they had about you? Can you be sure your password is not still saved somewhere, unencrypted? You cannot.

I guess the only thing that remains to do is to add these services to your list and eventually contact every single provider, asking them nicely to find your information and delete it. Which, I am sure, will most likely still not happen, GDPR or not.

[Screenshot: Upon trying to log in, it says “We are sorry. There was an unexpected error when handling your authentication request to identity provider.”]
I don’t even remember what account that was

Blinkist

Google’s Password Checkup will tell you to change it in the app; the app, however, only lets you change your email, not your password.

Does this make any sense?

Nowhere does it say that you can do this via their website, but you can.

Happy Cheeze

[Screenshot: Me trying to log in and change my password with their new domain. What was I even thinking.]

If you’re not living in Germany, you might not know them. They produce extremely good vegan cheese based on fermented nuts. Like, really damn good. Turns out they wanted to find investors and renamed their company. New website, everything. You guessed it: Did I ever receive any information via email? Nope. Can I change my account details now? lol. They do make really fucking good cheese though, check it out.

Dropbox

Turns out I had an old Dropbox account for an email address I had almost forgotten about. When logging in with my old details, Dropbox asked me for an audio challenge to prove I am human. Human as I am, I failed to hear the numbers correctly the first time, but if you try the audio challenge a second time, they lock you out saying “Use of the audio challenge for this user has been too high. Please try again.” Quite the infinite loop they send you into now, isn’t it.

While it is great that they try to add another layer of security via audio captchas, when that is the only option offered and it is not even working correctly, they are failing accessibility. Which makes password changes, 2FA activation, or account deletion tedious to impossible. Yay!

[Screenshot: Dropbox asked me for an audio challenge to prove I am human, but since I failed the first time, I cannot do it a second time. It then says “Use of the audio challenge for this user has been too high. Please try again.”]
Dropbox audio challenge fuckup

Digital Doughnut

Let me be honest with you, I have no clue what digitaldoughnut.com even is or what led me to have an account there. Maybe age got the best of me; I do not remember ever registering at all, yet Google claims I did save account details for that one. Which leads my paranoid self to try and change it. Which doesn’t work.

When my login failed, I tried to reset my password, but they claim the user is not found. Good then?

Facebook

Since Facebook can be used as a login for many other services, it is crucial you change your details there, too, and add two-factor authentication (2FA). Luckily they offer multiple methods, yet could do with a usability overhaul. When I changed my password, they immediately prompted me to check my previous logins from other devices and services, as well as to enable 2FA if I had not yet. Does any of that contain a link I could click on? Not at all. You’ll have to find your own way.

[Screenshot: Facebook user prompt to review their account after they changed their password. It gives you two options: 1. Review other services, 2. Stay logged in. Neither of them is clickable though.]
Clicky clicky nothing happening me not happy

Xing

Not a fan of the service, but I kept it in case old friends would like to get in touch. Now here we are: my password might be compromised as I have not changed it in many years, and I successfully locked myself out. They offer to send you a code to get back in so that you can finally delete or update your account info, but alas! that code is never coming, no matter how often I request it to be sent.

[Screenshot of Xing asking me for an activation code that is sent to my email address. That code is not sent, so I requested it again, and Xing is telling me they sent a new code, and the old one is no longer working.]
Xing, you are so beautiful when you lie.

Remember Ello.co?

I clearly did not, and I was very fond of the idea back in… 2013? Well, I cannot get in there either. Guess who doesn’t get an email to get back into their account? Yup, your favourite Tentacle Quing. Guess they could somehow smell that I considered deleting it.

[Screenshot: Where’s my email, Ello?]

Apparently I still get new followers there though?

[Screenshot: Gmail notifications that three different users started following me since March 2022]
Who cares, Ello. Who cares.

The cherry on top: My bank account

Amazon also decided they wanted to piss me off today and weirdly did not allow an order of a whopping 5 EUR if paid by my credit card. Made me suspicious, but the card is fine, my account doesn’t show any weird movements, I have 2FA on Amazon and so on, so what. I figured I could just use my debit card instead, which requires 2FA for each transaction via an app. A relatively new development from my bank.

Sounds like a good idea, until you need to reinstall the app. You need a QR code sent VIA POST by the bank in order to be able to use the app again. Yes, you can request the code via the app, but then it miraculously says there was an error, please try again.

No problem, I’ll just log into my bank account and send them a message. That’ll surely work?

Nope, you fool! In order to send messages, you also need to verify it is you via the SecureGo Plus app, which is the very reason I’d have to send them a message. Are they available via phone over a weekend? Ha… ha.

[Screenshot: Ran Google Password Checkup again and it says I have come from 24 compromised passwords down to only 4. Wohooh.]
Yay.

Now I am reaching the end of my capacities. Only 4 compromised passwords to go, and a couple of reused ones (probably from before 2010 tbh, and before you tell me off now, think again and think really hard whether you might not have (had) any skeletons in the cupboard). The compromised ones are those that I was not able to delete or change due to any of the mess on the service providers’ side, so I’ll call it a day for now (and call my bank on Monday, bloody hell).

What do we learn from this?

Oh, folks, I don’t know. Use 2FA, change your passwords frequently, use a password manager, yadda yadda. But you know what: it’s not always the users. For us, the most important take-away is: do not trust anyone handling your data. Systems will fail, and humans will forget to look into that.

Service providers: This is on you.

  1. Allow users to use 2FA. You’d be surprised how many do not.
  2. Allow users to always, and everywhere, change their password.
  3. Work on usability and accessibility. MAKE IT EASY FOR EVERYONE. Depending on what private information they had saved in their account with you, they might want to hurry to make it unavailable to anyone who is not authorised to have it.
  4. Monitor your systems and make sure they work, e.g. if you send people a code to allow them to get back into their account so they can prevent identity theft, SEND THE BLOODY CODE. And send it immediately.
  5. Inform your users if your service is discontinued and what happens with their data, esp. if it might be continued by another company. Delete ALL of their information if they have not reacted to your notice after a specific period of time.

Now I could find you some resources on how to create safe systems for your users, encrypt their data correctly, make them accessible, and monitor whether the services that keep them safe are working at all times, but that would be working for you for free after I already spent hours of my time trying to find a way into your systems to make my old accounts disappear or inaccessible to others. You’re welcome.

Gianna Brachetti🐙Truskawa

Interntl. SEO Expert by day. Flatmate of an octopus & amateur poet by night. Non-binary. Tends to prefer music over people at times. ʎ|y