To protect your privacy: email us with billing or account questions instead of posting here.

Deleting account and starting over - verification?

hydraSlav
hydraSlav
Community Member

I was trying to get a feel for the process of deleting an account to start over. My concern is for a malicious user attempting to delete my account.

However I wasn't able to find any link on how to proceed. So let's say a malicious user pretends to be me, and requests you to delete the account and start over. What sort of validation does the bad user have to provide to pretend to be me? I am concerned with social engineering here... unbreakable encryption is great and all, but not that useful if someone who can sound convincing enough can destroy it.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @hydraSlav

    This is a great question, and I’m glad folks are thinking in these terms. It can be valuable to understand the ways in which someone might attempt to compromise an account such that proactive steps can be taken to prevent any harm.

    I assume you’re talking about a case where someone writes to us and says they’re completely locked out of their account, with no way to recover themselves, and that they’d like to start fresh. In cases like that, and really any case where we’re making changes to an account, we verify that the person writing in can receive emails to the email address on the account. Simply sending an email is not good enough, as email headers can be spoofed. Once we have verified that the individual can receive emails sent to the appropriate address we will then send a special email to that address which will allow the account to be marked for deletion. We do not actually mark the account for deletion ourselves. That action is performed by the customer (or, in a worst case scenario, whoever is receiving their emails).

    No data is actually lost at that time. If by some chance there were a problem it would be possible to reinstate the account and all associated data.

    Long story short the ability to receive emails at the email address associated with the account is the verification.

    I hope that helps!

    Ben

  • hydraSlav
    hydraSlav
    Community Member

    Thanks @Ben that helps.

    Kinda reinforces my inclination that main email password should never be kept in a password manager (writing a post about that now)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @hydraSlav: I'm not sure I follow. If you have your email account credentials in 1Password, someone would already have to have access to your account to get it...and then they could just delete it from there themselves if they wanted to. Did you have something else in mind?

  • Yeah, I have to say I don’t agree with that premise at all. :) Not sure why you wouldn’t protect one of your most important accounts.

    Ben

  • hydraSlav
    hydraSlav
    Community Member

    @brenty No, what I meant was: If my email password was saved in 1P, and I forgot my Master Password, I would not be able to even "delete and start over" cause I would not be able to confirm my identity to 1P support team without having access to my email, as @Ben said.

    And I wouldn't go creating random email address just to sign up with 1P for the second time (or third)

    As for attacker gaining access to my vault and email password that was saved in the vault, I made a post here listing all the reason why email password shouldn't be saved in a password manager.

    I would love to hear both of your comments there. Thank you.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty No, what I meant was: If my email password was saved in 1P, and I forgot my Master Password, I would not be able to even "delete and start over" cause I would not be able to confirm my identity to 1P support team without having access to my email, as @Ben said.

    @hydraSlav: Ahaaaaaa. Okay. That's where I was confused: you not being able to delete your own account is a very different problem from the original premise of this discussion regarding the concern of someone else getting you account deleted. So I totally missed that. :)

    And I wouldn't go creating random email address just to sign up with 1P for the second time (or third)

    Well, you could...but if you no longer have access to your email account, it stands to reason that you should setup a new one to use if you are not able to recover it. However, if you are able to get into your original email account again after all, the rest is irrelevant.

    As for attacker gaining access to my vault and email password that was saved in the vault, I made a post here listing all the reason why email password shouldn't be saved in a password manager. I would love to hear both of your comments there. Thank you.

    Hmm. I'm still not understanding what reason you're referring to. Why it would be a bad idea to save your email login credentials in a password manager? Certainly it's a personal choice, so you can choose not to, but there's not a security risk to storing it there. Quite the contrary. Personally, I save everything securely in my 1Password.com account, and have a copy of my Emergency Kit in a safe place in case I ever need it, so I'm good. :sunglasses:

This discussion has been closed.