Nike.com allows easy account takeover
I am unsure whether to post this as it exposes potential harm to millions of accounts...
Nike.com apparently lets you take over an account by calling in and verifying the email address and phone number associated with the account.
My account was just hacked, someone called in and used my information to change the email address to my name @outlook.com (same as my gmail account).
Their only solution was to delete my account. This is terrifying. Someone did this with my eBay account. They changed the phone number, email (same email, except it was @outlook.com), and password. Thankfully, eBay has an account takeover department that helped me fix the issue within an hour. For fun, I ended up emailing that @outlook.com email asking them why/how they did it and they just replied back "why can't you just let go of it...".

> This is not a bug bounty program. We make no offer of reward or compensation for identifying issues. But at our discretion, we may still choose to thank you

Cool. I guess no whitehat will ever tell them anything. Better than immediately and zealously trying to prosecute people I guess.

Thanks for sharing your story! A decent amount of disclosure programs explicitly call out social engineering as unacceptable conduct and submissions. However, social engineering is a very valid method for attackers and in many cases offers the path of least resistance. While I understand why companies don't want good faith security research to call and try to trick the human factor, this is still a very real attack vector that needs attention and to be fixed, as in what you've described.

Can't you just call in and change it back then?

They said they couldn't change it back. They said they would have to delete the account. So far, it's been referred to the "Elite Support" team... waiting for info.

So you're saying they can't just do it?