Someone changed email address on my account!

[Steven Lingenfelter]

I just received an email notification that someone had succeeded in logging into my account. I went to attempt to login and my password did not work. I clicked the link to reset my password and saw that my email address had been changed to the domain of a customer of mine that recently started using a different company for support. I take that to mean that this customer called in (after trying to reset my account password numerous times - I received those notification emails as well) and talked to someone in support and that person in zoneedit support updated the email address in my account to this person's email address so that they could reset my password - rather than directing that customer to create their own account and moving their DNS zones to their own account. How is that ok? At this point I don't remember if I had any other domains on my account (at one time I did but it has been some time since I needed to login to my account) so potentially a COMPETITOR of mine is now logged into my account. Again, how is that ok?

 

[sandy]

hi there. Please reply with a domain name or user ID.. You can send it in to access@zoneedit.com and we'll take a look

thanks
sandy

 

[Steven Lingenfelter]

I just sent it.

 

[sandy]

replied.

thanks
sandy

 

[Steven Lingenfelter]

Well, as much as I appreciate you creating them a new account and transferring the zones to that account, I have to ask. Why would I continue using this service or ever look at expanding my use of it when your support in collusion with this customer can be allowed to do what they did? I can’t tell you how much this disturbed me. It was a complete breach of trust and unheard of in any industry for tech support to change contact information so that someone could gain access to someone else’s account, especially when the contact information wasn’t even on any of the hosted domains – neither my original contact info nor what you changed it to was on any domain hosted by you. It would have been JUST AS EASY to have created the customer an account THEN and transfer the domains THEN. Had I been using Zoneedit as my primary DNS provider (thank God I wasn’t), as I had at one time intended, then ALL of my customers would have been exposed to this customer who was allowed to “hack” my account and then to the IT Service Provider that they then gave access to my account. “Fixing” it has really become less the point. My only point in restoring access to my account is to see what other services I have there and transfer them as quickly as possible to an organization that understands that you cannot do this sort of thing – EVER.

 

[sandy]

the account only contained the two domain names that we were contacted about so no other domain would have been affected. It is our normal policy to have a new account created for this purpose but as the account of concern
contained only the two domain names we were contacted about, and were provided authenticated domain ownership proof... access was granted. i am very sorry for the inconvenience. The support representative who handled this support concern has been reminded that our policy requires a new account to be created.

thank you
sandy