Account recovery for Aaa839
Closed, Resolved · Public

Description

aaa839 has regained access to his account.

This thread raised a curious investigation about the behaviour of password recovery when
(1) the account has an unauthenticated email address, or
(2) a local account and SUL have different email addresses attached to them.

Interested stewards and devs should read the thread to find out more.


Carried over from this Meta thread.

An editor (whom some of us have met at Wikimania) has lost his account and got in touch off-wiki to see if it is recoverable. "Email this user" is not enabled on his account and he says he tried the recover password option but didn't get any email - I guess he simply hasn't attached an email to his account.


Identity checks

Account status

Account holder knows and has access to the mail address linked to the local accounts.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Feb 9 2017, 10:55 AM
Aklapper added a subscriber: DerHexer.

(I've set Security here but please note that this task is not access-restricted.)

Dereckson added a subscriber: Dereckson.

So, the first step is to check the identity of the requester.

The easiest thing in this case could be the web of trust: has the requester met other Wikipedians at Wikimania or other events?

Dereckson added a subscriber: dungodung. · Edited · Feb 9 2017, 11:06 AM

According to this page, @dungodung confirms to have been in contact with the user.

@dungodung: did you contact him by phone / webcam or irl? If so, we progress towards the identity verification.

As a former steward and still trusted user with a lot of involvement in our movement, I'm inclined to trust @dungodung.

dungodung added a comment. · Edited · Feb 9 2017, 11:18 AM

The Ranko Nikolić problem has already been resolved within T157191. I believe Deryck is referring to something else that's unrelated to me.

Dereckson reassigned this task from Dereckson to hoo. · Edited · Feb 9 2017, 11:25 AM

Okay, I see this is the message afterwards, and @hoo is already taking care of this.

So:

  • Deryck C. checked Aaa839's identity (how? Facebook isn't enough)
  • @DerHexer confirms we can trust Deryck C. for the check

@deryckchan Next step is you try a side channel to check identity, like irl, phone or webcam.

Bawolff renamed this task from Account recovery to Account recovery for Aaa839. · Feb 9 2017, 2:10 PM
Bawolff added a subscriber: Jalexander.
deryckchan added a comment. · Edited · Feb 9 2017, 2:45 PM

Been in touch with aaa839 by video call per @Dereckson's comment. Let me know what's next - I assume I'll need to pass his contact details to a steward privately?

Reedy added a subscriber: Reedy. · Edited · Feb 9 2017, 2:50 PM

FWIW, he does have an email account set, but is a Yahoo one... And it looks like it was never authenticated. I wonder if it's just the usual ongoing Yahoo email problems?

Will have a look at the BounceHandler logs and see if anything pops up

EDIT: Nothing in BounceHandler logs...

Do we send password reset emails to users with non authenticated email addresses?

Dereckson updated the task description. · Feb 9 2017, 4:30 PM
hoo added a comment. · Feb 9 2017, 7:10 PM

Do we send password reset emails to users with non authenticated email addresses?

We don't… I guess we could trigger another confirmation email to the email address already set on the account, if that would be helpful here.

Reedy added a comment. · Feb 9 2017, 7:12 PM

Do we send password reset emails to users with non authenticated email addresses?

We don't… I guess we could trigger another confirmation email to the email address already set on the account, if that would be helpful here.

Presumably it would... If that is the user's email (still)

When aaa839 read Reedy's comment that the account had a Yahoo address, he wrote to me

"my yahoo should be [email address redacted]
that the only one which is my real yahoo,other than this was not my Yahoo
mail address"
(verbatim text conversation quote)

So I think it's worth trying to send an email to that unconfirmed Yahoo address.

Legoktm added a subscriber: Legoktm. · Feb 9 2017, 8:38 PM

Do we send password reset emails to users with non authenticated email addresses?

Yes, we do.

Reedy added a comment. · Feb 9 2017, 9:26 PM

FWIW, @deryckchan emailed me to confirm the address is set, and indeed, the one he thinks it should be, is the one it is -- and it is :)

Dereckson added a comment. · Edited · Feb 9 2017, 10:12 PM

Do we send password reset emails to users with non authenticated email addresses?

Yes, we do.

@deryckchan So, as the reset password feature should work and reach the right mail, could you ask Aaa839 to check the spam folder?

Dereckson updated the task description. · Feb 9 2017, 10:13 PM

@Dereckson I asked him to check the Yahoo email address that @Reedy confirmed was linked to his account. He says "spam folder, main inbox nothing was Wikipedia related"

Maybe password reset doesn't work with unauthenticated email addresses after all?

Reedy added a comment. · Feb 10 2017, 3:13 AM

Who triggered it and from what wiki?

@Reedy "just a few minutes ago in zh wiki", said aaa839

Reedy added a comment. · Feb 10 2017, 9:59 AM

No bounce records or bounce log

I've just manually authenticated their email address via MW

@deryckchan I just noticed that on his "globaluser" from CentralAuth, the email is different, and is an MSN one... Do they have access to that?

Reedy updated the task description. · Feb 10 2017, 9:59 AM

The CA email is going to override anything the local wiki databases have...

The CA email is going to override anything the local wiki databases have...

Yeah. I'm sure I looked before and I don't remember it being different. But cannot swear to it

deryckchan closed this task as Resolved. · Edited · Feb 10 2017, 12:12 PM

Thanks everyone for the help. I read from aaa839 this morning that he had recovered his account.

Further details:
He said he suspected the password reset email tripped off an email filter in his Yahoo mailbox, so he disabled it, asked for two other password reset emails from two different Wikimedia sites, and there it was. This happened at about 04:30 GMT - before Reedy's comment at 09:59 GMT (T157671#3016341) that Reedy had manually authenticated aaa839's email address. He also received a password reset email at his MSN email at about the same time. The Yahoo email address received the reset email triggered by the English Wikipedia; the MSN email address received the reset email triggered by the French Wikipedia.

So I'm not sure what made the difference (@Reedy, did you manually authenticate his account a few hours before you told us about it?)... but he is back in his account.

deryckchan updated the task description. · Feb 10 2017, 2:21 PM
Reedy added a comment. · Feb 10 2017, 3:30 PM

So I'm not sure what made the difference (@Reedy, did you manually authenticate his account a few hours before you told us about it?)... but he is back in his account.

Nope, I did it just before I posted...

I guess the frwiki one was @Dereckson... I tried to trigger some from zhwiki after authenticating the email... But they seemed to give errors (it flipped back to Chinese after submitting, so no idea what it said)

At least it's fixed! :)