Nike.com allows easy account take over

16 points | sem000 | 3 years ago

I am unsure whether to post this as it exposes potential harm to millions of accounts...

Nike.com apparently lets you take over an account by calling in and verifying the email address and phone number associated with the account.

My account was just hacked, someone called in and used my information to change the email address to my name @outlook.com (same as my gmail account).

Their only solution was to delete my account. This is terrifying.
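The takeover described in the post hinges on a support flow that treats knowledge of the email and phone on file as proof of ownership. As an added illustration (not code from Nike or from anyone in this thread), the following contrasts that knowledge-based check with a possession-based one that sends a one-time code to the phone already on file, notifies the old address, and keeps a single-use reversal token; the account data, outbox and helper names are all constructed for the example.

```python
# Added illustration, not code from Nike or from this thread: two versions of a
# support-desk "change account email" handler. The weak one accepts a caller who
# merely knows the email and phone on file (the flow the post describes); the
# hardened one requires proof of control of the phone on file, then notifies the
# old address with a one-shot reversal token. All data here is constructed.
import hmac
import secrets

ACCOUNTS = {"u1": {"email": "alice@gmail.com", "phone": "+15550001111"}}
OUTBOX = []     # simulated deliveries: (channel, destination, message)
PENDING = {}    # account_id -> one-time code issued to the phone on file
REVERSALS = {}  # reversal token -> (account_id, previous email)

def change_email_weak(account_id, claimed_email, claimed_phone, new_email):
    """Knowledge-based check: anyone who knows the email and phone passes."""
    acct = ACCOUNTS[account_id]
    if (claimed_email, claimed_phone) != (acct["email"], acct["phone"]):
        return False
    acct["email"] = new_email
    return True

def start_change_email(account_id):
    """Possession check, step 1: deliver a one-time code to the phone on file."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[account_id] = code
    OUTBOX.append(("sms", ACCOUNTS[account_id]["phone"], f"Your code: {code}"))
    return code  # returned only so the simulation can feed it back in

def finish_change_email(account_id, submitted_code, new_email):
    """Possession check, step 2: verify the code (single use), then notify the
    old address with a reversal token so the real owner can undo the change."""
    expected = PENDING.pop(account_id, None)
    if expected is None or not hmac.compare_digest(expected, submitted_code):
        return None
    acct = ACCOUNTS[account_id]
    token = secrets.token_urlsafe(16)
    REVERSALS[token] = (account_id, acct["email"])
    OUTBOX.append(("email", acct["email"],
                   f"Your email was changed to {new_email}. Not you? Undo: {token}"))
    acct["email"] = new_email
    return token

def revert_change(token):
    """Restore the previous address; each token is valid once."""
    entry = REVERSALS.pop(token, None)
    if entry is None:
        return False
    account_id, old_email = entry
    ACCOUNTS[account_id]["email"] = old_email
    return True
```

The weak handler passes for any caller who can recite the two values on file; the hardened flow only succeeds for someone holding the phone, and even then the previous address gets a way to undo the change.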

9 comments

[+] sc00ty|3 years ago|reply
Someone did this with my Ebay account. They changed the phone number, email (same email, except it was @outlook.com), and password. Thankfully, Ebay has an account takeover department that helped me fix the issue within an hour.

For fun, I ended up emailing that @outlook.com email asking them why/how they did it and they just replied back "why can't you just let go of it...".

[+] nutbear|3 years ago|reply
Thanks for sharing your story!

A decent amount of disclosure programs explicitly call out social engineering as unacceptable conduct and submissions.

However, social engineering is a very valid method for attackers and in many cases, offers the path of least resistance.

While I understand why companies don’t want good faith security research to call and try to trick the human factor, this is still a very real attack vector that needs attention and to be fixed as in what you’ve described.

[+] fron|3 years ago|reply
Can't you just call in and change it back then?

[+] sem000|3 years ago|reply
They said they couldn't change it back. They said they would have to delete the account. So far, it's been referred to the "Elite Support" team... waiting for info.