I was hiking-slash-camping with some friends in the Qumran this week. Known for where the Dead Sea Scrolls were found, it's a plateau on the northwestern side of the dead sea, bordered by tall rocky mountains and the shore of the sea's upper half. Well, the remaining half, to be more accurate, since evaporation and salt sequestration by the Dead Sea Works has rendered the lower half of the iconic salt lake not much more than a sad collection of salt sloughs. Still, the remaining portion of the Lowest Place on Earth™ can be pretty majestic, and it was refreshing to disconnect for a little while.
I was fairly incommunicado for the better half of the week, so when I got back to civilization, I didn't appreciate seeing this in my email:Sure enough, someone had logged into my Newegg account, switched the email address to "firstname.lastname@example.org", changed the password, and placed an order - which mercifully failed to go through, thanks to the attacker not having the CSC on hand to complete the transaction. I'm pretty sure I didn't try to order $99 worth of Xbox Live gift cards while pitching a tent in a mound of salt-encrusted dust, so I clicked over to Newegg's site to see what options they had for customers who had gotten their account hacked. They had no online recovery or recourse other than to contact their customer service, which wouldn't open for another four hours. Timezones. Sigh.When I finally called them and asked to restore my access, the rep said that the only thing they could do was lock everyone out of the account. Why? Because I didn't have the password. Because I can't reset it. Because the email was changed. Because my password was hacked. They wouldn't change the email on it, they wouldn't accept any identifying info proving I was me, they wouldn't do anything that could give me my account back. Again, the only solution they offered was to essentially destroy the account and have me register a new one. Normally I wouldn't have minded, but I've had my Newegg account since 2003, and the order history on it was useful to me. Call me sentimental. But the rep couldn't offer me anything else, and neither could the supervisor I escalated to. Defeated and annoyed, I let them close the account.I have no idea why Newegg has this policy. Amazon, by comparison, offers a much better fraud detection and account recovery system, which I had to use about a year ago when I saw unauthorized charges there. They automatically detected unusual activity, locked everyone out of the account, and canceled the fraudulent orders that were placed before I even noticed anything was wrong. When I did notice, one call to provide some personal information only I could know was enough to make everything peachy keen again. Why Newegg has seen fit to adopt the self-destruction method of account 'recovery' is beyond me.Bootnote: It was definitely my stupid fault for not having a better password on there. It was a crappy old eight-character password that was probably leaked through a recent hash bust (like this one). Actually, scratch that: this tool tells me it's not one of the LinkedIn hashes. Still, I had changed all my passwords since then - except for the Newegg one.