Isn't this flow more or less what you would expect? Could someone suggest what would be the appropriate alternative here?
- The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.
- Persons who lost their phones probably don't have a good fast way of proving their identity, as their identity is tied to their phone number in WhatsApp's model.
- Needing to quickly lock out spammers, thieves or hackers is probably far more frequent than abuse of this feature.
- If abuse of this feature becomes a recurring problem, I'd expect WhatsApp to react and adjust the flow to place more burden on its user.
The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious. Backups are automated and separate. You can still easily re-create an account with the same number then.
The story might be "Apps should stop using SMS and phone numbers as the source of identity", and while I generally agree, most comments don't seem to be about this and WhatsApp is maybe _the_ one app whose success was based on this very idea.
As YetAnotherNick said, logout might be the better word to describe the impact here (plus, a fairly aggressive inactivity deletion period).
I agree with you in principle, but I still don’t understand how else to mitigate this: WhatsApp must get a lot of cases of stolen unprotected phones. The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.
With the continuous improvements in mobile OS security defaults, I’d expect this scenario to become less and less of a problem, but it must still be accounted for.
The process still goes through support ticketing, so I’d expect a spike to be noticed and stopped.
Whoops, my comment isn't very clear, sorry. I meant: "but their account would still be active and in the hands of the thief, if there is no way to quickly deactivate it, e.g. before receiving a new SIM card from their operator that would enable you to prove your identity to WhatsApp."
Do you mean how long is account recovery by the SIM/number owner possible, or how long can the phone thief continue using the WhatsApp account if the owner doesn't recover?
Maybe I misunderstood the comment you and parent comment were making. I interpreted it as "they can recover it via SIM, so the lockout method isn't needed".
My point to that is that it is true, but the lockout would prevent a thief from using it until the new SIM is received. Versus a thief having access until the new SIM is received.
I use telegram instead of Whatsapp, but I would hate for anyone to have any time at all on my account. I'd prefer to immediately lock the whole thing down and figure it out once I have everything sorted.
Since when does logout come with a "we'll delete your account if you don't log back in in 30 days"?
This is just an atrocious flow. A better approach would be a "temporary emergency block", and then give the user a week to sort it out, otherwise the account is automatically reinstated.
While 30 days sounds extreme, I’ve got plenty of warnings in the past 25 years from sites which wanted, and did delete my account because I didn’t visit their site in a specified timeframe, like half a year, or a year.
I got one from Discord a few days ago. I didn't check if it was real or phishing, and I didn't check my password manager. I can't remember why I would have created a discord account so I'll let it go. Maybe I was self squatting.
>Imagine an automated form of this where you can just mass deactivate antagonistic accounts
I wish I had this power for other social media sites, such as Twitter and Nextdoor. I'd just mass-deactivate ALL accounts. The world would be better off.
> The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious.
I've had plenty of times where I'm offline for a few weeks. Would cut it very close to having my entire account deleted.
This is trivial to mitigate with per-account rate limiting.
On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.
I'm not sure how relevant that threat model is (OS level security would probably be enabled for people susceptible to be targeted in such a way. Support could advise to do it before toggling the flag, etc.), but anyway the hypothetical flag would only be about making sure the automation doesn't happen and the ticket goes to support. Support can then manually handle the rare edge case and place more burden on the person attempting to deactivate the account.
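The per-account rate limit and support flag proposed in the comments above, written out as an added example (not part of the thread and not WhatsApp's code). The window, threshold, class and method names are assumptions; the thread gives none.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values for illustration; the thread names no numbers.
WINDOW_SECONDS = 24 * 3600   # sliding window per targeted account
MAX_AUTOMATED = 2            # automated deactivations allowed per window


@dataclass
class DeactivationGate:
    """Decides whether a deactivation request is handled automatically.

    The counter is keyed on the *targeted* account, not on the sender of
    the request: someone abusing the form can rotate sender addresses,
    but cannot change which account they are trying to deactivate.
    """
    window: int = WINDOW_SECONDS
    limit: int = MAX_AUTOMATED
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    manual_only: set = field(default_factory=set)

    def handle(self, target: str, now: float) -> str:
        """Return 'automated' or 'manual_review' for one request."""
        # Once flagged, the account stays out of the automation until
        # support clears it, even after the window has rolled over.
        if target in self.manual_only:
            return "manual_review"

        timestamps = self.recent[target]
        # Drop requests that have aged out of the sliding window.
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()

        if len(timestamps) >= self.limit:
            # The account is being hit at the rate limit: set the flag so
            # this and later requests go to a human, who can ask the
            # requester for more proof.
            self.manual_only.add(target)
            return "manual_review"

        timestamps.append(now)
        return "automated"

    def support_clear(self, target: str) -> None:
        """Support agent action: return the account to automated handling."""
        self.manual_only.discard(target)
        self.recent.pop(target, None)


def demo() -> list:
    """Replay a constructed request sequence and return each decision."""
    gate = DeactivationGate()
    victim, other = "+10000000001", "+10000000002"  # constructed numbers
    hour = 3600
    return [
        gate.handle(victim, 0 * hour),
        gate.handle(victim, 1 * hour),
        gate.handle(victim, 2 * hour),   # third request inside the window
        gate.handle(other, 2 * hour),    # unrelated account is unaffected
        gate.handle(victim, 72 * hour),  # flag persists past the window
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```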
With your suggested approach, the attacker is free to use the account to impersonate the victim until they get a new SIM card, which could easily take days or weeks.
This seems like a degradation compared to the current abuse potential which is mostly limited to logging you out.
>This seems like a degradation compared to the current abuse potential which is mostly limited to logging you out.
I think it depends on who you ask. IIRC there was a stat that showed a substantial % of people only use WhatsApp rarely and they might not notice the deactivation and/or miss the 30 days deadline, getting their accounts deleted.
I can't tell if you're being serious or sarcastic. It genuinely looks like the former but I have to assume it's sarcasm because I can't believe anyone would seriously post this..?
Years ago I bought my dad an Audible subscription, but because it was a gift I signed up with my email address and then changed it to my dad's address on his birthday. Somehow I ended up inside his Amazon account because I used his email address. I guess some of the backend logic is hard to get right the first time.
Another time I was talking to a credit union CTO who was dealing with someone blocking other people's account access by picking a random account number and making 3 bogus guesses to lock them out. At the time the credit union had a policy that required calling them to unblock... which was a PITA on weekends when people need money.
Speaking of Amazon's account process, I have a really annoying problem with theirs. Apparently I somehow managed to create two amazon accounts with the same email address, but different passwords. They have different order histories and addresses and everything, but the account name is identical. It sometimes makes it confusing to tell why an order I placed hasn't shown up.
Interestingly, I can't change the password on one account to the password of the other account. The attempt fails. Which is... somewhat concerning.
This was considered a feature back in the day; it was called MASE - Multiple Account, Same Email. I'm pretty sure you can just change the email on one of them to get out of that state.
The way it was explained to me: originally, Amazon didn't want there to be any barriers to someone making a purchase on the website, not even the barrier of having to reset a forgotten password. So the choice was made to allow people to create new accounts with the same email address (such as when attempting to check out; that's when this would likely happen). Each account was distinguished at login by its email + password combination.
It was indeed called "Multiple Accounts, Same Email", though I only heard that term applied to it much later (after the phenomenon of these accounts was identified as a problem that the company needed to resolve). I don't think it was exactly what I'd call a feature, in the sense that I don't think anyone expected users to do it intentionally, so much as it was "We don't want to lose a purchase to someone getting stuck at the login screen".
The Web and its users have evolved significantly since those early days, and resetting a password by email is no longer the barrier it once was. Among other reasons: web users are savvy to the idea of having accounts, which was not true in Amazon's early days; and email is a lot faster and more reliable now.
Allowing multiple accounts to share an email address proved to be a problematic decision later on for a number of reasons. Amazon doesn't allow this any more, at least not from the primary sign-in screen; it gives an "Email address already in use" error.
Microsoft have a similar problem related to them merging a lot of services but not accounts. I have an old Xbox Live account on my Xbox 360 which I can’t reset the password for since the email/username was the same as for my Skype account and my Hotmail/MSN account back in the days. This mess is still causing me tons of problems anytime I try to log in to something Microsoft related.
Back in the late 90s, there weren't a ton of free email services and most people used an account from their ISP. Extra accounts were hard to come by. If you had a family sharing an internet connection, they might very well share an email address too. This let them have individual Amazon accounts.
So I have an amazon.com and amazon.in account. The latter one is my main account but the former one I created to redeem a gift card I got from a survey.
Seems more like an artifact of Amazon having enabled global logins late into product development than a "feature" to me.
Are you sure it's two accounts? I am using the same login on two different Amazon sites as well, but I'd call that SSO more so than "two accounts on one email address", since all data is separated by country, but the email and password are the same.
Maps to the account me and will (if configured correctly) put the mail in a folder called folder if such exists.
The reason you might want many accounts with the same email seem many to me if you don't realise that you can create arbitrary distinct emails this easily.
Yes, that's exactly what plus addresses exist for!
It seems to me like all benefits of the "exact same email, multiple accounts" feature are vastly outweighed by the inconvenience for users simply forgetting that they already have an account, and creating a second one by accident that way.
I mean, even I end up almost creating an account by accident every now and then (mostly on sites using the horrible "signup is the default, login needs one additional click" pattern), and I do so using autofill from a password manager!
Indeed! And even worse, some services will happily accept "+" in email fields, but then some part of the service fails to encode the "+" sign correctly, so some features may be broken in unexpected ways.
Sometimes you can't even contact Customer Services because "your account doesn't exist" (because you cannot feed the correct email address to their customer service site).
Thankfully it's rare, but when it happens it's extremely infuriating.
Just so you know, that plus-hack is by no means universal (in addition to the frustrating “you can’t use a plus sign” thing you’ll encounter at various email fields around the net).
Gmail supports it. Microsoft does not. Neither does Yahoo/AOL. It likely was not widely supported in the 90s either. It’s a nice hack but it doesn’t solve every problem.
You are not alone!!! I am in the exact same situation. I've told this to so many people and no one believes. I'm stunned I stumbled on this. Small world
Is it possible that one account was created using an email address and the second account using a phone number, and then somewhere down the line each account got updated with the missing information so that now both accounts look identical?
I had a similar issue when I created two accounts on different regions using the same email address, then Amazon started operating in my country and they started redirecting one of the accounts to my country, leaving me with a mess of two accounts that would randomly connect to three different regions.
It was really annoying as I would login on my browser to one account normally, but when I ordered an Amazon stick, it came with a different account from a different region preinstalled and would complain I hadn't signed up for Prime.
I ultimately fixed the issues by manually changing the email on each account to a different address, but it was very confusing until I figured out what was happening.
Oh well, not Amazon but I got stuck in the ecommerce of a large shop chain. I can't register because they tell me I already have an account. So I use that email to recover the password but I can't because the account must be activated. So I ask for an activation link but I can't because that account doesn't exist. I guess they have different databases or microservices taking care of different steps of the registration process and something crashed at the wrong time and my overall record is inconsistent. I gave up a couple of years ago. I buy from them when I go to one of their physical shops.
Holy crap I did this on accident when I tried signing up for an Alexa skill in the Alexa app and accidentally created a new account with same Amazon.com email address, then got flagged for suspicious activity cause I was on a VPN and got blacklisted. It took so many calls for customer support to acknowledge there was even an issue and they still told me to just use a different email in the end. I was passed and just made a new Amazon account with the original email address, but simply added a period in the middle and still use it while locked out of the other original account. It’s bonkers lol
I have no idea if this would work and don't want to risk messing it up for myself, but have you tried changing (one of) the account emails?
On the website go to the Your Account page ("Account & Lists" dropdown -> "Your Account" section -> "Account" link, which goes to https://www.amazon.com/gp/css/homepage.html ) and click "Login & security" to get to it. Same place you'd update your password/etc.
Maybe that would work, but I'm also concerned about messing something up. In particular, tripping some bot detection/account duplication algorithm and getting my account banned and all its content gone. I'll suffer the small annoyance rather than risking the black swan disaster.
I wouldn't worry about that. I've had multiple Amazon accounts (with different emails!) going back many years. Never been an issue. They even make it easy to switch between them with the "switch accounts" function.
I've done this, but I was pretty sure I managed to have both accounts with the same password at that point in time. On the plus side, you can change email addresses, so now I have amazon@ and amazon2@ and all is sensible again.
They're on the same TLD; amazon.com. I assume they were merged from some service Amazon bought and combined user accounts with, but I honestly am not sure.
Someone with my name bought a new iPhone in Bismarck, ND last week. They gave AT&T my iCloud email address which is firstname.lastname. An honest mistake, I guess.
AT&T dutifully asked 'me' to confirm my email address. I did not.
Aaaand... now I still get all of his account email. So what's the point.
I've been struggling with this for years - but with a fun twist. My gmail address is first.last, and someone in the UK keeps using it - but they do not have remotely the same first name, and they don't spell their last name the same as I do (the single-L in my username here is a less common deviation, their surname is the more common variant).
Years. I've closed netflix accounts, I've sent them sms from their telco's webtext portal asking them to stop, and still there's a koneill out there who is very, very confused about why his email doesn't work. I know where he lives, I know what pizza he ordered, I know his name, his phone number, I just don't know his email address. And apparently, neither does he.
The number of services that fail at email validation (or keep sending you reminders, forever, that you haven't validated), blows my mind. For such a simple process, that seems to exist on every single service I (and koneill) sign up for, it has a surprisingly low rate of successful implementations.
There is a woman in another state that must have a gmail address very close to my wife’s. We know when this woman gets Botox, how much she pays for her kids dance lessons (a lot!), and so much more. You would think she would realize at some point, but it has been years and my wife still gets so much of her mail.
I used to get email for a guy in California when he would buy something from Harbor Freight, rent a movie from Redbox, or order a pizza. Those started tapering off about a year ago, so he must have figured it out.
The strangest one was I was receiving email for a colonel in the US Army! For a few years I kept getting these group emails to all these army officers about upcoming training exercises. I thought about replying to let them know they shouldn’t be sending them to me, but was worried about getting in trouble, so never did. They continued for years, but finally stopped. I always wondered if the guy had a .mil address and accidentally used gmail.com.
I have a similar problem. I have a half dozen different people sending their emails to my gmail account. One of them is a woman who signed up my address for her health care provider, and they're quite liberal with what kind of detail they're willing to put in an email. I tracked her down on Facebook and mentioned it to her, and she seemed to get that it was a problem she might want to solve, but to this day I still get all those emails.
As dysfunctional as the legal system seems to be at times, I'd be pretty surprised if she could find a lawyer willing to try that. At the very least, she'd have to pay a fair amount out of pocket just to initiate the suit, and this is someone who already hasn't shown much persistence in just getting the email address corrected with her provider.
A lawyer would presumably tell her that a case against me would certainly fail, and the healthcare provider has much deeper pockets. Go after them.
> How does it work for a paper mail - from what I understand it could be illegal to open any letter originated to some other person's name.
This is a federal law called "Obstruction of Correspondence" and it is fairly specific to USPS mail. It applies to letters & packages that are either in a postal facility (including the mailbox) or have transited through it. It does not apply to email.
For paper mail here in Canada I just see it's not for me, mark a line through it and write "Return to Sender, no longer at address". Then it gets put in the outgoing mail system (a slot where I receive my mail, or could also take it directly to any standing postal box, or the post office). Then it goes back through the postal system (for free) to originating sender in most cases.
For anyone else who runs across this, in the US you want to also put a line through the bar code at the bottom of the letter, so it cannot be scanned. Once a piece of mail gets that code, the post office stops reading anything else on the letter and just delivers the mail to where that code says it goes. So you can toss it back in an outgoing slot with 'return to sender' on it as many times as you like, and they'll just return it to you. Until you get lucky and the mail carrier sees it when gathering up the outgoing mail, and helpfully obscures that barcode for you.
Yep, very similar situation here. I get a lot of email for two different people, one in Texas and one in Leeds.
I also started getting a ton of spam from some cell phone retailer in Jakarta - someone used an email address of mine to sign up for a SIM, it seems, and unsubscribing from their crapflood is behind a password, assuming they'd even honor it. I blackholed their mail server at mine, but that doesn't scale.
And I get an endless stream of "a lot has happened since you last logged in" any time I un-blackhole Zuckerbook, and I've never used them.
At this point, every commercial entity I do business with gets a unique email address so I can turn them off. But that doesn't stop the confused/stupid/malicious from using them.
If I can find the time, I've been wanting to write a new milter-type tool to make it much easier to control which mail servers I'll talk to. Yes, this is how SMTP dies. But at least it will be usable for me in the meantime.
I got a gmail invite pretty early and chose a single Spanish word that's the equivalent of John.
I'm the recipient of bank statements, cell phone statements, medical information, invitations to parties, and answers to HOA complaints. But more than anything, I'm the world's most prolific subscriber to dating websites, and my taste covers the whole spectrum and back.
I keep using the email address to use for low importance stuff. It's also a good way to see that clicking "Unsubscribe" actually works. Or better, the Spanish equivalent: "Darse de baja". I know the words very well.
I'm in exactly the same boat. Eventually I opened one of his phone bills which had his phone number (UK). I rang him and tried to explain the situation which quickly turned surreal.
He argued that I was lying about getting his phone number from his phone bills because he doesn't get his phone bill emailed out to him. I said yes, that is correct. Your phone bill is emailed to me. Eventually I got frustrated with him and told him I was trying to do him a favour and he accused me of hacking his email account.
Then over the next few hours he called me back multiple times to tell me he had called the police, how much trouble I was in, and to tell me to stop calling him and harassing him or he would press charges. I pointed out he was the one that kept calling me, and somehow that registered and he never called back.
He did fix his phone account so I don't get those, but I get plenty of other email for him.
I got a free peacock account this way. They just recently disabled their credit card, but I was able to watch the world cup for free and that's all that matters
I don’t quite know why, but my combination of first and last name on gmail is such that I get email directed at other people with the same name as me, including financial documents. Wild stuff. I would reply with “um you probably should check before sending” but after a while I just started ignoring it.
My gmail address is [email protected]. Not a particularly common last name, and I thought it lucky when I got that address early on. I've since come to view it as mostly a curse.
I get email invoice every time Orkin goes out to spray a house in North Carolina. No option to say "this isn't me", and I've given up calling to tell them after multiple cycles.
The elderly German couple that would email their train itinerary so that their cousin could pick them up at the station. I would politely reply that I am not their cousin, and consequently their cousin would not be at the station. And six months later we start again.
Someone in Canada with first initial + last name that results in my last name kept getting wired money, and I would get an email with instructions. Of course no "not me" option. I haven't seen one of those in a while, hopefully he figured it out.
And so many more stories of people with my last name or close to it happily sending me their email... But I've had the address for practically forever, and really don't want to let it go.
I got service emails for the same year, model, and color Honda Civic that I own from a dealer in the UK. I am in the US. That alone was spooky.
The car was owned by somebody who matched my first initial, last name email address. (Edwin, I believe…)
I tried to unsubscribe. I tried to contact customer service. Nothing worked.
Each email would come with a little video walk around of the car. Eventually I started responding saying that their paint looked better than my car, etc.
I don’t get them anymore. I presume the owner sold the car.
I've received Amazon gift cards, customs approval for a yacht arrival in Vanuatu, spreadsheets from Iraqi oilfields, children's book reports, pictures of dogs meant to be sent to veterinarians, etc etc.
Same situation, but on mine I got emails from some lady on the other side of the world that wanted to adopt a kid, then later she was scheduling some Botox applications, both cases I was half surprised that they didn't double check and half curious to see what comes next.
Same story here, bro. It was really interesting when my cousin's wife emailed me (not thinking it was new) about my cousin's infidelity. That one made me rethink the safety of email addresses
Given there's a couple peeps who can't figure out their email address, I do my best to click on 'not me' or just ignore the confirmations intended for other people. But if I get mail for others that should have been confirmed, I mark it spam, because it is. Sometimes that includes an unsubscribe, which sometimes works.
Hey just fyi: they’re not doing it for the purpose of locking people out. They’re doing a distributed account breakin. Doesn’t matter to the thief whose money they steal, so just try “password” on everyone’s account until you get in.
Years ago I started a Netflix trial account while with the family at my mom's place. I intended it to be for her, and called it 'grandma <her name>'. I ended up paying for it (she never has, directly). But apart from when we're around she barely used it and got back to linear TV (though via internet). Meanwhile, my wife and kids love it and it is among our streaming portfolio (for lack of a better term). So basically it is a Netflix account on someone else's name, though a family member. She kept getting these emails that someone logged in to her account, and every time I answered to her 'yeah that was one of us'. Eventually I changed the email address of the account to my own, and now I keep getting called 'grandma <her name>'. And you know when she watches Netflix? When we're around (well, my kids do then). Now the other day my wife got some kind of confirmation error that this was our account, and ever since the writing's been on the wall that we'll get into trouble on this. Btw, we can only pay for it via gift cards or manual bank transfer. The automated system does not work, and every time it gets our card denied. Honestly, it is an abysmal customer service (my wife tried to sort it out on various occasions w/them; still broken).
Netflix added a way to export your profile's watch history etc to a separate account...
(this is the only reason I could think of why you wouldn't just make a new Netflix acct. lol)
I kind of enjoy these stories since I'm in the inverse situation. I have a [email protected] address with my real name, which is pretty unique. I feel a bit annoyed and paranoid sometimes that, since my name is unusual, a Google search will bring up a ton of personal information that I'd really rather be a bit harder to find. But at least I don't get a ton of emails meant for random strangers who put the wrong email somewhere!
I know periods don't count, supposedly, but I still get emails for someone with the same name as mine. My email is first.last, theirs is firstlast. I wonder how much of my stuff they get erroneously?
You are correct that the period doesn’t count. Both email addresses belong to the same account. A possible explanation is that they have entered your email as a mistake.
Instacart has some sort of similar issue, signed up under my email, changed the email address to my wife, support requests get sent to both of our addresses.
Too bad it didn't work for the entire meta user base. We could free the world. It would be like independence day when they uploaded the virus to kill the mothership.
I get why one would feel this way if this was one of Meta’s social media apps, but WhatsApp is one of the biggest messaging apps used in so many countries and perhaps also helped kill the telecoms companies paid sms plans to force cheaper sms msging rates, if anything WhatsApp is perhaps the best value Meta has provided to the world, bringing the world closer.
Kinda surprised the parent made such a mistake since Whatsapp was very well known in tech circles for charging an incredibly low fee pre-FB acquisition. And the parent's HN account dates from 2010...
They probably got initial funding from investors thinking about a future exit. Investors aren't as interested in a company that intends to simply survive on modest profits forever. This is also why startups tend to magically die when big companies aren't doing well.
I always feel I'm in a twilight zone with whatsapp. Am I the only person who doesn't want or need to give the app all of my contacts, or even register with just phone number? Phone number is such an intensely and irrevocably identifiable token and so hard to change, that using it for pervasive messaging seems insane to me :-/
I hate these apps that absolutely need a phone number. I couldn't pay my bill on my cellphone one month, lost the number and now I can't access either my WhatsApp or Telegram accounts.
You can port your phone number to a voip provider if you will be out of the country for a while. Use a sip phone app, and the "transport layer" sim that you happen to use will have nothing to do with the phone number that is intermingled with your identity.
FWIW, Telegram actually handles this pretty well. You just have to have logged in on another device while you still have your phone. You can use that other device to deauth your lost or deactivated phone and auth new logins on other devices.
Sadly I didn't use Telegram for 6 months and when I went to use it I found out they had a 6 month timeout on your login and it basically wipes your stored credentials after 6 months :(
I'm sure you're not the only one, but in a tiny, tiny minority. Using the phone number as the identifier was pretty much the main selling point of Whats App.
I feel the same way but this wariness is amplified by the fact that I don’t trust Meta. Still, I’d be more inclined to sign up to Whatsapp than create a Facebook account; a few real-world friends have said they’d prefer to use Whatsapp over SMS – particularly for sending photos.
Oh, if you're willing to follow its demands, whatsapp is a super smooth experience. All my family uses it.
But the funnel is brutal. Try signing up from anything but a phone, or try not giving it full permissions, etc etc - and you'll have a miserable time. It's a vicious vicious sweet and alluring Black Mirror episode.
Maybe it would break a lot of things, but my gut instinct is I wish it were illegal for an app to slurp up, even with the user's consent, all of the user's contacts. Any such entries should be manual.
I don't use $SERVICE. I never want to use $SERVICE. I certainly don't consent to $SERVICE having my contact info because some acquaintance/friend/family member who doesn't know any better tapped "allow" on a button. But because it's allowed, any number of immoral companies like Facebook have my info, even though I've made a conscious decision never to use them due to their privacy violations.
well it is by far the most used messenger app in the world with 2+ billion users so in that sense it seems prescient but i'd agree it's still questionable how they'll monetize it.
Yes but the original founders did that. Zuckerberg took it from them and immediately lied about data sharing, there's a reason why the founders left in disgust
One of the co-founders, Brian Acton, has funded most of Signal (~100M USD) in his post WhatsApp life. It is a very hacker mindset solution. Instead of turning to the law to enforce nebulous claims against a megacorp, make a better product with the money you got from said megacorp.
I know "nothing to hide" is never a strong argument but even if Signal is a CIA honeypot, if it keeps my personal conversations from becoming marketing fodder, sign me up!
I'm definitely not a "nothing to hide" guy, but if the CIA wants something on me they're going to find it in 5 minutes. They would only be using a backdoored Signal to get the smart guys; so I guess I have to thank the smart guys for the CIA giving us Signal...
I'll never understand why people don't place value on integrity. I mean day to day people and not stockholders. Zuck controls what happens at Meta, it's not a board decision on stuff like this unless Zuck tells them to do it.
Another very annoying one is when doing "forgot password" changes the password and emails you a copy, so some funny guy can just go and keep doing "forgot password" and it force-changes your password.
This happens on non-government systems too. The only system I've experienced this has been a financial institution's system. Frustrating as it meant I had to make the trip into one of their branches to get it reset.
Apple, e.g. Even when 2FA is activated, and no successful login happened, they will deactivate my account and force me to change my password :/. I had to change my email that I use to log in to Apple.
Apple's system caused me more pain in under 1 second than anything I've experienced in the past. That's on me, of course, for using so much of their hardware and software. But still frustrating.
What happened? I logged into an Apple service from the browser on my work computer. I should have known better, I get captchas everywhere when coming from our corporate network, so it's clearly on someone's shitlist. Well, even though my authentication was successful, including the verify-pin-on-device-you-already-own part, Apple said "this is a suspicious connection" and immediately logged out every last device, invalidated all sessions, invalidated the password so I had to change it. I was still feeling the pain from that for a week or more afterwards.
And now I have a simpler Apple password than the XKCD-style one I had been using, because I got tired of typing it in over-and-over-and-over-and-over.
Is there no solution to this pain that is actually suggested (designed) by Apple? I would expect there is /something/ that they can do for you for a small, recurring fee.
Apple are the worst UI company in the world bar none.
Sum up the total amount of utterly needless pain and wanton destruction of the time of their customers and nothing comes close in the wide field of "computing". Yet they have the "Good ui" reputation, which is insane.
When people got shocked by this 15 years ago I used to ask them: "Do you know /anyone/ who owns an iPod? Think of them, three names. Now of those three do you know anyone who has not had their music collection deleted by apple software against their wishes? Among those three? No? Anyone at all?"
Nowadays there isn't one example that sabotaged literally every user; instead there are many, and it has become: which subset of the Apple customer smashes got you? Ask your friends. Note the solution to pay Apple more.
Apple are the shiny, vicious trap. Google are less shiny so it is impossible to sustain the illusion that they do "good ui." Microsoft haha. And from there Apple have consistently led the way in the race to the bottom of customer abuse - you've got nowhere else to go! You can't survive the modern world without this stuff! But sure, Facebook, Microsoft, Google are really quick to match and desperate to find niches in which they can lead and Apple copy.
There's this insurance aggregator website in my country, where if you ever enter your phone number into their website, without any verification of that number, you get put on some list that elicits 5 calls a day from them trying to sell you insurance. It's crazy.
Several friends of mine had their WhatsApp completely hacked. Basically, hacker would spam recovery, which results in a phone call to the victim. If the victim doesn’t pick up the phone, the recovery code goes to voicemail. Hacker accesses voice mail (password protected yes, but for lots of people it’s a birth year, 1234, 0000, or last 4 digits of their phone), and voila they have access to your WhatsApp. They can’t see your messages but can see all the groups you’re in and message those.
Completely preventable by having WhatsApp 2FA enabled.
Had this done to me BUT luckily WhatsApp has a “pin” feature, which prevented hackers getting any further. Not as secure maybe as a 2factor but saved my day. Highly recommend.
I wonder if it would be possible for someone who is really good at getting media stories placed - buy a bunch of put options and sell just after the story breaks - could this be a profitable tradable event?
Meta is such a big company I'd be surprised if the cost of the options premiums were less than the value that could be harvested... but maybe..?
Digression, story: Years ago I worked in a place where, if you attempted and failed 3 times to log in to your account, your account would be locked and you had to see the help desk in person to prove your identity to get it back. And of course somehow this kept happening to me (perhaps a vengeful or stupid coworker?). Fortunately they changed their methods when one week a whole bunch of people had to see the help desk after their accounts were mysteriously locked.
Assuming you notice it was deactivated within the short time span they give you. If you're a casual user it could get really annoying to show up and be deactivated, most likely when you have a fairly urgent need.
I live in America so I really only need to use WhatsApp when I travel to foreign places so I can contact vendors. That happens maybe once every other year. I'd be pretty upset if I fired up WhatsApp and it didn't work when I really needed to call a vendor.
Using your account for anything more humorous than amateur improv comedy, I imagine. Considering how many downvotes most jokes seem to get on HN, I can't imagine that'd be a problem with this crowd.
Hello, WhatsApp? I'd like to report a stolen phone. Please deactivate the account for ^\+?\d{1,3}[-.\s]?\(?\d{1,3}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,9}$
I know you got downvoted but it's not that hard to find important people's phone numbers. The VIP is probably careful handing out that number, but when it goes into other people's contacts they've lost control of that. All it takes is a click on a random iOS/Android app and the whole contact list is uploaded to who knows where.