Details
-
Improvement
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
3.1.2
-
None
Description
We should notify users about email/password changes on their current email address.
This helps to prevent accounts being stolen by others.
For passwords an email like the one from github could be used:
Hello xyz,
We wanted to let you know that your GitHub password was changed.
If you did not perform this action, you can recover access by entering security@phpbb.com into the form at https://github.com/password_reset.
To see this and other security events for your account, visit https://github.com/settings/security.
If you run into problems, please contact support by visiting https://github.com/contact or replying to this email.
(the named reset password action would need to be added thou).
For emails I would even require a validation of the new address (send activation link or something similar, currently you can lock yourself out of your account), before changing it and also notify the old email when the action has been performed.