Mweb - MASSIVE security concern; recycled email addresses

Zewp · Aug 11, 2013

While we're piling onto Mweb this weekend, I think this is worth pointing out as it is a massive security concern. Mweb reserves the right to recycle your email and give it to a new subscriber after you cancel your account. I'm sure anyone can see why this is a massive security concern for many users.

This comes from their email rules page:

6. Upon cancellation of your subscription you will lose and MWEB will re-claim your username and mail address.
MWEB may re-issue your username and mail address to a new subscriber 90 days after termination of your
MWEB subscription. It is your responsibility to inform everyone so that they do not inadvertently send mail
intended for you to the new subscriber.

http://www.mweb.co.za/legalpolicies/Home/ServicesMailboxrules/tabid/678/Default.aspx

This almost defies belief. How can Mweb give someone a second-hand email address and expect the old subscriber to contact 100s, possibly thousands of people/companies/subscriptions in order to inform them that your email address has changed? If you miss even a single service which might contain critical data (such as credit account information) your security can be compromised.

All I can say is, if you have an Mweb account, by all means do not use your Mweb email address.

froot · Aug 11, 2013

That's definitely dodgy.
But that's why, when you get rid of a provider, to just downgrade to the cheapest service where you can still keep your email address.

Necuno · Aug 11, 2013

Good thing my mails are suspended from my own domain...

Zewp · Aug 11, 2013

froot said:
That's definitely dodgy.
But that's why, when you get rid of a provider, to just downgrade to the cheapest service where you can still keep your email address.

The thing is, after this whole fiasco this week, I don't want to do business with Mweb at all. Not even give them R29 for a 1gb account I'll never use.

MWEBHelp · Aug 11, 2013

Zewp said:
While we're piling onto Mweb this weekend, I think this is worth pointing out as it is a massive security concern. Mweb reserves the right to recycle your email and give it to a new subscriber after you cancel your account. I'm sure anyone can see why this is a massive security concern for many users.

This comes from their email rules page:

http://www.mweb.co.za/legalpolicies/Home/ServicesMailboxrules/tabid/678/Default.aspx

This almost defies belief. How can Mweb give someone a second-hand email address and expect the old subscriber to contact 100s, possibly thousands of people/companies/subscriptions in order to inform them that your email address has changed? If you miss even a single service which might contain critical data (such as credit account information) your security can be compromised.

All I can say is, if you have an Mweb account, by all means do not use your Mweb email address.

Hi, DM me your MWEB details please

Crowley · Aug 11, 2013

You shouldn't be using you ISp supplied email address in any way. Gmail FTW!

Impregim · Aug 11, 2013

This is definitely NOT going down to well in MEDIA coming the following weeks or months to follow.. - So let's see. Either use G-Mail or Hush-mail

Zewp · Aug 11, 2013

MWEB Guy said:
Hi, DM me your MWEB details please

What for? I'm not asking for any help, I'm pointing out to the rest of your customers that one of your official company policies is a major security concern for ex-customers. That policy was pulled directly from your site and I actually can't believe that any company in their right mind would, in the year 2013, have a ridiculous policy like that in place.

Impregim said:
This is definitely NOT going down to well in MEDIA coming the following weeks or months to follow.. - So let's see. Either use G-Mail or Hush-mail

Indeed. Sadly I immediately started using my Mweb email when I got a capped account in 2010, because it meant that even if I got capped I could still access my email. I got uncapped from another provider in 2011 and kept using my Mweb email simply because so many of my services were already tied to the email address.

Lesson learnt, I guess.

Necuno · Aug 11, 2013

Lekker can of ID theft to be opened.

DominionZA · Aug 11, 2013

When I was with MWeb, I got them to make my email a forwarder to my own own email address on my own domain. That way I could still receive their abuse emails once or twice a month but retain my own personal space.
Worked well.

Zewp · Aug 11, 2013

This is Mweb Guy's official response on the matter.

I understand what you are saying.

There is a option of downgrading to the 1Gb account that will enable you to keep your MWEB email address.

In other words, for customers with security concerns over Mweb's email policies, their response is not to do anything about it, but that you should continue giving them money in order to avoid your security being compromised.

Now someone please tell me, how in the living hell has Mweb enjoyed such a good reputation these past few years?

Impregim · Aug 11, 2013

In other words, for customers with security concerns over Mweb's email policies, their response is not to do anything about it, but that you should continue giving them money in order to avoid your security being compromised.

Now someone please tell me, how in the living hell has Mweb enjoyed such a good reputation these past few years?

Good Heavens! What are they thinking/smoking?

Zewp · Aug 11, 2013

I've contacted some of the other ISPs to hear about their policies, seeing as I want to see if this policy is something only Mweb employs or something that many others employ.

So far OpenWeb has responded.

MrBEEP said:
Hi Zewp,

Yes, we do offer a complimentary mail account to all clients.

No, we do not recycle mail accounts, as we find this to be unethical practise. We instead store an ex-clients address in a suspended state in case they wish to recover their address in the future.

If we ever run out of naming convention capacity on our private domain, we will load a new domain in order to load new accounts. However, this will hardly happen as we are not as big as Gmail yet.

Keoma

So that's a thumbs-up for OW.

w1z4rd · Aug 11, 2013

This is actually common. Most free mail services will also recycle your address.

HavocXphere · Aug 11, 2013

Bought my own domain - but hosting it yourself isn't cheap either as far as I can tell. Google biz account is like 500 a year. And if you don't got for something like that then push notifications are going to be a mission I suspect.

medicnick83 · Aug 11, 2013

Never used my @mweb.co.za address. They can give it out, I couldn't care less. Just so long I don't have to be apart of them, that's good enough for me.

w1z4rd · Aug 11, 2013

I dont understand why an ISP needs to not recycle your email address?

It is YOUR responsibility to update all your contacts and logins with your new email address. I think its unreasonable to expect a host to permanently retain a username for you. If you dont want anyone else to use that email address then own it.

Its like me registering a domain, allowing it to lapse then getting upset cause they allowed someone else to register it.

koeksGHT · Aug 11, 2013

ghoti said:
I dont understand why an ISP needs to not recycle your email address?

It is YOUR responsibility to update all your contacts and logins with your new email address. I think its unreasonable to expect a host to permanently retain a username for you. If you dont want anyone else to use that email address then own it.

Its like me registering a domain, allowing it to lapse then getting upset cause they allowed someone else to register it.

Same principal as a PO box. You "rent" it

Zewp · Aug 11, 2013

Why do they need to recycle the email address? Do they have so many clients that they run out of possible email combinations to give to new clients? I find that very hard to believe. I don't expect them to retain my email address for me, but simply not assigning an address that has been used in the past does not seem to be in the realm of the impossible to me.

This is not remotely the same as recycling a domain. Your email address can be connected to subscriptions or services containing critical personal information. As MrBeep said, I think reassigning an email address is unethical, because all it takes is forgetting a single service and your security can be compromised.

And don't feed me BS about it being my responsibility to check that all my services are no longer connected to a certain email account. You go find all the websites/services/subscriptions register to your Gmail or Yahoo account and see whether you miss any.

Really, the entire thing is such a major security concern that I cannot see any reason to recycle email addresses. I can understand if Gmail recycles email addresses, but Gmail probably has new users registering in the hundreds of thousands each day. Mweb is not Gmail.

HavocXphere · Aug 11, 2013

ghoti said:
It is YOUR responsibility to update all your contacts and logins with your new email address.

Thats a big ask. e.g. Obscure people go to their outlook type in havoc & the address pops up (from past emails). There goes the email...to what is now someone else's mailbox.

Hell I couldn't locate *all* the people who have my email addr to save my life. And the thought of explaining to a bunch of relative how to purge the old email addr from outlook does not appeal either.

Mweb - MASSIVE security concern; recycled email addresses

Banned

Honorary Master

Court Jester

Banned

MWEB Representative

Executive Member

Well-Known Member

Banned

Court Jester

Executive Member

Banned

Well-Known Member

Banned

Karmic Sangoma

Honorary Master

Paramedic

Karmic Sangoma

Dealer

Banned

Honorary Master