My Heroku account was flagged automatically and locked due to suspicious activity, which is good security. I raised a ticket with Heroku at the time to unlock the account, they required some information from me, including identity verification, which I provided. Since this they have not responded to my ticket and it appears a bot has automatically closed the issue, with no resolution.
Now it asks me to log a new ticket but I can't actually log in with my account to create a ticket. So I made a new account, logged a ticket with reference to the initial ticket and have had no response. About a week later, it appears my second account must be locked as I am unable to log in with this account. Probably valid since I had to create a temporary email account to sign up so I could raise a ticket.
The Heroku help docs are pretty useless. It's essentially an endless loop of Create Ticket > Help Center > Search > Read Article > Create Ticket...repeat. Even if I get to a sign in page I can't get by it anymore due to yet another account disabled.
That account is linked to my official email address and is why I'd like either the account unlocked or the email address released. It seems as though creating a new account isn't a viable solution either, given that I have tried and that account is now locked too.
I have tried the actions described at What should I do if I can't log into my Heroku account?
There doesn't appear to be any way of getting in touch with a human short of calling an office or a sales rep for enterprise which I feel is the wrong approach. Perhaps this is where my journey ends with Heroku although that seems unfair.
So instead of creating a spamming cycle of new accounts and tickets all referencing each other, how do I go about restoring access to my main account and initial ticket?
Related
my issue is really complicated but i will try my best to explain it,
so i created a google play developer account and paid the 25 dollars but it suddenly asked me to verify my identity by uploading a government issued document of a country i don't belong to.
Turns out a long time ago i created an adsense account and payment profile in which for some reason or by mistake (I don't even remember) I selected the wrong country and that payment profile is now linked with my developer account now.
I tried closing my payment profile but it said you have active subscriptions or services, you need to close them first.
And that active service is my adsense account that i mentioned earlier.
I tried closing my adsense account but it said "Your payments are on hold (Even though i have $0 earnings) clear them first".
And on my adsense account I am also getting the same popup to verify my identity.
I have no idea what to do now i have paid the $25 fee and i can't publish any apps before clearing this issue.
I have created another payment profile with my actual country selected but i don't know how to link this correct payment profile to my developer account and unlink the old one.
there must be a way i could fix this mess...
please help me
I'm currently playing some stuffs with Near (testnet) following an example on github/Learn-NEAR/starter--near-sdk-as.
I accidentally deleted my account - quantransedev. After that I re-created with the same account name with new passphrase of course. I noticed the newly created account had everything the old one had. It seemed like a restore account.
Is this an expected behavior? it doesn't make sense to me at all in terms of security. Please advise.
https://explorer.testnet.near.org/accounts/quantransedev.testnet
https://explorer.testnet.near.org/transactions/3GTFEzvTfDiAxm8fdpZeWP7NjRFTjFJaDYQNX6ANAUns
This is expected behavior - when you delete an account it does not delete all the things this account owns or controls. That needs to be done manually before account is deleted.
Account deletion just deletes the information about this specific account state on-chain.
When you recreate the account - it will actually be back to controlling whatever was linking to it by account id.
Generally, if you delete account - that name and things it owns are up for grubs for anyone else, so account deletion should be done very careful.
Filed two issues to improve experience here:
https://github.com/near/nearcore/issues/5816
https://github.com/near/near-cli/issues/900
The account had been deleted and the remaining funds were burnt since the beneficiary account did not exist (the account got removed before the transfer was initiated). You can also confirm that the account had actually been removed by reviewing the next transactions (deletion of other accounts with beneficiary account id set to quantransedev.testnet) did not succeed to transfer the remaining tokens from the removed accounts (the tokens got burnt).
You had had to re-create the account explicitly from scratch: https://explorer.testnet.near.org/transactions/CroKF7ipwM3fDgH5ogVrnWS6JSmnhvjkaJNDqiWzjsm2 to gain control over the account id. Before that moment, the account did not exist on the chain. Explorer, however, keeps track of all the ever-existing accounts on the network, which might have confused you.
I am developing an ASP.NET Core web application with user management functionalities. My question is about the email address changing algorithm. Almost every web app I saw before have the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think, this algorithm might be a bit insecure and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? How do you think what algorithm I should implement? And what would you prefer if you will be in my shoes?
The second options might sound great, and it's not too much headache to implement too. But I'll stick with the first approach due to some reason:
Common work flow pattern.
As the backend side can be wrote by many language, by various developers, so common pattern would make things more standard when we need some kind of migration, and even maintaining by new developer. If the project doesn't require ultra-secure authentication flow, the simplicity of first approach was enough.
From user convinient pespertive
Let's just imagine when changing an email address, what case the user likely want to change email address ? I was register my facebook account long ago using yahoo mail, that's no-longer active, and i need to switch to a gmail one. What's the point of sending the email back to the old one ? Cumbersome... and i can do nothing in this case except get some help from the staff.
I totally aggree with the second approach on security angle. But that's not suitable for most of the case, only implement if the project have some requirement. And even in that case, I suggest don't even do that too, build some thing like sub-admin account role and grant permission to someone have responsible. Like Google enterprise email organize some account called admin if anything wrong happen to user account. As long as it has this kind of security level requirement, it's not gonna serve massively user.
The intension of all the flow
The User got authorized first, right, that's mean we Identified what the user are, and what she capable to do. Imagine when we hide a hotel room then request to change to another due to some reason. What's the point of proving that's I booked my own room, since we all know that's the fact ? Kinda weird... right ?
To conclusion, I think we shouldn't mess with something that's become common pattern that widely acknowledged, except we have some special requirements and the project have something uniquely to satisfy, and we consider ourself, as developer that's reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
I have ran into a problematic situation, which I really hope I can get help with.
I'm working on Jive Software solutions and we have a product that integrates Google Drive and Gmail.
This integration product was once part of a startup that was acquired by Jive and as such, the Google api project we are using for the integration belongs to a Google Account of a specific person which no longer works in Jive (we do have the credentials for the account though).
The problem is, that we want this account to be ours, i.e, a Jive software one.
So, one option I have, is to create a new account and replace the api account I'm using in the code to use the new one. This is bad, as it will break all the current authenticated clients, and will force them to take the oauth process all over again.
The other option I see, is to convert the existing Google account we are using to a jivesoftware one, so it will not be associated to any specific person but it will still be the same account.
Specifically I'm interesting in changing the Name and Email of this account.
Any suggestions of how we can achieve that?
A third option could be moving the api project to owned by another google account, but I couldn't find such an option in the UI, any clue?
There is no way to change a gmail address. You can forward all email to a new address with the name and email address you would like though.
This way you access all the email from an account that is a Jive software one but it is being forwarded from the old one still. However no one directly accesses the old one.
Check out https://support.google.com/mail/answer/10957?hl=en for more info.
According to the documentation, if you use Gmail with your Google Account, it's not currently possible to change your Gmail username after you've registered. with your username being the full email address you used to create your account. You can, however, change your nick name by going to https://myaccount.google.com and clicking Personal Info.
I've got a bit of an issue. The last owner of a couple of API projects left my company and subsequently his google email account was deleted more than a month ago. This has left us in a precarious state as we are unable to gain administrative access to the API project.
The API projects themselves still seem to be somewhat active as I am able to use some of their functionality, however they are disassociated from any administrative account (as far as I can tell).
I need to either regain control of these API projects or delete them so the old API credentials for them are no longer valid.
This is the reason that for any project within a company should have more than one owner (and any employee's online accounts related to work should be looked at before the person leaves). Normally the project will get deleted after some time if the owner's account is deleted and there are no other owners.
Can you send me the client_id in those projects and the deleted owner's information, so we can have a look at the state?
You can contact me through my G+ profile.