EA forces password reset but tokens don't expire after use.
4 points by wwarneck 5466 days ago
In response to the LulzSec password leak, EA forces a password reset for everyone. However, the token doesn't expire after it is used.

A screenshot of the email, with the token removed of course: http://min.us/mvfYihP

Sweet.

edit: updated title to reflect that they may expire after a certain time, but not after use. This also raises the question, what happens if they expire but you don't use the link before the token time expires?

1 comment

Yeah, I ran into the same thing. There was no way to force it to no longer be valid; even creating a new forgot PW request left the old link active.
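
The token lifecycle both posts were expecting, as an added example that is not part of the thread and not EA's code: a reset token is consumed on first use, a new reset request replaces any outstanding link, and an unused link stops working after a time limit. The `ResetTokenStore` class, the one-hour lifetime, the `alice` account and a reset link that carries both the user id and the token are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the post gives no value

class ResetTokenStore:
    """Hypothetical in-memory store: one live reset token per user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_user = {}  # user id -> (sha256 of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create a token; overwriting the entry kills any older link."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._by_user[user] = (self._digest(token), expires_at)
        return token

    def redeem(self, user, token):
        """True once per token; used, superseded or expired tokens fail."""
        entry = self._by_user.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if not secrets.compare_digest(digest, self._digest(token)):
            return False
        del self._by_user[user]  # consume on match, even if out of date
        return self._clock() < expires_at

def demo():
    now = [1000.0]  # constructed clock, so expiry needs no sleeping
    store = ResetTokenStore(clock=lambda: now[0])
    first = store.issue("alice")
    second = store.issue("alice")  # second request supersedes the first
    results = [store.redeem("alice", first),   # superseded link
               store.redeem("alice", second),  # first use
               store.redeem("alice", second)]  # reuse after success
    late = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    results.append(store.redeem("alice", late))  # expired before use
    return results

if __name__ == "__main__":
    print(demo())
```

Only the SHA-256 digest of each token is stored, so a read of the store does not yield usable reset links.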