(Architect of Fastmail's login/account recovery protocols here.)
Firstly, I will say this incident was unacceptable, and we were deeply sorry about it. However, it is also the only time it has happened in our over 20 year history (to the best of our knowledge of course). We already had several projects underway to improve the security of account recovery at the time, which unfortunately hadn't quite landed yet. Since then we have introduced an automated recovery tool with a very carefully designed flow (more info: https://www.fastmail.com/blog/security-account-recovery/) that securely handles most common cases (e.g., forgotten password, or user's account stolen due to password reuse/phishing). Human support is still available, but any account recovery request can only be handled by senior support agents who have undergone rigorous training, and in the case of any doubt are escalated all the way up to our senior security engineers.
Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account. We provide some flexibility here. If a user has 2FA enabled, we must verify two separate means of verification to grant access, whether via our automated tool or support-assisted recovery. Users can also submit a support ticket to request we add a note to their account to never do human-assisted recovery.
I realise it's very hard to assess the security competence of an organisation from the outside, and for what it's worth, we think the Google security team also do an excellent job. But overall I think we do a very good job of keeping users secure while not locking them out of their own account.
> Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account
Thank you, this is the most important observation.
Service providers should be providing flexible mechanisms to meet different needs; they should absolutely not be imposing a one-size-fits-all policy. That's the fundamental wrongness with Google/Facebook and their ilk.
Only I know what security levels I need for any given account I own. I must be able to configure the policy.
Sometimes, I value my access above all else. With some other account I may value preventing access to others even at the risk of losing access myself. Other variants are possible. Only I know what the correct policy is in any given case.