Hello nice people,

I used the NiceHash app for some time, 5-6 years ago. (It was a simple app for mining cryptocurrency and you get paid in bitcoin on their wallet, then you could transfer bitcoin to another wallet.) It was working fine until they got hacked (or fooled us) and lost all crypto. Luckily I didn’t lose much like some guys did. I decided not to use the service anymore and I’m still receiving stupid e-mail newsletters. I tried to unsubscribe and it asks me for a login. I know the password, but don’t have 2FA anymore. Also I don’t have the backup 16 words.

Now support told me that this is the only way and I feel ridiculous about taking a selfie just to unsubscribe. Am I protected against this somehow? I live in Europe and I think NiceHash is located in the neighbourhood.

And of course I never wanted to subscribe… and I don’t think I ever verified the account with a document.

What are my options other than just filtering that shitty domain as spam?

edit: typo

  • jet@hackertalks.com
    1 year ago

    For marketing emails I totally agree.

    For important account security and verification emails, no I don’t think that should be done without being able to log into the account.

    If somebody breaks into your email, they shouldn’t be able to compromise everything silently.

    • kevincox
      1 year ago

      This is a good point. Maybe you could have some sort of exit plan such as 3 emails confirming that you have been unsubscribed at 1d, 30d and 365d. This way if the email takeover is temporary then the user will eventually see a warning but there is still a finite amount of emails still to be received.

      It isn’t perfect, because an attacker could set up filters or something so that these aren’t noticed. But at this point the attacker could set up a filter to hide the regular account emails so it really isn’t any worse.

      • jet@hackertalks.com
        1 year ago

        I think in most cases confirming you own the email should be sufficient to unsubscribe.

        In high-security situations there should be a more extensive method, but it should still be possible. Perhaps the timed unsubscribe, i.e. a month of access. Or mailing a letter to the account holder’s address (i.e. take 4 weeks to give the account holder time to opt out).