This feature is designed to protect customers whose username and password combination has been identified, via Cloudflare WAF features, as compromised on hacker lists. When a login is flagged in this way, a strict verification process confirms the customer's identity and safeguards the account: an email is sent to the customer asking them to click a verification link, which confirms their authenticity (assuming the hacker does not have access to their mailbox). As an additional security measure, a password change is mandatory, restoring the health and integrity of their credentials.
During sign-up this process is deliberately not enforced, because the first interaction with the website is crucial in creating a positive impression and we aim to keep sign-up simple and hassle-free.
Level Of Impact
Medium-High
Affected Interfaces
Admin and Users
Affected Users
All
Solution
We leverage Cloudflare's WAF feature, the exposed credentials check, to protect our customers. This tool detects instances where a customer attempts to log in using a username and password that have previously been compromised. As soon as such an attempt is identified, we intervene to prevent unauthorised access to our customers' accounts and sensitive data.
In the event that such compromised credentials are detected, a modal message pop-up will promptly appear, notifying you of the potential security breach. This pop-up serves as a trigger for a predefined workflow, which includes the immediate dispatch of a verification email. By clicking on the provided link within the email, you will be directed to a secure password reset page. This page facilitates the process of resetting your password, ensuring that your account remains protected against unauthorised access.
A notification will be displayed on the bottom left of the page once the new password has been saved.
Secondary Path:
To cater for users who are unable to access their email, a secondary path for password reset is available. Admin users can initiate a password reset for such a user: a unique verification code is generated, which the admin shares with the user through an alternative communication channel. The user then logs in using the verification code, which grants them temporary access to their account.
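The following is an added example, not code from this product or from Cloudflare, showing how an origin application can act on the exposed-credentials signal and run both workflows described above: the primary path (flag on login, modal, emailed single-use reset link, mandatory password change) and the secondary path (admin-issued, time-limited verification code). It assumes Cloudflare forwards a matched request with the header Exposed-Credential-Check: 1 (the header name used in Cloudflare's documentation for this check; treat the exact name as an assumption and confirm it against your WAF rule's configuration). The in-memory Store, the token and code lifetimes, the reset URL and the simulated mail gateway are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Header Cloudflare adds when the submitted credentials matched a breach list (assumed name).
EXPOSED_HEADER = "exposed-credential-check"
EMAIL_TOKEN_TTL = 30 * 60   # seconds an emailed reset link stays valid (assumed policy)
ADMIN_CODE_TTL = 10 * 60    # seconds an admin-issued code stays valid (assumed policy)
MAX_CODE_ATTEMPTS = 5       # wrong guesses before an admin code is invalidated (assumed policy)
RESET_URL = "https://example.invalid/reset?token="  # placeholder for the real reset page


def _digest(secret: str) -> str:
    # Only digests of tokens/codes are stored, so a leaked store cannot be replayed.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Store:
    users: dict = field(default_factory=dict)         # username -> {"must_reset": bool, ...}
    email_tokens: dict = field(default_factory=dict)  # token digest -> (username, expiry)
    admin_codes: dict = field(default_factory=dict)   # username -> (code digest, expiry, attempts)
    sent_emails: list = field(default_factory=list)   # stands in for the mail gateway


def on_login(store, headers, username, now=None):
    """Call after the password itself has verified. Returns what the UI should render."""
    now = time.time() if now is None else now
    flagged = {k.lower(): v for k, v in headers.items()}.get(EXPOSED_HEADER) == "1"
    user = store.users.setdefault(username, {"must_reset": False})
    if flagged:
        user["must_reset"] = True   # persists until the password is actually changed
    if not user["must_reset"]:
        return {"status": "ok"}
    # Primary path: issue a single-use, time-limited link and trigger the modal.
    token = secrets.token_urlsafe(32)
    store.email_tokens[_digest(token)] = (username, now + EMAIL_TOKEN_TTL)
    store.sent_emails.append((username, RESET_URL + token))
    return {"status": "verify",
            "modal": "Your credentials appear in a known breach; check your email to reset."}


def redeem_email_token(store, token, new_password, now=None):
    """Reset page: consume the emailed token and enforce the password change."""
    now = time.time() if now is None else now
    entry = store.email_tokens.pop(_digest(token), None)   # pop makes the token single use
    if entry is None or entry[1] < now:
        return False
    username, _ = entry
    # Placeholder hashing for the example; a real service uses a slow password hash.
    store.users[username]["password_hash"] = _digest(new_password)
    store.users[username]["must_reset"] = False
    return True


def admin_issue_code(store, username, now=None):
    """Secondary path: an admin generates a code to pass to the user out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 8):08d}"
    store.admin_codes[username] = (_digest(code), now + ADMIN_CODE_TTL, 0)
    return code   # shown to the admin once; only its digest is kept


def redeem_admin_code(store, username, code, now=None):
    """Login with the admin-issued code; True grants temporary access.
    must_reset is left unchanged, so a later login still forces the password change
    (assumed behaviour; the page only states that access is temporary)."""
    now = time.time() if now is None else now
    entry = store.admin_codes.get(username)
    if entry is None:
        return False
    digest, expiry, attempts = entry
    if expiry < now or attempts >= MAX_CODE_ATTEMPTS:
        del store.admin_codes[username]
        return False
    if not hmac.compare_digest(digest, _digest(code)):
        store.admin_codes[username] = (digest, expiry, attempts + 1)
        return False
    del store.admin_codes[username]   # single use
    return True
```

The flag is recorded on the account rather than only on the request, so a user who closes the modal and logs in again from a different network is still held to the reset; the emailed link and the admin code are both single-use and expire, and only digests of them are stored.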
Mobile App:
This feature is also applicable to users logging in via the app.