I am unsure whether to post this as it exposes potential harm to millions of accounts...

Nike.com apparently lets you take over an account by calling in and verifying the email address and phone number associated with the account.

My account was just hacked: someone called in and used my information to change the email address to my name @outlook.com (same as my gmail account).

Their only solution was to delete my account. This is terrifying.
Someone did this with my Ebay account. They changed the phone number, email (same email, except it was @outlook.com), and password. Thankfully, Ebay has an account takeover department that helped me fix the issue within an hour.

For fun, I ended up emailing that @outlook.com email asking them why/how they did it and they just replied back "why can't you just let go of it...".
Thanks for sharing your story!

A decent number of disclosure programs explicitly call out social engineering as unacceptable conduct and reject such submissions.

However, social engineering is a very valid method for attackers and in many cases offers the path of least resistance.

While I understand why companies don't want good faith security researchers to call in and try to trick the human factor, this is still a very real attack vector that needs attention and needs to be fixed, as in the case you've described.