If you allow your website users to delete their account and don't really delete their data, maybe don't allow a registration with the same e-mail address to inherit the old user data – *and if you do* maybe don't let them access anything before they confirm their e-mail address.

'Cause I was just shown a website that lets you access all the user data if you know the e-mail address used to register an account that was deleted in the meantime.
And we figured this out in a matter of minutes.


Corollary for users everywhere:

If you want to stop using a service, *always* invalidate every possible detail you can from your account, even if the service lets you delete the account.

Sign in to participate in the conversation

Octodon is a nice general purpose instance. more