This week I received an odd email. It was a message from Dashlane, welcoming me to their password manager service. This was odd, only because I did not open an account with Dashlane.
I contacted them through their support email explaining the situation. I requested that the account be suspended and that they contact me to discuss the implications of this. Christine from Dashlane responded quite promptly, and explained that I could delete “my” account, but she cautioned me that I would not be able to use “my” Dashlane account if I deleted it, and that I would lose all of my data. It was pretty clear that this was a canned response, or else she didn’t read very clearly.
I wrote back explaining yet again that I did not open the account and that I was concerned about how someone could create an account connected to my email address who was not me. I suggested she escalate this to someone who could understand what I was trying to explain to her.
In parallel, I tweeted @DashlaneSupport (and followed them so that they could Direct Message me). That’s when Simon stepped in. I have to say that Simon has been great. He understood my concerns, he addressed them, and he was polite and professional.
We went back and forth quite a bit over a few days and I determined that they have made a design decision with which I don’t really agree. When you create a Dashlane account, you give them your email address, and you create a master password. Once you’ve created this login, you can begin creating passwords and storing them with the Dashlane service.
You’ll notice that there’s a rather important (at least in my opinion) step missing here. Dashlane does not ask for confirmation of your email address during creation of your account. Because this step is missing from their process, someone was able to create an account using my email address.
Let me quote Simon directly:
When creating a Dashlane account, you are asked to choose your email address and a Master Password. When provided, your account is created right away – we only prompt users to enter a “security code” when signing-in to their Dashlane account from a new device in order to verify their identity – unless Two-Factor Authentication was enabled for this particular Dashlane account. You are right in saying that email addresses are not verified upon account creation – but as owner of this email address, you own the Dashlane account as well. You can delete it and re-create it, therefore our users’ security is guaranteed there.
As a company with a patented security architecture, we work hand in hand with our head of security to ensure that our users are protected at all times. I understand your concern however, and the fact that you would feel more comfortable having an email address verification process. This is not on our road-map right now, but it certainly does not mean we will not implement this process one day.
At first I was upset and concerned and after thinking it through (and making sure I wasn’t missing something by talking to Bart), I realized that this doesn’t actually cause me any harm at all. It’s not like they can use these passwords they create with my email address, or somehow log into any of my accounts. After I calmed a bit, I realized there is someone who could potentially be harmed, and that’s the creator of the account.
Let’s put ourselves in the shoes of the person who created this account connected to my email address. We’ll call him Wilbur. Let’s presume for sake of argument that Wilbur made a simple typo. He meant to put in [email protected]. For a few days now Wilbur has been going through all of his passwords and putting them into Dashlane, blissfully unaware that he has made a typo.
Wilbur doesn’t notice that he never received a “welcome to Dashlane” email.
Now along comes Allison, and upon the advice from Dashlane, she deletes Wilbur’s account. Wilbur will be furious, disappointed, aggravated and concerned. He will write to Dashlane (or possibly slam Dashlane on Twitter and other social media platforms), accusing them of losing all of his data.
Dashlane has a free and paid tier. What if he’s a paying customer? He will write to Dashlane, but they won’t know who he is, because he doesn’t have an account with them.
Like I said, this situation creates no real threat to me personally, other than having to go delete this account. But it creates a huge problem for our little friend Wilbur and potentially will create a huge problem for Dashlane as a result.
I want to reiterate that Simon was really great, very responsive, got to the precise parts of what bothered me, and gave me the truth. I’m not sure I agree that email verification should be on a back burner, but I appreciate so much that he stuck with me till I understood exactly what was going on here. I started with huge concerns about Dashlane and ended believing that they have a really responsive support team. And remember, I was not a paying or free customer.
There are a couple of lessons to take away from this:
- Be very careful when you enter your login information on Dashlane to make sure your email address is typed correctly. Maybe log in from another browser first thing so you get the security code sent to you. The security code thing does work – I verified when I deleted my account.
- Don’t fly off the handle right away (like I normally do); give a company a chance to explain and show whether they’re responsible and responsive (or not).
- I think that an email verification process is a pretty darn important step in a service like this.
- If it weren’t for that, I might give Dashlane a chance, based entirely off of the responsiveness of Simon.
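The email verification step discussed above, as an added example that is not part of the original post and is not Dashlane's code: an account stays pending, and cannot hold any data, until the owner of the address presents the token that was emailed to it. The function names, the in-memory store, the 24-hour token lifetime and the example.com addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600   # assumed lifetime of a confirmation link, in seconds
accounts = {}           # email -> {"state", "token_hash", "expires"}; stand-in for a database

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def sign_up(email, now=None):
    """Create a pending account and return the token that would be emailed."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    rec = accounts.get(email)
    if rec is not None and rec["state"] == "active":
        raise ValueError("account already exists")
    token = secrets.token_urlsafe(32)
    # Keep only a hash of the token. A new signup replaces an older pending
    # one, so a mistyped signup never locks the real owner out of the address.
    accounts[email] = {"state": "pending",
                       "token_hash": _digest(token),
                       "expires": now + TOKEN_TTL}
    return token

def confirm(email, token, now=None):
    """Activate the account only if the emailed token comes back in time."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    rec = accounts.get(email)
    if rec is None or rec["state"] != "pending":
        return False
    if now > rec["expires"]:
        del accounts[email]     # unconfirmed signups expire on their own
        return False
    if not hmac.compare_digest(rec["token_hash"], _digest(token)):
        return False
    rec.update(state="active", token_hash=None)
    return True

def can_store_secrets(email):
    """Gate vault writes: nothing is saved until the address is proven."""
    rec = accounts.get(email.strip().lower())
    return rec is not None and rec["state"] == "active"
```

With this gate, someone who mistypes their address finds out at signup, before entering any passwords, and the real owner of the address has nothing to delete.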
8 thoughts on “Be Careful When You Create a Dashlane Account”
Thanks for bringing this problem to light. I have a few email addresses that are very easy to type because they happen to contain many adjacent keyboard keys. This wasn’t really a bad idea 20 years ago when a nice short username was cool! But today, someone who just wants to create a throwaway account for some reason seems to hit my email more often than could be considered funny.
This happens to me all the time. It actually infuriates me because it seems to show a lack of concern for the security of these companies’ customers. No one should ever be able to create an account using an e-mail they can’t verify.
One other problem I’ve encountered is that when I actually wanted to create an account at one of these sites, I couldn’t.
And many sites which have little regard for their users’ security also have the arrogance to think no one would ever want to delete one of their accounts, and provide no way to do it in their interface. So I’m stuck getting periodic emails from a site I don’t want to hear from with no way to delete the account. Sometimes, they’ll let you change the e-mail address, and when that happens, [email protected] gets those. I thought, what if it was a legit account? But my conclusion was it’s not really different since the original person can’t get at it either way, and at least I’m done with it.
Many sites have this problem. I’m getting mail from a shopping site where someone used my email address when purchasing. Obviously, there was no verification.
The emails included their name and address and what they bought. Could be a privacy issue.
Is it possible this is “marketing,” not a typo?
You’ve looked in Dashlane. I’ve looked into Dashlane. Dashlane has been publicized through your blog post in a way that’s not negative to the company since the “typo to create an account” could happen.
It could also be a prank or worse. Back in the day I knew people who would “get even” for social slights by sending in as many magazine subscription cards as they could pull from magazines at the bookstore, presenting the unfortunate recipient with lots of magazines to cancel and lots of bills to dispute.
Curious, I read through Dashlane’s privacy terms and TOS.
Interesting, for such a secure service, apparently offering the ability to directly enter credit card info from the Dashlane account, the TOS specifies that Dashlane works in conjunction with credit card companies and credit card networks to prevent fraud by sharing customer information –
Since you own the email account you could always change the password and just delete the information within the Dashlane account. By keeping the account open the poor bloke who used the wrong address won’t be able to make the same mistake twice. Of course he could make a very similar mistake and use a different incorrect email address. Probably likely.
I couldn’t log in to change the password, because I didn’t create the password. I was able to delete the account following their directions though.
I should have looked at their process before suggesting something that doesn’t work. They do have an account reset procedure though, that will let you reset the account at that email address. That way you can still hold the account from use by others. It probably wouldn’t be much trouble either way, but it would avoid needing to repeat the deletion again should someone build a Dashlane account for your address again. If it was just someone with fat fingers, they’ll likely be irritated enough to get it right next time.
This isn’t an isolated incident for Dashlane. I had the same thing happen in mid-2016 and a quick look of their Facebook at the time revealed a number of complaints from people who were surprised to find themselves receiving email for a service they never signed up for. I complained and received a form email that they’d obviously been sending out that didn’t answer any of my specific inquiries about how my email registered for their site.
And here it is:
“Thank you for your email. My name is Romy and I’d be more than happy to assist.
I know this must be important to you, let me help you with this.
It appears that a Dashlane activation email was sent to you by mistake. This email was not indeed intended for you, and should not have been sent to you. We are sincerely sorry for that.
You may disregard this email that you received from us. Rest assured that we did not sign you up to any Dashlane service, register a Dashlane account on your behalf, or add your email address to any mailing list.
Do not hesitate to get back to me if there is anything else I can do to help.
Dashlane Customer Support”
Interesting, Dave. At the very least, a by-product of not having email verification.