EA forces password reset but tokens don't expire after use.

4 points by wwarneck 14 years ago | 1 comment

In response to the LulzSec password leak, EA forces a password reset for everyone. However, the token doesn't expire after it is used.

A screenshot of the email with the token removed of course. http://min.us/mvfYihP

Sweet.

edit: updated title to reflect that they may expire after a certain time, but not after use. This also raises the question, what happens if they expire but you don't use the link before the token time expires?

ctide 14 years ago |

Yeah, I ran into the same thing. There was no way to force it to no longer be valid, even creating a new forgot PW request left the old link active.