search

justdeleteme / justdelete.me

A directory of direct links to delete your account from web services.
http://backgroundchecks.org/justdeleteme
MIT License
1.39k stars 435 forks source link

Koingo Software #795

Open SavannahJohnston opened 5 years ago

SavannahJohnston commented 5 years ago

(This was meant to be a short post suggesting adding Koingo Software to the website. But then I decided to be useful and test drive the deletion process, and it turns out that it's not quite as it seems, so I've added details.)

Deletion page is here. It can only be accessed from the FAQ page as far as I can tell; I couldn't find any link to it on the My Account page. It says that deleting your account deletes your license keys and purchase history, which can't be undone. You also have to make sure to cancel any recurring subscriptions before deleting your account, else a new account might be created for you when those subscriptions renew (it doesn't explain how that would work, though).

Details:

On the deletion page, you enter the e-mail address associated with your account, and they send a link which you click on to delete your account. If you no longer have access to the e-mail address associated with your account, you're meant to contact the support team. I can't comment on what that process is like.

Sounds cut and dried, right?

BUT…

I tried deleting my account on Dec 20th. I got the deletion e-mail right away, and the link opened a page which said my account had been deleted. However, when I opened the Koingo Software page in a new tab, I was still logged into my account; albeit the name had been deleted, and the e-mail address changed to "anonymous2018Dec20.0@koingosw.com". Even my order history was still there.

To my surprise, I was able to change my e-mail address and name as usual. I changed it to a different name and e-mail address than I'd previously used. I received the usual confirmation e-mail, and the changes worked. So, far from being "deleted", my account was still accessible and even modifiable as usual.

So I "deleted" my account again, and discovered that even if you log out after deleting the account, you can still log back in by using the anonymized e-mail and whatever password you were using when you deleted the account. So they really aren't deleting anything at all.

However, I did notice that if I tried to log in using e-mail addresses for other dates (e.g. "anonymous2018Dec19.0@koingosw.com"), it said there was no account using that e-mail address. Whereas when I use "anonymous2018Dec20.0@koingosw.com" with the wrong password, it just says the password doesn't match. This could mean that there's something I'm missing about the pattern of the e-mail addresses (for instance, I don't know the significance of the decimal and zero after "Dec20"); or that nobody's deleted accounts on the dates I've tried; or that the accounts do get deleted eventually and there's just a delay (though who knows how long a delay; I'm still able to log back into mine over 48 hours later). But any of these scenarios suggests that one could theoretically log into other people's deleted accounts; the only question is whether they could do so at any time, or only for a limited time frame before the account is truly deleted.

Not sure what to do at this point. I suppose I should contact Koingo to see what the deal is, but part of me wants to see if my account will be "deleted for real" if I wait long enough (like a week or something). I also assume I'm not the first person to discover this, so maybe I should see what other people on the internet are saying about it.

tupaschoal commented 4 years ago

Hello @SavannahJohnston ,

This repo is not being maintained anymore, but we've kept it alive and updated on a detached fork. If still applicable, would you kindly submit your issue there and close this one here? :)