TLDR: If I know your email address, I can see all your account names. Snip This is not confirmed -Buldath Snip
Account names in Eve are a weird thing. In order to participate in receiving a character via the Bazaar you have to give someone else 1/2 of the information they need to login to your account. I made a ticket about changing this years ago, but it fell on deaf ears.
It was a welcome feature when CCP introduced associating multiple Eve accounts with a single email. I use it for all my accounts. However, the issue with this feature is that it works even if you never verify the email for the new account.
In testing something with a new alpha account, I signed up using the same email I use for other alpha accounts. I received an email stating:
"We need to verify your email address before activating your EVE account.", which I never did. I then proceeded to log into the new account at https://secure.eveonline.com and out of curiosity clicked on "Other accounts sharing: firstname.lastname@example.org", and to my surprise I saw every account name.
The issue is that anyone who discovers or knows the email address you use for Eve Online can sign up a new account with your email and then see every account name you have attached to that email address. I consider this a security issue.
Account names, as stated above, are shared during Bazaar transactions (which is terrible), but now being able to see every account name that someone has feels very wrong and, in my opinion, opens up more accounts to possible breaches. A lot can be discovered based on some account names, and you’re opening up players to new attack vectors.
I’ve been told in my tickets that "rest assured that this is really not a security concern as usernames and email addresses are public information." I would hope the email addresses I use for Eve are not openly shared.
The simplest fix in my opinion is to disable the "Other accounts sharing" option until AFTER email verification has taken place. If I can prove I have access to this email address, then I can see all the other accounts associated with it.
The one helpful thing is that, as the owner of the email address, you will get a notification that a new account has been created using your email. You will know that someone else is doing this with your email; however, by that point they have already seen all your account names.
Just a few interesting scenarios I thought of that bad actors could take:
- Send an email impersonating CCP to the email in question, building confidence by stating all the account names (that you thought were private) to gain the user's trust.
- Attempting to impersonate the owner with CCP support, saying you lost access to the email account but you know all the account names (I assume CCP has protocols to protect against this).
- Start testing accounts to see which ones have 2FA enabled and which ones don’t, to attempt more breach tactics.
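The verification gate proposed in the post, modelled as an added example (not code from the original post or from CCP): a toy account directory whose `AccountDirectory`, `Account` and `demo` names are assumptions, with the observed lookup beside one that returns nothing until the calling account's email is verified.

```python
# Added example: minimal model of the "Other accounts sharing" lookup.
# All names and the sample accounts below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    email: str
    email_verified: bool = False


class AccountDirectory:
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.notifications: list[tuple[str, str]] = []  # (email, message)

    def sign_up(self, name: str, email: str) -> Account:
        # As observed in the post: the new account is linked to the email at
        # once, and the existing owner of that email only gets a notification.
        if any(a.email == email for a in self.accounts.values()):
            self.notifications.append((email, f"new account {name} created"))
        acct = Account(name, email)
        self.accounts[name] = acct
        return acct

    def verify_email(self, name: str) -> None:
        self.accounts[name].email_verified = True

    def other_accounts_unsafe(self, name: str) -> list[str]:
        # Exposure described in the post: any account sharing the email,
        # verified or not, can list every other account name on it.
        me = self.accounts[name]
        return sorted(a.name for a in self.accounts.values()
                      if a.email == me.email and a.name != name)

    def other_accounts_gated(self, name: str) -> list[str]:
        # Proposed fix: list nothing until this account's email is verified,
        # so the caller must prove inbox access before seeing sibling names.
        if not self.accounts[name].email_verified:
            return []
        return self.other_accounts_unsafe(name)


def demo() -> tuple[list[str], list[str], int]:
    # Constructed scenario: two verified accounts, then an unverified sign-up.
    d = AccountDirectory()
    for owner in ("owner_main", "owner_alt"):
        d.sign_up(owner, "owner@example.org")
        d.verify_email(owner)
    d.sign_up("newcomer", "owner@example.org")
    return (d.other_accounts_unsafe("newcomer"),
            d.other_accounts_gated("newcomer"), len(d.notifications))
```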