
Instead of deleting account, NYT appends ‘1000’ to username and email address - DyslexicAtheist
https://twitter.com/bicycult/status/1254789591283851264
======
mistyq
How was it possible to discover it, though?

~~~
samthecoy
From the twitter comments:
[https://twitter.com/bicycult/status/1255122953798328320](https://twitter.com/bicycult/status/1255122953798328320)

They were still logged in and refreshed the page; they found out by going to
their user settings.

~~~
KeepFlying
I noticed a similar thing being done for Bird scooters a while back. I forget
the suffix but they did the same and I noticed because I was still authed on
my phone after requesting deletion. My token has expired since then though so
for all I know they have fully deleted the account since.

~~~
ashtonkem
Having known people who worked at Bird, I doubt it. They had a real culture of
“hack it up and then move on”; going back and fixing stuff like that isn’t in
their culture.

------
DevX101
Doing real deletes on user accounts is a surprisingly challenging problem and
I'd be willing to bet very few companies do real deletes where all of your
data is wiped permanently from the company. For legal and financial reasons,
companies often need to keep track of historical user activity. If a company
states in their investor quarterly report that they had 1M active users, they
better be able to prove it in an audit.

And in a naive relational database implementation, deleting a user would
cascade and delete activity associated with that user.

The easiest way around this is to do soft deletes where the data stays in the
db, but the flag deactivates the user's account. Looks like the NYT just did a
poor implementation of a soft-delete.

~~~
perl4ever
I used to work where (not a service for the general public) there was an "is
deleted" flag for everything, but every now and then a client would insist
that data be _really_ deleted, and depending on who it was and how they asked,
we might go and do it, which was a huge hassle and would cause no end of
problems down the line.

On the other hand, "is deleted" flags end up causing issues when you forget to
put "where not is_deleted" in your queries.

Lately I've faced kind of an inverse situation - I have a system that I can't
control where things are permanently deleted once in a while for multiple
reasons (rogue users, aging out of old versions) and so as I accumulate
information in a little data warehouse for reporting, I decided to implement
an "is deleted" flag there. Eventually though, deleting from the source was
turned off because it's really not necessary.

~~~
dorgo
>On the other hand, "is deleted" flags end up causing issues when you forget
to put "where not is_deleted" in your queries.

My solution would be a view for every table. Are there drawbacks? Other
solutions?

~~~
perl4ever
Eh, the situation that I've been in, if I recall correctly, is that one has
read/write access to all data for reporting, but not the ability to create
views (or stored procedures etc) to share.

Where I am now, (as far as Oracle goes) you can't even create your own tables
under your own schema. A view requires a meeting with a DBA and their manager
and really special, compelling arguments.

~~~
lilyball
Can you just have a general policy where every table that has an is_deleted
flag also automatically gets a view, and clients must use the view unless they
have a particular need to access deleted data?
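The is_deleted-plus-view pattern discussed above (DevX101's soft delete, dorgo's view-per-table, lilyball's "clients must use the view"), as an added example that is not code from the thread. It uses Python's sqlite3 module and assumes a constructed users/activity schema; on erasure it overwrites the username and e-mail with a random token rather than a guessable suffix, while the audit rows stay put.

```python
import secrets
import sqlite3
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL UNIQUE,
    is_deleted INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE activity (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    action TEXT NOT NULL
);
-- Application code reads this view, so a forgotten "WHERE NOT is_deleted" cannot resurface an erased account.
CREATE VIEW active_users AS
    SELECT id, username, email FROM users WHERE is_deleted = 0;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Constructed sample data: one user with three audit-relevant activity rows.
    conn.execute("INSERT INTO users (username, email) VALUES ('foo', 'foo@example.com')")
    conn.executemany("INSERT INTO activity (user_id, action) VALUES (1, ?)",
                     [("login",), ("read_article",), ("login",)])
    conn.commit()
    return conn

def erase_user(conn, user_id):
    """Soft-delete: keep the row and its activity for audit, but overwrite the PII
    with an unguessable token instead of a predictable suffix such as '1000'."""
    token = secrets.token_hex(16)
    with conn:  # single transaction: flag and both fields change together or not at all
        cur = conn.execute(
            "UPDATE users SET username = ?, email = ?, is_deleted = 1 "
            "WHERE id = ? AND is_deleted = 0",
            (f"erased_{token}", f"erased_{token}@erased.invalid", user_id))
    return cur.rowcount == 1

def find_active_by_email(conn, email):
    """Password-reset style lookup through the view; erased accounts are invisible."""
    return conn.execute("SELECT id FROM active_users WHERE email = ?", (email,)).fetchone()

def activity_count(conn, user_id):
    """Historical activity survives erasure, which is what the audit needs."""
    return conn.execute("SELECT COUNT(*) FROM activity WHERE user_id = ?", (user_id,)).fetchone()[0]
```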

------
sp332
Hah, Uber did this to me once. Someone signed up with my email and somehow the
verification failed. So they started sending me details about someone else's
trips! When I complained, instead of deactivating the account or trying to
contact the user to find out their actual email, they changed the address on
the account to the same thing but with "void" prepended. I have a gmail
account and was pretty sure that email didn't exist... Sure enough, I tried
registering the new email address with Google and got nothing but Uber spam.
Oh well at least they're not sending me trip details anymore.

------
petercooper
Note that "anonymization" has been legally found (DSB-D123.270/0009) to be
acceptable to meet GDPR "erasure" requirements. However, this requires
irrevocable overwriting of PII rather than just slapping 1000 on the end ;-)
If they'd changed the username and email address to some random string,
however, they would most likely be compliant.

~~~
isoskeles
Wouldn't they also need to replace saved billing details, like address and
full name, to anonymized garbage?

~~~
mschuster91
In Germany not; these are required by law (§147 AO,
[https://www.gesetze-im-internet.de/ao_1977/__147.html](https://www.gesetze-im-internet.de/ao_1977/__147.html))
to be kept for ten years.

The legal base for allowing this national rule in European law is Art. 6, 1c
GDPR.

~~~
MaxBarraclough
I think something similar happens in the UK. It's generally believed here that
laws telling you to retain data take precedence over the GDPR telling you to
delete it. (I am very much not a lawyer, as you can doubtless tell.)

~~~
matthewheath
Yes. For example, HMRC requires that you keep various business records for 6
years (or longer, circumstance-specific) after the end of the company's
financial year.

Generally, the rule is "Delete the data _unless_ there's a law that requires
you not to" — and the UK's implementation of the GDPR (the Data Protection Act
2018) makes various explicit exemptions for this.

------
OutsmartDan
NYT is notoriously the worst at customer service and account handling. I tried
to get a previous invoice from them previously and after 1 week of calling
customer support and being passed around, I still wasn't able to get it.

~~~
heyoni
I had this chat with their customer service department asking to "cancel" my
account so that I don't incur any charges and they insisted that it wasn't
possible without losing immediate access and getting a pro-rated refund. I
thought that was stupid, but ok...

1 month later, still no refund. Account is still scheduled to be auto-renewed,
talk to CS and they're basically ignoring me at this point (I'm using text
messaging support on a secondary number), so I issue a chargeback with my
credit card...

1 month later, I get a refund, no email, no text message explaining the delay
and now I have to deal with that or else they'll probably put my account in
collections. /facepalm

~~~
jrockway
My credit card number changed and they sent my account to collections with no
notice. The lesson I learned was never to subscribe to something on the
company's own website; go through Apple.

------
inopinatus
I’d bet (a small amount of) money they have no ability to delete accounts at
all, and it goes all the way down to foreign key constraints introduced by a
well-meaning but inexperienced developer that unnecessarily couple the
accounts table to many other records.

~~~
emodendroket
In that case it seems simpler to introduce an IsDeleted flag than to have a
convention that 1000 goes on the end of the name.

~~~
neovive
This reminds me of a good use case for the Laravel Soft Deletes:
[https://laravel.com/docs/7.x/eloquent#soft-deleting](https://laravel.com/docs/7.x/eloquent#soft-deleting).

~~~
marcofatica
love this feature so much

------
ShakataGaNai
A _lot_ of companies do this. My buddy found out that he had two EA accounts,
so he asked nicely for them to merge them into one and they "did". Well what
they actually did was grant the games to the new account and "delete" the old
account.

Of course "delete" meant rename it from username@custom.tld to
usernameDELETED@custom.tld. He owns the entire domain (and has catchall) so he
got the notification of the changed email to the new email address.

Now he has two EA accounts with all the games on both!

~~~
type0
> Now he has two EA accounts with all the games on both!

oh what a great service

------
gentleman11
It’s odious that it’s impossible to delete accounts except in rare
circumstances. Ever try? All anybody does is temporarily disable them unless
you go through an hour with their tech support. Dark pattern at best, holding
on to your data forever to continue selling it at worst.

~~~
throwaway55554
Nowadays it is a dark pattern. But in the days before "sell everything you
can about your users" became the rule, businesses optimized for the accidental
deletion by users. They could easily reinstate you and your data would still
be there. It used to be considered good customer service. Times change.

------
tobr
No information on how they found out? Did the service rep tell them?

~~~
avian
One possible way I can think of is they're hosting their own mail server and
route messages for all unknown addresses to some mailbox (not that uncommon as
far as I know - people do that to avoid bouncing mails with a typo in the
address).

With such a setup it would be possible to notice that NYT mail started coming
to foo1000@... instead of foo@... after requesting account deletion. The
username change could also be evident directly from the mail, or it was a
trivial guess.

~~~
heyoni
He’s saying they append 1000 to the user and domain.

/edit I was wrong. It’s the user and email. Your theory would work

~~~
gruez
>/edit I was wrong. It’s the user and email. Your theory would work

Why? My interpretation of "append 1000 to email" is that 1000 gets added to
the very end, not the local part.

------
ericol
They are not alone in this practice. I still receive emails from sitepoint to
my email (as recently as March 10th), and the user name finishes in _DELETED
(not kidding).

------
ornornor
Netflix does that too. You can’t delete your account so they just append a
string like “csr_morgan” in the domain so that your account is “deleted” (you
can’t login anymore, because your email address technically doesn’t have an
account anymore) and you can re-register with your email later if you wish.

But if you use the altered email and the same password, everything is still
there.

Pretty sure this goes against GDPR but I was totally unsuccessful at getting
my account deleted.

~~~
thewebcount
What happens when you re-register with the same email address and then later
cancel again?

~~~
DonHopkins
WP:BEANS

[https://en.wikipedia.org/w/index.php?title=Wikipedia:BEANS](https://en.wikipedia.org/w/index.php?title=Wikipedia:BEANS)

Uh-huh

[https://en.wikipedia.org/w/index.php?title=Wikipedia:BEANS/U...](https://en.wikipedia.org/w/index.php?title=Wikipedia:BEANS/Uh-huh)

------
a_t48
What happens if I create an account at both foo@gmail.com and
foo1000@gmail.com (or even foo+@gmail.com and foo+1000@gmail.com), and then
delete the first one?

~~~
dylz
1001

/s

------
basicplus2
"instead of actually deleting it, they simply appended '1000' to both the
username and the email address. anyone could thus create an email address with
that suffix and request a password request to access my info."

~~~
polote
not an issue as long as there is no tld which ends with 1000 though

~~~
diggan
Most likely the 1000 is appended to the local-part of the email address, not
the domain, as any tool they are using for changing details most likely
validates emails somehow.

~~~
yaur
The email address doesn’t really need to be valid though. I have an old client
that appended ‘|disabled’ after the email address (and torched the password)
when “deleting” accounts because they needed them in the DB for audit logging.

Unless someone figures out how to register a domain ending in ‘.com|disabled’
I’m not sure how someone would be able to access those accounts.

~~~
thanksforfish
Every week we see multiple articles about security researchers who abuse some
part of the tech stack to do something weird that shows the danger in this
sort of thinking.

I believe it's easy to spoof emails from the .com|disabled domain. Receiving
messages, I agree, seems harder. Maybe spoof an unencrypted DNS response at
the right moment? No need to actually register a domain when DNS is
spoofable.[1]

If you really need to use a hack like that to disable an email, consider
adding some code to your email sending logic that skips such email addresses
(and always use that logic). Otherwise clever hackers have a foothold to try
their tricks against.

[1]
[https://en.m.wikipedia.org/wiki/DNS_spoofing](https://en.m.wikipedia.org/wiki/DNS_spoofing)

~~~
waltpad
My guess would be that they don't want to have that email accidentally used,
but they would have a check in the codepath anyway, because no-one wants to
see their logs spammed with myriad DNS errors when this can be avoided. And in
fact, if a DNS error shows up in the logs, devs would know that somehow their
code path is not completely safe, so that change on the email is perhaps a way
for them to ensure that the disabled account is indeed seen as disabled by
their code in every situation.

A lot of people are complaining about the NYT approach, but perhaps their only
fault - if one considers that not deleting an account for good is not an
issue, and it seems to be a common practice in the industry - is to not use a
transaction when disabling user accounts (disable email -> disable account),
which is perhaps difficult with NoSQL setups?
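The two points raised above, thanksforfish's "skip such addresses in the sending logic" and waltpad's "disable email -> disable account in one transaction", as an added example that is not code from the thread. It uses Python's sqlite3 module with a constructed users/sessions schema and the "|disabled" sentinel from yaur's comment; it also revokes sessions, since several posters noticed they stayed logged in after "deletion".

```python
import sqlite3
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    is_active INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE sessions (
    token TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id)
);
"""
# Sentinel suffix from the thread. Code must trust the is_active flag, never the suffix alone.
DISABLED_SUFFIX = "|disabled"
def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data: one active user with one live session.
    conn.execute("INSERT INTO users (email) VALUES ('foo@example.com')")
    conn.execute("INSERT INTO sessions VALUES ('tok-abc', 1)")
    conn.commit()
    return conn

def deactivate(conn, user_id, fail_after_email=False):
    """Disable the e-mail, flag the account and revoke sessions in ONE transaction.
    fail_after_email simulates a crash between the steps to show the rollback."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("UPDATE users SET email = email || ? WHERE id = ? AND is_active = 1",
                         (DISABLED_SUFFIX, user_id))
            if fail_after_email:
                raise RuntimeError("simulated failure mid-deactivation")
            conn.execute("UPDATE users SET is_active = 0 WHERE id = ?", (user_id,))
            conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    except RuntimeError:
        return False  # nothing was persisted: no half-disabled row to confuse other code
    return True

def may_send(conn, email):
    """Outbound mail guard: refuse sentinel-suffixed addresses and inactive accounts."""
    if email.endswith(DISABLED_SUFFIX):
        return False
    row = conn.execute("SELECT is_active FROM users WHERE email = ?", (email,)).fetchone()
    return bool(row and row[0] == 1)

def session_valid(conn, token):
    # Joins on is_active, so a revoked or inactive user is logged out everywhere.
    return conn.execute(
        "SELECT 1 FROM sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.token = ? AND u.is_active = 1", (token,)).fetchone() is not None
```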

------
Fjolsvith
Not surprising from the Times. They don't like to publish retractions.

~~~
welcome_dragon
Bazinga

------
hinkley
Is it also possible that since they have a subscription model, they have to
build their system around people leaving and coming back?

I mean imagine if HBO had deleted accounts during GoT and Westworld instead of
suspending them. How many people had a 9 month subscription per year for years
at a time?

------
jbverschoor
Many companies do this

~~~
yepthatsreality
Yes, especially in New York. I once asked the Curb cab app to delete my
account. They replied with an email that they did and I checked the app. My
session was still valid and I could see my account details. All they did was
change my email address domain to @aol.com and 555’d my phone number.

------
5cott0
Gives a different meaning to _The Privacy Project_.

------
suizi
How ironic considering they were pointing their fingers at "Big Tech" for not
being "GDPR compliant".

------
bahna
Xbox Live used to have a similar thing, may have changed since GDPR. When I
asked for my account to be deleted they sent me instructions that said
basically unfriend everyone I know and change my name to deleted - this was
after several days of them looking into it for me :/

------
throwaway882321
Why 1000? Probably arbitrary but I can't help but wonder why 1000 instead of
the faster 1111 or 1234, perhaps someone using NumPad?

~~~
srg0
Because the change was done manually.

Their system probably doesn't implement a function to delete accounts, or it
is not easily discoverable in the UI, or it is known to be bugged. So the
employee who did that thought that renaming an account was a good idea to make
it appear "missing". A big numeric suffix is an obvious idea to avoid
collisions with the existing and future accounts.

But when people are asked to choose a large number, numbers around 1000 and
its multiples are chosen particularly often. So 999, 1000 and 1001 are very
likely numbers to be picked "randomly". I can't find the reference for that,
but I suppose we all have enough anecdotal evidence. Just recall the common
port numbers of various programs. X*1000 + Y is a very common formula,
where |Y| < 100.

~~~
isoprophlex
[https://en.m.wikipedia.org/wiki/Benford%27s_law](https://en.m.wikipedia.org/wiki/Benford%27s_law)

Maybe this is what you're looking for?

~~~
recursive
That's about numbers from "real-life" distributions, so that's a different
thing.

