

Major security threat: LinkedIn, Facebook, GitHub and secondary email addresses - andreineculau
http://blog.andreineculau.com/2015/07/13/major-security-threat-linkedin-facebook-github-etc-and-secondary-email-addresses/#content

======
NeutronBoy
The security vulnerability isn't with the websites (LinkedIn, Facebook, etc) -
it's with you (not keeping your email addresses up to date) and the
organisation that is repurposing your email address.

Having multiple email addresses associated with your account wouldn't
significantly increase the attack surface (apart from increasing attack
surface for phishing and the like).

~~~
jessaustin
I can't recall GitHub doing this, but LinkedIn definitely encourages one to
enter lots of addresses without thinking about the security implications of
losing control of one of them. They do that for cynical reasons: the more
addresses they have, the more cross-referencing they can do.

~~~
andreineculau
Indeed! I haven't seen a warning on GitHub, but there you yourself have more
incentive to link your commits to your account imho.

------
sk5t
An impassioned article, but the ultimate takeaway is that websites that accept
ownership of an email address as some sort of identity proof do not operate
optimally when you lose control of any associated email addresses. So, stick
to one or two email addresses not generally subject to organizational
appropriation, and accept that we don't have the tools for stronger
authentication for this class of website at similar cost.

~~~
andreineculau
Too impassioned for my own taste, but that's how it was in the spur of the
moment. I still cannot understand what went through their mind, making it so
easy. I have never reset a password, only changed it, on one of these services
where I have 2FA enabled, and I expected them to make use of 2FA! Like it is
today, it is harder for me to change my own password (enter email and password,
enter 2FA code, go to settings, enter password --- again only password ---,
change password) than to reset it (enter email, click link in my inbox, change
password).

------
vmarsy
> Chances of getting your account hacked increases not n-fold, but
> _logarithmic_ with each secondary email that you add due to poor security

To the OP: You probably mean _exponentially_ here? O(log n) would be much
better than O(n)

~~~
andreineculau
Thank you for spotting the typo. Fixed now.

