EA forces password reset but tokens don't expire after use.

4 points by wwarneck ↗ HN
In response to the LulzSec password leak, EA forces a password reset for everyone. However, the token doesn't expire after it is used.

A screenshot of the email with the token removed of course. http://min.us/mvfYihP

Sweet.

edit: updated title to reflect that they may expire after a certain time, but not after use. This also raises the question, what happens if they expire but you don't use the link before the token time expires?

1 comment

[ 2.7 ms ] story [ 10.2 ms ] thread
Yeah, I ran into the same thing. There was no way to force it to no longer be valid, even creating a new forgot PW request left the old link active.