Hi!
I have had technical issues with several WD web resources, including the WD Community. I have changed my email address some time ago. I forgot about this (I actually lost my password database and was only able to recover an older version of it which included the old credentials for WD Community). That’s why I could not log onto WD Community. However, when I try to do a password reset using the link from the WD Community login page, WD sends out a reset email to my old address, i.e. the address I typed in.
I realize that WD has migrated to a anew forum platform for WD Community. But why is my old email address still registered? Shouldn’t the old email address be dissociated and purged from the system? That’s what I would have done if it were up to me.
Here are some screenshots showcasing a password reset using the old email address:
This is a security concern! Anyone who has access to my old email inbox can also change my password. Despite not having access to my current email inbox! Because you see, both the old and the new email are tied to the same account at WD Community. Once they have changed the password, they can go ahead and log in, using my new email address.
Yes, they would need to know both my email addresses. But that’s also the only thing they would need. Plus access to the old email inbox. One common reason why people change their registered email address is exactly because their old email account has been compromised.