Support mSecure

Website Feature Request: Do not confirm existence of account

I am currently in the process of upgrading from premium to family and, as part of that process, I have to cancel one subscription and then order the new subscription using the same email address.   When I attempt to subscribe to the new plan, I get the message that my account already exists and I should log into my account to manage my subscription.  


Let's look past the fact that, after logging in, I am told that I still have a subscription, which I cancel, which then starts an infinite loop.  Please, please do not confirm the existence of the account!  It's a practical invitation for bad guys to try bad things.  


Instead, I suggest an error message that an unexpected error has occurred.  Click here to contact support.  Current users click here to manage their subscription.  


In addition, notify the user when there is an attempt to create a subscription using their email address. 

Thank you again for the feedback you're providing. I do understand the idea of not wanting someone to know if you have an account or not. It's the reason why in the mSecure app we tell you that the Username and/or Password is incorrect if you try to sign in to an account and you don't have the right credentials. However, on the website, things are a bit different. You cannot view any sensitive information when you sign in to your account on the website, so in the event someone were to try to sign in, even if they did know your email address, they would still have to try to figure out your password. If they were able to figure out your password, they would not have access to any sensitive information.


If they were able to sign in, however, they could download mSecure and sign in to your account in the app. In this case, they would have to have access to your account QR code in order to be authenticated as the owner of the account, so they would not be able to sign in to your account. Also, when you sign in to your account in the app, there is a Sign In notification email that gets sent to you, so you would know someone was trying to access your account in a context where your information would be readable.


I do think it would be good to not tell the user that there is a subscription, so I'm going to add this as a feature request. However, I did want you to know that there is no way to get at your mSecure information with the system set up as it is.


Also, I'm not sure anyone would ever try to purchase a subscription for someone else's mSecure account, so I don't think that notification is necessary. We should not be telling them that you have a subscription as I said above, but as long as we're not divulging that the email address has a subscription, there's nothing to be gained from them trying to purchase one for an email address they don't know exists in the system.

Also, I forgot to address your first issue with trying to upgrade to a Family subscription. We are aware of a couple of issues that cause unnecessary friction for the user in these circumstances, and we're working on fixing them. Real quick, are you saying you were able to purchase a Family subscription or are you still needing help with that?
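The two suggestions in the original request (do not confirm that the account exists, and notify the owner of the address about the attempt) can be combined as in the sketch below. It is an added example, not part of the thread and not mSecure's code. The class, function and message names are hypothetical, the mail queue is a plain list, and a neutral reply is used in place of the error wording proposed in the post.

```python
# Added illustration; all names here are hypothetical, not mSecure's API.
GENERIC_BODY = "Thanks. Check your email for the next step."


class SignupService:
    """Subscription sign-up that never reveals whether an account exists."""

    def __init__(self, existing_emails):
        self.accounts = {e.strip().lower() for e in existing_emails}
        self.outbox = []  # stand-in for a real mail queue: (to, kind, text)

    def request_subscription(self, email):
        email = email.strip().lower()
        if email in self.accounts:
            # The account owner is told out of band; the web caller learns nothing.
            kind, text = "attempt_notice", (
                "Someone tried to start a new subscription with this address. "
                "If it was you, sign in to manage your subscription."
            )
        else:
            kind, text = "confirm_address", (
                "Confirm this address to continue with your purchase."
            )
        # Both branches queue exactly one message, so the work done per
        # request is similar whether or not the account exists.
        self.outbox.append((email, kind, text))
        return {"status": 202, "body": GENERIC_BODY}


def demo():
    svc = SignupService(["alice@example.com"])  # constructed sample data
    known = svc.request_subscription("Alice@Example.com")
    unknown = svc.request_subscription("mallory@example.net")
    return known, unknown, [(to, kind) for to, kind, _ in svc.outbox]


if __name__ == "__main__":
    print(demo())
```

The caller sees the same status and body for both addresses; only the person who controls the mailbox learns which case applied.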

