Have you ever lost your password or forgotten your login details for a service? Usually it’s just a matter of contacting customer service or using a password reset tool to regain access or change a password. Even with two-factor authentication it’s a fairly simple process, and you can get back into your account while keeping others out. Not so with Sling TV. Apparently, if someone gets ahold of your Sling TV account details, changing your password will do nothing. So long as a device remains logged into your Sling TV account, it will have access to your account. In other words, when you change your password, Sling TV does not automatically sign every device out of your account and require them to log in again. This is what happened to user Chris Soyars; check out his story below.
UPDATE: 1/25/16 – Chris received a new email from Sling TV and it looks like the company CAN manually intervene and has done so in this instance. Here’s Chris’s full update.
Update: Apparently they can manually intervene.
Thank you for contacting SlingTv support. Our records show your subscription will change to our basic package Best of Live TV for $19.99, please advise if that is the correct package you want. There has been a fraud claim processed for your account; you will receive an email within 72 hours. In the meantime I have signed all devices out of your account. You will get an error message; please check your email for the password reset link. Once you log in and change your password only the device you log in will be able to have access to your account.
Sling TV is supposed to be $19.99/mo. A while back, I was billed something like $75/mo. Looking at my account, there were a BUNCH of extras added (that I did not add). Sling TV support was great and removed the extras, and issued a credit to my account.
Now the extras have reappeared (and then some) and I was just charged $136. Turns out, there is some unauthorized device logged into my account. Sling TV’s solution? Cancel the entire account and create a new one, as changing your password doesn’t invalidate any existing sessions. Holy s**t, talk about a massive security fail.
I’ll be canceling my account, and not creating a new one.
I can also tell you that Sling TV apps will remain logged in on devices until the user logs out. Even if you change the password, the account will remain signed in. If someone has gotten ahold of your account information and they are charging it, I would recommend canceling the current Sling TV account and setting up a new one, with a different email address. I want our billing department to have the record of your account and the charges on there. They will also need to have your card on the account in order to return the funds that were charged. After the issue has been resolved I would also recommend removing billing information and informing us so that we can deactivate the account.
So Sling TV believes that setting up a new account if your old one is compromised is quality security. Somehow I think most people would disagree with that. It’s admirable that Sling TV would refund Chris the charges that were not his, but not having basic security measures for your users is somewhat irresponsible and dangerous.
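The gap described in this story, as an added example that is not from the original post and is not Sling TV's code: a constructed in-memory session store showing sessions that outlive a password change beside one common fix, where each session is stamped with a credential epoch that is bumped when the password changes. `AccountStore`, `demo`, the device names and the sample account are all hypothetical.

```python
import hashlib, hmac, os, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:  # hypothetical in-memory store, not Sling TV's code
    def __init__(self, revoke_on_password_change):
        self.revoke = revoke_on_password_change
        self.accounts = {}  # email -> {"salt", "hash", "epoch"}
        self.sessions = {}  # token -> {"email", "epoch", "device"}

    def set_password(self, email, password):
        salt = os.urandom(16)
        acct = self.accounts.setdefault(email, {"epoch": 0})
        acct.update(salt=salt, hash=_kdf(password, salt))
        return acct

    def login(self, email, password, device):
        acct = self.accounts.get(email)
        if not acct or not hmac.compare_digest(acct["hash"], _kdf(password, acct["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # Stamp the session with the credential epoch it was issued under.
        self.sessions[token] = {"email": email, "epoch": acct["epoch"], "device": device}
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None or not self.revoke:
            return s is not None  # weak mode: honoured until that device logs out
        return s["epoch"] == self.accounts[s["email"]]["epoch"]

    def change_password(self, token, new_password):
        if not self.is_valid(token):
            return False
        s = self.sessions[token]
        acct = self.set_password(s["email"], new_password)
        if self.revoke:
            acct["epoch"] += 1          # every older session now fails is_valid()
            s["epoch"] = acct["epoch"]  # only the device making the change stays in
        return True

def demo(revoke):
    store = AccountStore(revoke)
    store.set_password("user@example.test", "old-pass")  # constructed sample account
    owner = store.login("user@example.test", "old-pass", "owner-tv")
    other = store.login("user@example.test", "old-pass", "unknown-device")
    store.change_password(owner, "new-pass")
    return store.is_valid(owner), store.is_valid(other)
```

`demo(False)` reproduces the reported behaviour, with both devices still signed in after the change, while `demo(True)` leaves only the device that changed the password.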