How could the same user sign up for 4 accounts with the same username/ip?

[SJ77]

[Wolfie]

Assuming you are on 4.7.11 (or at least 4.7.x), that would be a display name and not a user name.  I'm a bit "out of shape" in regards to my familiarity with the community suite (been inactive), but I'm not seeing any settings for restricting how many accounts can be made from a single IP address.  Either it doesn't exist, or I'm overlooking it.  If I'm overlooking it, please direct me to where it is.

As for the display name, I ask this question (and they are likely doing this same thing)...

Of these four "Hello's," which one is spelled used two lowercase L's and no uppercase i's?

Hello HeIIo HeIlo HelIo

😉

[SeNioR-]

Hi, @SJ77. It happened to me too 🙄 This is the case when someone has slow internet, or the website is slow, registration sometimes takes a few seconds. When you click the 'Register' button several times, several of the same accounts are created.

 

Edited June 19, 2023 by SeNioR-

[SeNioR-]

3 hours ago, Wolfie said:

that would be a display name and not a user name.

False. You cannot register an account with the same display name. Each display name must be unique 👍 The username is created based on display name and cannot be changed.

Edited June 19, 2023 by SeNioR-

[Wolfie]

7 minutes ago, SeNioR- said:

False. You cannot register an account with the same display name. Each display name must be unique 👍 The username is created based on display name and cannot be changed.

Usernames are no longer a thing though, at least not in 4.7.  Your options for logging in include email address (recommended), display name, or both, at least for the built-in login method.  So when I said it is a display name and not a username, I wasn't wrong.  The four names shown are all display names, but I bet they're using a combination of lowercase L's and uppercase i's.  Notice there are only four registrations with what appear to be the same name.  That's two available letters being used twice each, so 2^2 = 4.  If they were being used 3 times each, it would be 2^3 (8) possible usernames using a combination of i's and L's.  (Imagine "softie ellla" as being the display name.)

Doing this is actually an old trick that has been used many times, and is actually a trick scammers will use in an attempt to trick people into believing that they are a well known legitimate entity.  I'm sure you can imagine some people would be disappointed to learn that it wasn't "LIONEL RICHIE" that sent them an email saying that they won tickets to see a concert of his, but rather "LIONEI RICHIE" (notice the uppercase "i" instead of an uppercase "L" in his name).

I'm pretty sure that even if someone managed to submit their registration multiple times really fast that only one would succeed.  Once one succeeds in adding the account to the database, the next attempt would find it already exists.  I'm not saying it's impossible, but it is very unlikely.  It's more likely the person did something deliberate by mixing i's and L's to make accounts with similar appearing display names.

 

 

[Marc Stridgen]

Guys guys, we are arguing about wording here. Display name and user name are essentially the same thing in version 4. We call it display name, however it could be referred to as "user name", "login name", or "This is a duck" if you really wanted.

 

13 hours ago, SJ77 said:

Do you have any external methods of registration? It shouldnt actually be possible to register more than once with the same username display name, no

[Wolfie]

29 minutes ago, Marc Stridgen said:

"This is a duck" if you really wanted.

I prefer rotisserie chickens.

 

30 minutes ago, Marc Stridgen said:

It shouldnt actually be possible to register more than once with the same username display name, no

I imagine that if the server is running slow for whatever reason that it could be possible for it to happen, but it'd still be unlikely.  It's why I think the person in question is just being a troll with how they are crafting their display name.  The real question is, are they using the same email address?

[SJ77]

Appears to all have the same email address also. So weird.

We do have Twitter sign ups turned on, but as noted in another thread, Twitter API is not working right now for us.

Doesn't appear to be a Twitter sign up.

Very confusing.

[bearback]

I have had this happen, same user name and email address. Doesn’t happen that often and have never been able to pin point why it happens. My server runs fast but may be slow connection on members side.

[Marc Stridgen]

15 hours ago, SJ77 said:

Appears to all have the same email address also. So weird.

We do have Twitter sign ups turned on, but as noted in another thread, Twitter API is not working right now for us.

Doesn't appear to be a Twitter sign up.

Very confusing.

Could you please contact the member and ask if there were any issues on signup?

[Wolfie]

On 6/20/2023 at 4:11 AM, Marc Stridgen said:

Could you please contact the member and ask if there were any issues on signup?

I'm so glad I didn't wager money on it being deliberate with using different i/L switching. 🤣

[SJ77]

On 6/20/2023 at 1:11 AM, Marc Stridgen said:

Could you please contact the member and ask if there were any issues on signup?

unfortunately they didn't respond and instead deleted their account 😞

[G17 Media]

Also seen this - it's rare enough we never reported, but certainly seems to happen.

[Miss_B]

On 6/19/2023 at 6:31 PM, SJ77 said:

Appears to all have the same email address also. So weird.

 

It's indeed weird. Email addresses should e unique. Meaning an user can't use the same email address for multiple accounts.

For future reference, if you want to limit the number of registrations from the same ip, have a look at my plugin.

 

[Wolfie]

10 hours ago, SJ77 said:

unfortunately they didn't respond and instead deleted their account 😞

Was their email address anything like their username, where there appeared to be more than one lowercase "L" in it?  Don't tell us what the email address is (or was) of course, but I'm curious if it was purely an accident or if it may have been deliberate.

[SJ77]

On 6/24/2023 at 2:38 AM, Wolfie said:

Was their email address anything like their username, where there appeared to be more than one lowercase "L" in it?  Don't tell us what the email address is (or was) of course, but I'm curious if it was purely an accident or if it may have been deliberate.

I checked the database, and as aforementioned, the account they were actually using they have since deleted; but the other 3 remaining accounts are still there.

I can see all 3 are using the same email address and registered at the exact same second. Seems more like a mistake than a deliberate attempt.

Edited June 25, 2023 by SJ77

[Wolfie]

5 hours ago, SJ77 said:

I can see all 3 are using the same email address and registered at the exact same second. Seems more like a mistake than a deliberate attempt.

Could still be deliberate but is very very unlikely.  However, with it being all the same second, it might give the devs something to work with to try to find a way to minimize it being able to happen again.  I'm just lost on how that would get accomplished, though it could involve an extra table that would be used for registrations that would get locked for the brief moment that the account creation is actually happening to the database.  Other instances of the registration would wait for the lock to be released and then take their turn (when they each own the lock on the table) and would then see that the display name/email address already exist.  But whether or not that is something that would actually work is beyond me.

But yeah, definitely looks like there was some sort of a connection issue with the site where they submitted a few times and they all hit at the exact same moment.

[Marc Stridgen]

Are these still present so we can take a look?

[wegorz23]

it can be some lags on db and connection between site and db. Had it sometimes.

 

[Randy Calvert]

One thing to consider/investigate… any chance are you using sql replication or sharding, or anything were multiple database instances are involved?

[SeNioR-]

As I wrote in the beginning, it happened to me too. I was registering the account as usual (not via the popup), and probably had to click the "Register" button twice. I was surprised too, but it's actually possible. This can be marked as a bug.

Edited June 26, 2023 by SeNioR-

[Marc Stridgen]

As Im unable to replicate this, I would need an example I can take a look at

[SJ77]

On 6/25/2023 at 11:17 PM, Marc Stridgen said:

Are these still present so we can take a look?

The user has deleted the main account but the 3 clones (out of 4 accounts) remain in my database

[SJ77]

On 6/26/2023 at 1:18 AM, Randy Calvert said:

One thing to consider/investigate… any chance are you using sql replication or sharding, or anything were multiple database instances are involved?

I do make regular database backups. Do you think this could be related? It's possible this happened during a backup.

Here are the options I use in my command

mysqldump -f -umyuser -pmypass --single-transaction --quick mydatabase | gzip > /home/myadmin/web/mysite.org/mysqlbackup.sql.gz

[Wolfie]

1 hour ago, SJ77 said:

I do make regular database backups. Do you think this could be related? It's possible this happened during a backup.

Unlikely, unless the server you're on is really slow.

 

1 hour ago, SJ77 said:

mysqldump -f -umyuser -pmypass --single-transaction --quick mydatabase

If you're on a shared server, then including your password in the command line can be a huge security risk.  Just an FYI.