Companies really need some sort of rollback to prior recovery email option. I had this happen with an old Skype account I hadn’t put 2FA on.
I was able to get back into the account, but since the attacker had added their email, any changes had to be confirmed via that new email address! I re-entered a few times but eventually just gave it up to them. Microsoft was no help.
That's exactly what caught me I think! Because the user changed the email, I couldn't change it back for 30 days.
I may have been an edge case: I had no email on the Skype account, only a recovery email. E.g.:
Account email: null
Recovery email: myemail@example.com
The hacker changed it to:
Account email: hacker@example.com
Recovery email: null
My account was old enough they hadn't required an account email on creation.
My ownership of the old recovery email was not persuasive to Microsoft. I was even telling them about it while the hack was happening. They let the hacker take over fully, send spam, and shut down the account for spam.
Basically I couldn't change the account email for 30 days, and the hacker had been able to remove the recovery email.
I don't see how you could do that without opening up another risk. Suppose your recovery email account is compromised. You don't want it as a recovery email anymore because then the attacker can use it as a foothold to get into this account. If you can roll back removal, then you can't protect against that.
The only way I can see around that is if there are conditions on rolling back. But then if you're going to require authorization to roll back, you need to authenticate that request, and the whole reason you're trying to do this is because you are trying to reestablish the ability to authorize.
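The trade-off the two comments above circle around (a rollback must be authorized, but authorization is exactly what the victim has lost) can be made concrete with a small model. The following is an added example, a hypothetical design sketch and not Microsoft's or Skype's actual process: every change to the recovery address mails a signed, time-limited undo token to the previous address; redeeming it restores that address but also freezes the account for further contact-data changes, so possession of the old mailbox buys a revert and nothing more. All names, the 30-day window and the freeze rule are assumptions of the model.

```python
"""Model of a time-limited 'undo' for recovery-email changes (hypothetical).

When the recovery address changes, the PREVIOUS address receives a signed
undo token valid for HOLD_SECONDS. Redeeming it restores that address but
freezes the account until a fresh verification, which is the 'condition on
rolling back' the thread discusses: the old mailbox alone never regains
full control, whether its holder is the owner or someone who compromised it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

HOLD_SECONDS = 30 * 24 * 3600          # assumed 30-day window, mirrors the thread
SERVER_KEY = secrets.token_bytes(32)   # per-process HMAC key (constructed)


@dataclass
class Account:
    account_id: str
    account_email: Optional[str]
    recovery_email: Optional[str]
    frozen: bool = False                         # set after an undo until re-verified
    changes: list = field(default_factory=list)  # server-side log of undoable changes


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def change_recovery_email(acct: Account, new_addr: Optional[str], now: float) -> Optional[str]:
    """Apply the change; return the undo token that would be mailed to the OLD
    address, or None when there was no old address to notify."""
    if acct.frozen:
        raise PermissionError("account frozen: re-verify before changing contact data")
    old = acct.recovery_email
    acct.recovery_email = new_addr
    if old is None:
        return None
    nonce = secrets.token_hex(8)
    expires = now + HOLD_SECONDS
    # The old address is kept server-side, keyed by nonce, so the token never
    # has to carry it (and '|' in an address cannot break parsing).
    acct.changes.append({"old": old, "nonce": nonce, "expires": expires})
    payload = f"{acct.account_id}|{nonce}|{int(expires)}"
    return payload + "|" + _sign(payload)


def undo_recovery_change(acct: Account, token: str, now: float) -> bool:
    """Restore the address recorded for this token if the signature is valid
    and the window is open. Any later changes are discarded too, so an
    attacker cannot invalidate the owner's token by changing the address
    twice. The account is frozen afterwards."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    acct_id, nonce, exp, sig = parts
    if not hmac.compare_digest(_sign(f"{acct_id}|{nonce}|{exp}"), sig):
        return False
    if acct_id != acct.account_id:
        return False
    rec = next((c for c in acct.changes if c["nonce"] == nonce), None)
    if rec is None or now > rec["expires"]:
        return False
    acct.recovery_email = rec["old"]
    acct.changes.clear()
    acct.frozen = True
    return True


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: no account email, only a recovery address.
    t0 = 1_700_000_000.0
    a = Account("acct-1", None, "owner@example.com")
    tok = change_recovery_email(a, None, t0)      # recovery address removed
    print("undo accepted:", undo_recovery_change(a, tok, t0 + 3600))
    print("recovery email:", a.recovery_email, "frozen:", a.frozen)
```

The model also shows the risk raised in the comment above: if the old recovery mailbox is itself compromised, its holder can redeem the token just as the owner can. The freeze is what bounds that foothold, because the reverted address cannot then be used to change anything else until the account passes a verification that does not rely on either mailbox.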