Effectiveness of security questions given the Skrill transaction ID policy
TL;DR I'm concerned with how much information is returned from api.mojang.com/user and api.mojang.com/user/profiles/agent/minecraft APIs to an unconfirmed login. Notably the exposure of the registerIp, registeredAt, and dateOfBirth fields. This could be unwarranted, but it's enabled me to begin the process of regaining access to a long forgotten personal account.
User story:
Say a malicious user gains access to a Mojang account (obtaining a username/email + password combination). They begin by logging in via the my.minecraft.net/en-us/login/ URL. After passing the login submission, they are prompted to confirm their identity via the security questions associated with the account. What seems strange is that during this time the API calls to api.mojang.com/user occur in the background and expose the registerIp (e.g. the ###.###.###.* range) and the registeredAt (Unix timestamp of when the account was created) variables for the account. Simply knowing when the account was registered gives the malicious user a much easier time knowing if and how to obtain a transaction ID. In my instance, I discovered my account was created during the time Mojang used the payment partner Skrill. To obtain my merchant transaction ID I didn't even require access to the email that issued the transaction, but simply knowledge of it.
Takeaway:
Accounts that purchased the game between 2011 and December 2013 do not gain any added degree of security from their security questions. If an account is compromised, even if the email account on file is not, a malicious user can go about gaining full access to the account.
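As an added example (not code from the original post, nor Mojang's), this is the gating the post describes as absent: a profile handler that withholds the registerIp, registeredAt and dateOfBirth fields until the session has cleared the security questions, plus a regression check for the leak. The Session model, the handler and the sample record are assumptions.

```python
"""Hypothetical profile endpoint that redacts PII until step-up auth completes."""
from dataclasses import dataclass

# Fields the post reports as exposed before security-question confirmation.
SENSITIVE_FIELDS = frozenset({"registerIp", "registeredAt", "dateOfBirth"})

@dataclass
class Session:
    user_id: str
    password_ok: bool = False      # first factor (password) accepted
    questions_ok: bool = False     # security questions answered correctly

    @property
    def fully_verified(self) -> bool:
        return self.password_ok and self.questions_ok

# Constructed sample record standing in for the backend's stored profile.
PROFILE_DB = {
    "u1": {
        "id": "u1",
        "username": "example_user",
        "registerIp": "203.0.113.*",     # constructed (TEST-NET-3 range)
        "registeredAt": 1325376000,      # constructed timestamp
        "dateOfBirth": "1990-01-01",     # constructed
    }
}

def user_profile(session: Session) -> dict:
    """Assumed handler for GET /user: return the stored record, but strip
    SENSITIVE_FIELDS unless both factors have been completed."""
    record = PROFILE_DB[session.user_id]
    if session.fully_verified:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}

def leaks_pii(response: dict) -> frozenset:
    """Regression check: which sensitive fields appear in a response that was
    served to a session which has not yet confirmed the security questions."""
    return SENSITIVE_FIELDS.intersection(response)

if __name__ == "__main__":
    half = Session("u1", password_ok=True)
    print("pre-confirmation leak:", set(leaks_pii(user_profile(half))))
    full = Session("u1", password_ok=True, questions_ok=True)
    print("post-confirmation fields:", sorted(user_profile(full)))
```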