Mojira Archive
WEB-2335

Name Blocking and how it's used to steal usernames

Hello,

Name blocking is the method used to prevent players from taking usernames. This is due to the fact that a large company (Chearful.Ninja) has competition and could occasionally be outsniped on valuable usernames. It also helps combat the fact that changing a username on a migrated account is slower than creating a brand new account with the alias.

I recently noticed that you added a captcha to the "giftcode redeem endpoint" over at account.mojang.com (POST https://account.mojang.com/redeem/createProfile), and I assume this was because of the large load of traffic you received to it occasionally. As I think you already know, this traffic is the result of people trying to "snipe" (this is a term used by people in the community and solely means to be the fastest to get a name once it becomes available), and I'm afraid this kind of traffic is not limited to just that endpoint. The dominating "sniping service" right now is chearful.ninja, the service that is by far the biggest contributor to this traffic and load on your machines. Instead of sending giftcode redeem requests, they spam requests to the "reserve endpoint" (PUT https://api.mojang.com/user/profile/agent/minecraft/name/<nameToReserve>) from thousands of empty Minecraft accounts (on their own private email servers, @qwertyismy.pw & @privatemailserver.club). Do bear in mind that 'domain locking' these accounts would negatively affect 100s of genuine people who paid for a username service that did not directly violate the EULA, including myself.

They automatically created these using third-party software. In order to relieve the stress caused on your network and machines by this, I would suggest you add a required valid Google reCAPTCHA response in the payload of the reserve endpoint (just as you did with the giftcode redeem endpoint), as this would make it immensely harder for them to send requests at a similar load to what they do now. I hope this information can be of use.

There also exists a method, more prominently in the past but still existing today (though as far as I'm aware, the only person who knows the current method doesn't use it; I'll send it to you when I can get it), to gain SFA access to an account from its NFA form (Non-full Access to Semi-full Access).

This has been done on accounts like 'arson' to gain the ability to change a username and then deactivate the account so that the previous owner cannot change it back. The only way to reactivate is to contact Mojang support, which currently takes longer than the duration a username is blocked for by Mojang.

The username stealers then use the website Chearful.Ninja to pay them to transfer these usernames to fresh accounts, so that they can sell them for a lot of money.

So in short, I also suggest adding a way to reactivate an account without contacting support. This allows people with stolen usernames to reclaim them before the username is taken by another account.


This post may be a tad messy because I'm in somewhat of a rush today, but I hope it's useful all the same.

P.S. I'm currently moving my girlfriend's username 'Jadey' to a new account using this service, as she does not have the original information attached. It's a lot to ask, but if you introduce the suggested features here you would open the possibility of somebody other than myself taking the username, and she'd be crushed.

If there's any way you can ensure that account ends up in my hands, it'd be really appreciated.

Thanks again.

Fixed

Joshua

2020-05-12, 02:04 PM

2025-01-21, 04:09 PM

2025-01-21, 04:09 PM

0

1
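The burst pattern the report describes (many freshly created accounts, mostly from one or two mail domains, hitting the reserve endpoint for the same name within seconds) can be surfaced server-side without domain-locking anyone: flag the target name for a captcha challenge when the densest window of attempts holds too many distinct accounts. This is an added example, not part of the ticket or any Mojang code; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines for PUT .../name/<nameToReserve>.
# Assumed format (not Mojang's real log format): ISO time, account email, target name.
SAMPLE_LOG = """\
2020-05-11T23:59:58Z bot001@qwertyismy.pw arson
2020-05-11T23:59:58Z bot002@qwertyismy.pw arson
2020-05-11T23:59:59Z bot003@privatemailserver.club arson
2020-05-11T23:59:59Z bot004@qwertyismy.pw arson
2020-05-12T00:00:00Z bot005@qwertyismy.pw arson
2020-05-12T00:00:00Z bot006@privatemailserver.club arson
2020-05-12T00:00:00Z alice@example.com arson
2020-05-12T00:00:01Z bob@example.com jadey
2020-05-12T00:00:30Z carol@example.com steve
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (time, account, name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def burst_reservations(text, window=timedelta(seconds=5), min_accounts=5):
    """For each target name, find the window holding the most distinct accounts.
    Names whose densest window reaches min_accounts are returned together with
    the mail domain supplying the largest share of those accounts."""
    by_name = defaultdict(list)
    for ts, account, name in parse_log(text):
        by_name[name].append((ts, account))
    flagged = {}
    for name, events in by_name.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            inside = {acct for ts, acct in events[i:] if ts < start + window}
            if len(inside) > len(best):
                best = inside
        if len(best) >= min_accounts:
            domain, hits = Counter(a.rpartition("@")[2] for a in best).most_common(1)[0]
            flagged[name] = {"accounts": len(best), "top_domain": domain,
                             "top_domain_share": round(hits / len(best), 2)}
    return flagged

def captcha_required(text):
    """Names that should require a valid captcha response on the next reserve attempt."""
    return sorted(burst_reservations(text))
```

The decision is per target name, so genuine customers on the same mail domains keep working; only the contested name gets the extra challenge the reporter proposes.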