Announcement

Collapse
No announcement yet.

Insteon deleted my hub account! All settings lost!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Insteon deleted my hub account! All settings lost!

    I have been an Insteon user since 2015. I have a setup controlling lights and fan throughout my house. In 2019, my hub failed due to a known problem. Insteon had a hub migration program to address this, which I used. They made it simple to migrate by sending me a new hub with the same Insteon ID as my old hub. I plugged in the new hub and everything worked again and I was a happy Insteon customer once again. Until today.

    This afternoon I noticed that Alexa wasn't able to control my lights, which happens sometimes, but I can always control them from the Insteon app. I attempted to login to the Insteon app and it said password incorrect. I tried to reset password and it said there is no account with that email address. WTF?

    So I called Insteon and they told me that someone else registered a hub with my same Insteon ID and asked to have the account wiped clean so they can install it new. They gave me the name of the new owner of "my hub" which is someone I never heard of. They said, "well they showed us a photo of the back of the hub" so we assumed that you had sold it. Insteon never contacted me to verify, they just deleted my account and set up a new account for this "new owner." They could have also easily looked up the activity on that account and see that I was still using it as of this morning when I turned my lights on.

    Thinking back to 2019, I'm pretty sure that I put my old hub in the electronics recycling bin at work. My company had partnered with a third-party who was supposed to recover useable metals and remove any toxic parts... I don't know exactly but it was supposed to be "better" than putting those electronics into the trash. Now I figure that someone from the electronics recycling organization took my old hub and sold it, and eventually the new buyer tried to configure the hub today. I wonder if it even works because I replaced that hub because it failed...

    In any case, the Insteon support agent I spoke to today defended their policy ("but he showed us a photo of the hub with that Insteon ID") and said there's nothing he can do to recover my account. I asked to speak to a supervisor, and am still waiting for a supervisor to call me. It took me hours upon hours to configure my Insteon setup. I can't believe they expect me to do it all over again.

    #2
    Unfortunately (or fortunately depending on perspective), csc reps do not have access to customers personal information in order to make calls to verify anything. It is reasonably assumed that someone having direct access to a hub is the owner of the hub.

    Its amazing that one still has to remind others that in today's world any identifying information should be removed from devices before trashing or recycling.
    ​​​​​​
    This isn't on insteon. Just a painful lesson on how to handle recycling
    ​​​​​​

    Comment


      #3
      Originally posted by lilyoyo1 View Post
      ​​​​​​
      This isn't on insteon.
      ​​​​​​
      That's not how security works.

      Secure disposal is indeed the device owner's responsibility. That said, Insteon has an obligation to properly authenticate their users and ensure their devices and processes are secure. This is an obviously vulnerability that has led to a denial of service.

      Comment


        #4
        I finally got in touch with the supervisor late yesterday. He told me he had to check with the new owner of the (old) hub before doing anything because it might mess up his setup! He also wanted to find out where he bought it, etc. I was livid because I purchased directly from Insteon, spending many hundreds of dollars several times over the past six years. Moreover they replaced the failed hub in 2019 so they knew there were two hubs with that Insteon ID out there in the world, and I was using my (new) hub even as of the morning this happened, and they didn't give me that courtesy of contacting me first before wiping out my account. Now he wants to contact the guy who never purchased directly from Insteon, who has presented and old, presumably non-working hub (maybe someone fixed it???) bought off the grey market, to check before potentially messing up his setup.

        In retrospect, I can see now that the hub I put in the electronics recycling had the same Insteon ID as my replacement hub. It didn't have identifying information to tie it to me, and the hub didn't actually work (which is why it was being replaced) so it didn't occur to me to obscure the serial numbers etc. on the bottom of the hub.

        The supervisor said that I received an email with instructions to remove the sticker before throwing away the hub. I have gone through all my emails and re-read all the instructions I received about the hub migration and I don't see any instructions about what to do with the old hub.

        At this point, I just want them to restore my account so my system will work again. Surely they keep backups?!? In the meantime, we are literally fumbling around in the dark because our fanlinc was in the off position when we lost hub control.

        Comment


          #5
          Originally posted by ucdscott View Post

          That's not how security works.

          Secure disposal is indeed the device owner's responsibility. That said, Insteon has an obligation to properly authenticate their users and ensure their devices and processes are secure. This is an obviously vulnerability that has led to a denial of service.

          It's so easy to blame others for our failures. ​​​​​If you drop your old laptop off at Bestbuy without wiping it; is it on them if someone gets your banking information from your browser?

          Confirming that a person has a hub "in hand" isn't confirmation enough? It's not like someone simply calls in and says remove my hub here's my name.

          There's a reason why it's stated all over to factory reset and wipe out any identifying information when it comes to electronics.

          Comment


            #6
            Originally posted by kheilmann View Post
            I finally got in touch with the supervisor late yesterday. He told me he had to check with the new owner of the (old) hub before doing anything because it might mess up his setup! He also wanted to find out where he bought it, etc. I was livid because I purchased directly from Insteon, spending many hundreds of dollars several times over the past six years. Moreover they replaced the failed hub in 2019 so they knew there were two hubs with that Insteon ID out there in the world, and I was using my (new) hub even as of the morning this happened, and they didn't give me that courtesy of contacting me first before wiping out my account. Now he wants to contact the guy who never purchased directly from Insteon, who has presented and old, presumably non-working hub (maybe someone fixed it???) bought off the grey market, to check before potentially messing up his setup.

            In retrospect, I can see now that the hub I put in the electronics recycling had the same Insteon ID as my replacement hub. It didn't have identifying information to tie it to me, and the hub didn't actually work (which is why it was being replaced) so it didn't occur to me to obscure the serial numbers etc. on the bottom of the hub.

            The supervisor said that I received an email with instructions to remove the sticker before throwing away the hub. I have gone through all my emails and re-read all the instructions I received about the hub migration and I don't see any instructions about what to do with the old hub.

            At this point, I just want them to restore my account so my system will work again. Surely they keep backups?!? In the meantime, we are literally fumbling around in the dark because our fanlinc was in the off position when we lost hub control.
            You don't have your fan linked to another insteon device such as a keypadlinc? If so, it should still work via the kpl.

            Comment


              #7
              You don't have your fan linked to another insteon device such as a keypadlinc? If so, it should still work via the kpl.
              Unfortunately not. Another lesson learned. I know this one is definitely on me.

              Comment


                #8
                Talked to Insteon supervisor again today. They are going to send me a new hub which I will have to configure from scratch. Apparently they deleted my account so thoroughly that it cannot be recovered. Time to locate the tall ladder so I can reach the ceiling fan...

                Comment


                  #9
                  While it might now be ideal in regards to work involved, I'm glad to hear that they were willing to work with you to make you whole again.

                  One thing I would recommend is, writing down the device ID s of your embedded devices. This way, should you need to add it again, you can do it with the device ID vs manually. Make sure you factory reset your devices before adding them to the new hub

                  Comment


                    #10
                    Originally posted by lilyoyo1 View Post

                    It's so easy to blame others for our failures.
                    My post clearly states that both the device owner and manufacturer have responsibilities. No blame is implied one way or the other.

                    Originally posted by lilyoyo1 View Post
                    Confirming that a person has a hub "in hand" isn't confirmation enough?
                    You (and Insteon) are equating knowledge of the information on the hub's label with physical possession of the hub. If you acknowledge that there are likely dozens of ways to get the info on the hub's label without physical possession, then it's obvious a more secure authentication mechanism is necessary.

                    Comment


                      #11
                      Originally posted by ucdscott View Post

                      My post clearly states that both the device owner and manufacturer have responsibilities. No blame is implied one way or the other.



                      You (and Insteon) are equating knowledge of the information on the hub's label with physical possession of the hub. If you acknowledge that there are likely dozens of ways to get the info on the hub's label without physical possession, then it's obvious a more secure authentication mechanism is necessary.
                      Insteon requires a picture of the physical hub with it's address not simply a person saying the address (which the op clearly stated). Unless you're opening your home to just anyone, most likely a person that is able to get possession of the hub is someone who has been given access to it.. I can't speak on anyone's personal relationships, but I don't know of anyone that's welcome in my home who would have bad intentions in regards to messing with my system by going so far as to contact insteon, learn they need a photo and take the hub to send it in so the account can be deleted.

                      No, I don't acknowledge there are dozens of ways to getc the hubs address. Since YOU claim there are dozens of ways to get the hub address without a label, please name 3 ways???? I'll wait. Shoot, I'll take 2 and none can involve looking at the actual hub label. All ways to get the address requires access to your home and devices.

                      This is an unfortunate event for the op. A learning experience for everyone. When it comes to identifying information, erase it. No different than a person turning in a phone or computer without wiping it.
                      Last edited by lilyoyo1; 02-08-2021, 02:38 AM.

                      Comment


                        #12
                        Originally posted by lilyoyo1 View Post
                        While it might now be ideal in regards to work crediblebh involved, I'm glad to hear that they were willing to work with you to make you whole again.

                        One thing I would recommend is, writing down the device ID s of your embedded devices. This way, should you need to add it again, you can do it with the device ID vs manually. Make sure you factory reset your devices before adding them to the new hub
                        When deleting your Insteon account, you may encounter an alert if any Insteon devices are linked to your Hub and have not been deleted. When adding an Insteon device to your Hub, links between the Hub and the You will lose any additional configuration that was set including All rights reserved.
                        Last edited by Grant021; 02-17-2021, 03:24 AM.

                        Comment


                          #13
                          Originally posted by lilyoyo1 View Post
                          Since YOU claim there are dozens of ways to get the hub address without a label, please name 3 ways???? I'll wait. Shoot, I'll take 2 and none can involve looking at the actual hub label. All ways to get the address requires access to your home and devices.
                          Care to wager?

                          Comment


                            #14
                            Originally posted by ucdscott View Post

                            Care to wager?
                            I'm down. Name 3 ways (even though you said dozens) to get your hub Id number without having physical access to the hub at all. This includes looking at your app and asking someone to looking at the address for you (anything along those lines)

                            Comment


                              #15
                              Originally posted by ucdscott View Post

                              Care to wager?
                              No response. Guess you couldn't figure it out.

                              Comment

                              Working...
                              X