I have just found what I believe to be a serious risk for account hijacking at Dynalist:
If I want to change my login email address, there is no way to do that online within my secure browser session while I am logged in. The process is that I have to send an unprotected email to support (any hacker can easily spoof the sender address) in which I simply give them the login email of the account and the new email address.
So any hacker who wants to hijack my account, with all my personal or business data, simply needs to spoof an email sender address. Then the login gets changed to their new address and finally they click on “Request password reset”. I lose access to my account and they have all of my personal data which I have stored in Dynalist.
I sent a message to the support and their reply was: “We have not experienced anyone taking our trust to their advantage yet.”
I am very concerned about this.
(I am not storing any business data in Dynalist. Running a business in the EU, this would not comply with the GDPR regulation at all.)
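As an added illustration of the point made in this post (example code written here, not Dynalist's own implementation, which is not public): an email change that is bound to the logged-in session, that requires the new address to prove it received a one-time token, and that notifies the old address. A request that only carries a login email and no session, which is all a spoofed support email would carry, is refused. The service, the 15-minute token lifetime and the sample addresses are assumptions of this example.

```python
"""Illustrative email-change flow.

Constructed example for this thread, not Dynalist code. Design points:
  * the account to change is taken from the authenticated session, never
    from an email address supplied in the request;
  * the new address must present a random, single-use, expiring token that
    was only ever sent to that address;
  * the old address is told when a change is requested and when it happens,
    so the legitimate owner can react.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a confirmation token stays valid (assumption)


class EmailChangeService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # account_id -> current login email
        self.sessions = {}   # session cookie -> account_id
        self.pending = {}    # sha256(token) -> (account_id, new_email, expires)
        self.outbox = []     # messages the service "sent", as dicts

    def create_account(self, account_id, email):
        self.accounts[account_id] = email

    def login(self, account_id):
        # Stands in for the real password login; returns the session cookie.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = account_id
        return cookie

    def request_change(self, session_cookie, new_email):
        """Start an email change for the account owning this session."""
        account_id = self.sessions.get(session_cookie)
        if account_id is None:
            # No session means no change, whatever login email the caller
            # claims to be writing about.
            raise PermissionError("email change requires an authenticated session")
        token = secrets.token_urlsafe(32)
        # Store only a hash so a database leak does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (account_id, new_email, self.clock() + TOKEN_TTL)
        # The token goes only to the new address; the old one just gets a heads-up.
        self.outbox.append({"to": new_email, "kind": "confirm-new-address", "token": token})
        self.outbox.append({"to": self.accounts[account_id], "kind": "change-requested"})

    def confirm_change(self, token):
        """Apply a change when the new address presents its token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first try
        if entry is None:
            raise ValueError("unknown or already used token")
        account_id, new_email, expires = entry
        if self.clock() > expires:
            raise ValueError("token expired")
        old_email = self.accounts[account_id]
        self.accounts[account_id] = new_email
        self.outbox.append({"to": old_email, "kind": "address-changed", "new": new_email})
        return account_id, old_email, new_email


if __name__ == "__main__":
    svc = EmailChangeService()
    svc.create_account("u1", "alice@example.com")     # constructed sample account
    cookie = svc.login("u1")
    svc.request_change(cookie, "alice@new.example")
    mail = next(m for m in svc.outbox if m["kind"] == "confirm-new-address")
    print(svc.confirm_change(mail["token"]))
```

The attack described above fails at two places in this design: a support mailbox never performs the change at all, and an attacker who somehow reaches the endpoint still has no session for the victim and never receives the token, because it is delivered only to the address being added. Password resets then go to an address the owner still controls.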