Some suggestions I gave to stake after suffering a phishing loss of 1k myself:
- IP connection: if a new session starts from a different IP in a matter of minutes (or even if that IP was never used by that user), force the user to confirm it is really them (some sites do this) via email. For the record, stake does not allow users to change their email by themselves.
- I was KYC verified. Still, to this day stake sends their promotional emails addressing me by my stake username and not by my real name.
- Claiming bonuses through email links. Instead, why not credit them directly to the user's account (using their vault, for example)? If a bonus can only be claimed within a time frame, then they can simply remove it as unclaimed. Or implement a notification system in stake where bonus links would have to be clicked from within the account only. Making users check whether an email is legit or not with a VIP assistant is very impractical.
- Deposits and withdrawals: don't use any address used in the past by default. Force users to input it for each transaction.
- Withdrawals: make them a two-step process: the user requests the withdrawal, but then send an email with a link to confirm the withdrawal. If it is not clicked, nothing happens. This at least seems to be minimised with 2FA.
- Hidden stats: making users unhide their bets to be eligible for bonuses seems to be just another way of tracking them, especially when their email is similar to their stake username.
In my case I did not get anything back (I was not expecting it, honestly, as it was really my mistake).
This happened in 2021 and, apart from 2FA, I don't see that anything has changed.
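The new-IP session confirmation and the two-step withdrawal suggested in the post, worked through as an added example (this is not stake's code and not the poster's; it is an illustration of the two controls). It is an in-memory service that issues a one-time emailed confirmation token for either action and lets unconfirmed requests simply lapse. Assumptions not in the post: a 10-minute window stands in for "a matter of minutes", tokens live 15 minutes, and the IPs and withdrawal address are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters (not from the post): how close two sessions from different
# IPs must be to count as a suspicious switch, and how long a confirmation link lives.
NEW_IP_WINDOW_SECONDS = 10 * 60
CONFIRM_TTL_SECONDS = 15 * 60


@dataclass
class Challenge:
    user: str
    action: str        # "login" or "withdraw"
    payload: dict      # what gets applied once the link is clicked
    token_hash: str    # only the hash is stored; the token itself goes in the email
    expires_at: float


class ConfirmationService:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}        # challenge id -> Challenge
        self.known_ips = {}      # user -> set of IPs confirmed for that user
        self.last_session = {}   # user -> (ip, timestamp of last accepted session)
        self.outbox = []         # stand-in for the mailer: (user, action, id, token)
        self.completed = []      # actions that were actually applied

    def register(self, user, ip):
        # Seed the user's first IP at signup so the first login is not challenged.
        self.known_ips.setdefault(user, set()).add(ip)
        self.last_session[user] = (ip, self.now())

    def _issue(self, user, action, payload):
        cid = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.pending[cid] = Challenge(
            user, action, payload,
            hashlib.sha256(token.encode()).hexdigest(),
            self.now() + CONFIRM_TTL_SECONDS)
        self.outbox.append((user, action, cid, token))   # "send" the email
        return cid

    def start_session(self, user, ip):
        """Return ("ok", None) or ("confirm", challenge_id) if email confirmation is needed."""
        t = self.now()
        known = self.known_ips.setdefault(user, set())
        last = self.last_session.get(user)
        rapid_switch = (last is not None and last[0] != ip
                        and (t - last[1]) < NEW_IP_WINDOW_SECONDS)
        if ip not in known or rapid_switch:
            return "confirm", self._issue(user, "login", {"ip": ip})
        self.last_session[user] = (ip, t)
        return "ok", None

    def request_withdrawal(self, user, address, amount):
        # The address is supplied explicitly on every request; nothing is prefilled.
        return self._issue(user, "withdraw", {"address": address, "amount": amount})

    def confirm(self, cid, token):
        """Apply the pending action only for a valid, unexpired, unused token."""
        ch = self.pending.get(cid)
        if ch is None:
            return False
        if self.now() > ch.expires_at:
            del self.pending[cid]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, ch.token_hash):
            return False
        del self.pending[cid]                      # one-time use: replays fail
        if ch.action == "login":
            self.known_ips[ch.user].add(ch.payload["ip"])
            self.last_session[ch.user] = (ch.payload["ip"], self.now())
        self.completed.append((ch.user, ch.action, ch.payload))
        return True

    def expire_stale(self):
        """Drop unconfirmed challenges past their TTL: if the link is never clicked, nothing happens."""
        t = self.now()
        stale = [cid for cid, ch in self.pending.items() if t > ch.expires_at]
        for cid in stale:
            del self.pending[cid]
        return len(stale)


class FakeClock:
    """Controllable clock so the scenario below runs deterministically."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    svc = ConfirmationService(now=clock)
    svc.register("alice", "203.0.113.10")                   # constructed TEST-NET-3 IP
    first, _ = svc.start_session("alice", "203.0.113.10")   # known IP: accepted
    clock.advance(120)
    second, cid = svc.start_session("alice", "198.51.100.7")  # unseen IP two minutes later
    bad = svc.confirm(cid, "not-the-token")                 # guessed token is rejected
    good = svc.confirm(cid, svc.outbox[-1][3])              # real link from the "email"
    replay = svc.confirm(cid, svc.outbox[-1][3])            # same link again is rejected
    third, _ = svc.start_session("alice", "203.0.113.10")   # known IP, but switched within the window
    wid = svc.request_withdrawal("alice", "bc1q-constructed-sample-address", 100)
    clock.advance(CONFIRM_TTL_SECONDS + 1)
    expired = svc.expire_stale()                            # login #3 and the withdrawal lapse
    late = svc.confirm(wid, svc.outbox[-1][3])              # expired withdrawal link does nothing
    return {"first": first, "second": second, "third": third, "bad": bad, "good": good,
            "replay": replay, "expired": expired, "late": late,
            "withdrawals": [c for c in svc.completed if c[1] == "withdraw"]}


if __name__ == "__main__":
    print(demo())
```

The token is stored hashed and compared in constant time, so a leaked challenge table alone does not let anyone confirm a request; the challenge id in the link is useless without the token from the email, and an expired or already-used link falls through to "nothing happens", which is the property the post asks for.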