Account login security
In this article
Logging in to Gumroad is fairly straightforward, unless you are:
- A bot 🤖
- Logging in to someone else's account without their authorization
You can login to Gumroad here with an Email ID, Twitter, or Facebook account. In case you've forgotten your password, you can click on the "Forgot your password?" button on the page and we will email you instructions to reset it.
If you meet either of the above two criteria, we have measures in place to stop you.
We use Google reCAPTCHA to protect Gumroad from spam and abuse. A “CAPTCHA” is a turing test to tell human and bots apart. It is easy for humans to solve, but hard for bots and other malicious software to figure out.
In other words, it's that annoying grid of images where you are asked to identify fire hydrants, trucks, boats, traffic lights, or, you get the point...
Unfortunately, CAPTCHAs can sometimes get too clever for its own good and prevent humans from getting through too. Usually such problems are browser-specific and the following actions might help in resolving them:
- Cookies Settings — In Chrome, go to your settings, under 'Security and Privacy' click on 'Cookies and other site data,' then 'Enable cookies'. If you're on Safari, click your browser 'Preferences', then go to 'Privacy' to untick 'Block all cookies'. For any other browse, a quick Google search will tell you how to allow cookies.
- Clear browser cache — Here's how to do this in Chrome, Firefox, Safari, Edge, iOS and Android.
- Update your browser — Make sure your browser is up-to-date and running the most recent software. You can check if your browser is up-to-date here.
- Different browser — If nothing helps, just try logging in from a different browser (or device!)
Two-Factor Authentication (2FA)
2FA is switched on by default for all users. When you login to Gumroad, we will send an authentication token to your registered email. You will have to either enter that code or click the Login button in the email to log in to your account. This will help prevent hackers logging in with compromised credentials.
Once you've logged in after verifying through 2FA, we will not ask for 2FA again from that browser/IP for the next two months.
Currently, 2FA is available only in the web app and not in the mobile apps.
Not receiving your token?
There are a few reasons why you might not be getting your 2FA token in your email:
- You changed your Gumroad email ID to something else but did not confirm it. If you don't get a 2FA token in your usual email, we recommend looking for it in all your alternate mailboxes as well!
- If you don't see a token in any of your active email accounts, there might be a glitch with our email server while sending you the token. Please write to us using the 'Contact Us' form linked towards the end of this article and we can take a closer look.
2FA is considered as a hassle by some, but we highly recommend that you do not disable it.
We remember your 2FA auth status for 2 months, and will continue to remember as long as you use the app at least once in 2 months. Also, you have to do 2FA only once per IP, and we won't ask for the token from another device on the same IP as long as the previous 2FA is valid. As you can see, the number of times you have to input the 2FA code will be very less.
There's been an uptick in fraudsters logging in to creators' accounts with compromised passwords and changing their payout info. Once a payout is triggered to an unauthorized account, we cannot do much to reverse it, unfortunately. To prevent this, we decided to switch on 2FA for all users by default. We believe the minor inconvenience of 2FA is well worth the added security it provides.