Someone keeps trying to reset my Facebook password (reddit.com)
208 points by babuskov on Sept 7, 2023 | 238 comments


My sister had her Facebook account taken over by a bot of some sort some years ago. It was odd – they changed her profile photo over time, so at first it was just the regular profile photo, then it was the regular profile photo with a little bit of a different profile photo sort of creeping in on top of it, like if they had pasted the new one into a photoshop layer. Over a few weeks the new profile photo crept up until it was the only one, and then it became a sort of "call me for hot fun" spam account.

I assume they were sidestepping some sort of detection algorithm, but it happened during a time when she was losing her mind in real life so it was a strange kind of metaphor.


I used to use an e-mail address at a terrific domain name that I own. Without publicly disclosing specifics, it was like this:

<common_name>@<common_name>.com

Thousands of people with this name, who didn't want to give out their real e-mail address, used this e-mail address when signing up for things online. They probably never thought it would be someone's actual address. I finally had to quit using it because of the tremendous amount of e-mail that wasn't directed at me. Most of it looked legit enough to the spam filters to allow through.

I temporarily turned that account on about 5 years ago and it was getting about 3,000 garbage messages per day.

I thought having a cool e-mail address would be great, but not any more. I switched to an address that, while easy to say and tell people, is very unusual, and it's very unlikely someone else would ever come up with it.


There's an idiot sharing my first & last name who never remembers to put his middle initial in his email address, and as a result I see he's an alcoholic, has financial trouble, keeps applying for artist grants, has a social sciences degree of some sort, is involved in local politics, and so on.

I could also choose to pwn his online betting, games, dating, and porn accounts any moment I want. I may or may not have changed his gender preferences on a dating site...


I've got one who keeps forgetting he's got numbers on the end of his email address. He's a sheriff in a southern state. Also an idiot.

What's doubly annoying is the US gov is pretty lax at things like unsubscribe links, so I keep getting notifications about his Medicare account that I can't unsubscribe from.


> so I keep getting notifications about his Medicare account that I can't unsubscribe from.

That's what forwarding rules are for. Preferably to the email of some judge in his precinct.


They exempted themselves from the spam rules.


My wife has one of those, a rather stupid American who keeps using her gmail for things (and regularly tries to reset her password).


The way your post is structured reads as if you have a stupid American wife (I can hear Vasily Borodin say this).


My friend gets one every month from a really ugly guy. Super illiterate, brings bendy-straws-to-bathrooms type, probably has grandkids.

(That's what we're doing here right? Bashing on the old and the tech-illiterate?)


How? If his email is something like johnWsmith@gmail.com and he's accidentally entering johnsmith@gmail.com (you), how is he ever able to register? If he's sending password reset requests to the wrong address (yours) - wouldn't every site in existence realize that's not the registered account and the email would never end up in your inbox?


He has john.w.smith and is repeatedly typing in john.smith, and also hands it out to humans who then want to contact me about his things.

Apparently for many sites, user retention & money are more important than verifying an email address up front. He visits the scummiest betting and dating sites, so I'm not very surprised.


I'm getting similar behavior from another user with the same pattern.

I also get their college results, government assistance, a payday loan company, pinterest and subscriptions to newsletters sent to me for them.

I've mailed them directly, multiple times, but they don't seem to care. I'm now returning the favor, signing them up for all the crappy sites when I need a throwaway.


Once you leave sites actually created by tech companies, many sites don't actually verify that you own an address; you just input anything you please that looks like a valid email. The extra step, as it were, isn't included in all online tutorials on "how to implement login".

To deepen the problem, gmail actually ignores periods in email, so even if johnsmith@gmail.com already exists it's possible to create accounts for both john.smith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com, because although google will absolutely treat those 3 as the same thing and route all messages to any of the above to our first fellow, randombob.com treats those as 3 unique email addresses.

This was actually exploited by the fellows that robbed Washington state's unemployment system during the pandemic, applying for unemployment for folks that didn't need it, including, humiliatingly enough, actual workers who worked for the Washington State Employment Security Division. To make their robbery more ergonomic, multiple fraudulent accounts were set up with email addresses that differed only by periods. In this instance it only worked, of course, because they were indeed able to verify their email accounts.

In other instances, for example, myFico has weak protections on signing up. You can use ANYONE's email address to sign up, but strong protections on actually accessing information. This means in effect that if someone signs up as you, as actually happened to my wife, you will never be able to get them to stop spamming you with that person's personal information nor make the person stop giving out your email.

I wasted 15 minutes of my life trying to explain that the address given actually was my wife's email address. Bitched to their credit union/other institutions about the person's financial data being leaked, created a complaint with the FCC. YADA YADA, nobody cares about properly implementing email verification or leaking people's financial information.
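The dot-collapsing problem described above is the kind of thing a site can close at signup by keying accounts on a canonical form of the address and holding the account until the address is verified. The following is an added example, not code from any site mentioned in the thread; the provider rules (Gmail ignoring dots and "+tags", googlemail.com as an alias of gmail.com) and the `Registry` class are this example's own assumptions.

```python
"""Canonicalise e-mail addresses before using them as account identifiers.

Gmail delivers john.smith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com to one
mailbox, so a site that compares addresses byte-for-byte can end up with
several accounts that all notify the same person. Keying the account table on
a canonical form, and refusing to activate an account until the address has
been confirmed, closes that gap.

The provider rules below are a working assumption for this example; check
them against your own user base before relying on them.
"""
import secrets
from dataclasses import dataclass, field

# Assumed provider behaviour: dots in the local part are ignored and anything
# after '+' is a sub-address tag routed to the same mailbox.
DOT_INSENSITIVE = {"gmail.com"}
PLUS_TAGGED = {"gmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(addr: str) -> str:
    """Return the mailbox-equivalent form of an address.

    Lower-casing the local part is a deliberate choice: RFC 5321 allows it to be
    case-sensitive, but real mail systems treat it as case-insensitive.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {addr!r}")
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAGGED:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {addr!r}")
    return f"{local}@{domain}"


@dataclass
class Registry:
    """Minimal account store keyed on the canonical address (constructed)."""
    accounts: dict = field(default_factory=dict)   # canonical -> address as typed
    pending: dict = field(default_factory=dict)    # canonical -> verification token
    verified: set = field(default_factory=set)

    def register(self, addr: str) -> tuple[bool, str]:
        key = canonical_email(addr)
        if key in self.accounts:
            # Same mailbox already has an account; do not create a second one.
            return False, f"duplicate of existing account {self.accounts[key]}"
        self.accounts[key] = addr
        # Token would be e-mailed to the address; nothing is usable until confirmed.
        self.pending[key] = secrets.token_urlsafe(16)
        return True, "registered, pending e-mail verification"

    def confirm(self, addr: str, token: str) -> bool:
        key = canonical_email(addr)
        if secrets.compare_digest(self.pending.get(key, ""), token):
            del self.pending[key]
            self.verified.add(key)
            return True
        return False

    def is_active(self, addr: str) -> bool:
        return canonical_email(addr) in self.verified
```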


A surprisingly large number of sites will let you register without requiring an email verification.

I continually get a lot of emails, sometimes with private information, to firstname.lastname@gmail.com where people with my same name just use that without caring that it is not their email address. You probably aren't getting that job offer and you probably aren't getting that bank loan approved without being able to see the emails.

For a while I tried to notify the senders but they rarely reacted or even provided a way to contact them. Now I worry about it becoming a scam vector so I just delete them.


Mine is temporal at gmail. "Temporal" was my teenage gamer tag which I mostly stopped using decades ago, but it's been my gmail address for almost 20 years and changing it is not easy.

The problem is, "temporal" happens to mean "temporary" in Spanish. As soon as Gmail became popular in the Spanish-speaking world, people started using it as a placeholder address.

* Lots of people use it when creating throw-away accounts.

* Sometimes companies use it as a placeholder when they don't know a customer's address. Multiple telecom companies in various countries have done this to me, sometimes populating hundreds of customers' accounts with my email address, such that I receive all of their phone bills, sometimes even with detailed call logs.

* All kinds of students register for university classes using my address resulting in me getting tons of emails from professors. In many cases I could go drop their classes for them if I were evil enough.

* Once a Colombian school gave my address admin access on their school-wide Zoom organization. The really annoying part about this is that Zoom didn't give me any way in the UI to leave the organization, so my account was attached to this school until I complained on Twitter and someone silently fixed it.

* For the last couple months, someone has been scraping Shopify-backed web shops, entering my email address when prompted, putting things in their cart, and then abandoning it, such that I receive an email saying "Hey you left this thing in your cart! Do you still want to buy it?" The emails are always in Spanish, of course. I receive them from like 50 different web sites every day. (Luckily I was able to create a filter for certain Spanish words...)

None of this stuff gets filtered as spam because it does not look like spam to gmail's filters. I have learned it's more productive to block addresses than to mark spam, but this annoyingly takes four clicks per email. I have begged Google to give me a way to filter by language but of course no one is listening.

WIRED even wrote an article about it: https://www.wired.com/story/misplaced-emails-took-over-inbox...

I know, I know, I need to change my email address and probably get off Gmail altogether. It's difficult because I have 20 years of history built around this address.


I'm sure having it spelled out verbatim in an article online helped cut the emails per second down ;)


Nah, I don't think saying my address publicly has any effect. AFAICT none of the problem comes from people who are actually aware that the address has an owner.


I’ve had a gmail account since their first beta. Switching to another provider (Fastmail) took about an hour to run through all my accounts and swap emails out. There were one or two that didn’t allow changing emails (steam is one) but other than that it was much easier than I assumed.

I still check the gmail account every so often and it still receives spam. My Fastmail account is perfect even after a year.


Might wanna try gmailctl for making some filters. You could make it very fast to send certain domains to the trash.


Way back when, I got a Yahoo email like <HN_username>@yahoo.com. My last name isn’t unique, but it’s not exactly Smith. It’s amazing how many other people have mistyped it. To this day, I still get emails meant for other people.

I keep that old account for 2 purposes:

1. It amuses me. I log in and clear it out once a year or so.

2. At various times I’ve had coworkers who didn’t believe it was common for people to enter someone else’s email address when registering for a sensitive system. When that happens, I’ve taken them to my old Yahoo webmail. Oh look, another kstrauser’s loan paperwork!

I can only imagine what that’d be like if it were at Gmail and not Yahoo.


I have a decently common first name and last name and was eventually able to snag the domain of my name (firstnameLastname.ca) and switched over most of my various online accounts to use it.

I'm not a big Twitter user, and when I went to log in Twitter for the first time in probably a year or two, I forgot that it was still using my gmail account. I couldn't remember my password, so I did a password reset, received the email, and reset my password.

After looking around a bit, I realized this was not my account. It turned out the previous owner of firstnameLastname.ca also used firstname@firstnameLastname.ca.

I ended up making a twitter post basically saying "Hello, I think I accidentally stole your account. If this used to be your account, email me.". A few weeks later I got an email from a fellow with the same name as me, who used to live in Canada but had moved back to England. I was able to change the email on the account and give him back access.


Reminds me of the time I changed my main cellphone number so the last digits were 69696969.

It was a really, really bad idea that sounded funny in my head. That number is scrawled on every toilet wall with "for a good time call: ..."

Every hour of the night...!

See also:

https://www.wired.com/1998/09/woz/


At least with email you can change your address. I once had a process server come to my door to serve a summons, it was my first and last name with a different middle initial. When I pointed that out to the process server, he said "close enough" and walked away.

I had never been served a summons before so I was worried about it, I called a lawyer and the lawyer said to just throw the summons in the trash.

Although apparently the guy with the same name as me was going bankrupt or something, his bad debts started showing up on my credit report and I had to mail the reporting agencies to take them off, went on for a few years.


Finally found the person behind test@test.com!


How about dotdotat@dot.dot.com?


If you are bob@gmail.com or bob@yahoo.com, I am sorry about the decades worth of product offers, porn subscription offers, forum or blog reply notifications, etc.


I use bob@smith.com for any service that insists on an email address when they have no business doing so (eg public WiFi portals). I used to use bob@example.com to avoid spamming poor Bob but many services now disallow example.com as a domain.

Sorry Bob!


I usually use marketin@domain-of-the-website.tld when a website insists on an email address to let me download something. I also curse at the marketing team, just in case.


I guess I’m more evil, I use abuse@ whatever site because I know that’s guaranteed to be monitored.


Oh my God, that's brilliant.


I usually use fuckoff@mailinator.com, which usually works (some sites won't let you use a mailinator address).


Gmail launched with a minimum username length of 6 characters, so no one has ever had bob@gmail.com.


firstname.lastname@gmail.com can have similar problems. Somehow people miscommunicate or misremember their email address and I get a lot of misdirected messages.


Same thing here. The worst part is when websites don't actually require an email confirmation to keep using them. In the beginning I tried to reach out to those companies to close the accounts without accessing them, but by now I've started just resetting the password and then deleting them. It's just too difficult to do the right thing.


Welcome to the club. My gmail address is lastname.firstname@gmail.com and I keep receiving occasional emails for firstname.lastname@gmail.com who is actually some kind of a senior manager in one of the major TV stations. It works the other way around as well (he receives my emails - extremely rarely, but still). We simply agreed to forward them to the right person and delete afterwards so there is no issue per se, but it's still kind of funny.

Also, my daughter has firstname.lastname@gmail.com and there is another lady with the address firstnname.lastname@gmail.com (yes, a typo in her first name, duplicating one of the letters) and of course she keeps receiving her emails and vice versa. Same solution - they mutually agreed to forward messages to the right person and delete them afterwards.

First world problems...


I have firstinitiallastname@gmail.com and I get a lot of stuff meant for other people. Someone even used it to sign up for their bank, and said bank apparently didn't require verifying the email address. I don't even have that common of a name.


I'm in the firstname.lastname@gmail.com club too (common first name and very common surname) and I receive so many mistaken emails that I like to collate them to guess which homonyms are the same person.

I often see repeated attempts to create accounts without reconsidering the email address, and sometimes they succeed (I received repeated invoices for Sky and for an insurance, not to mention occasional ones).


Now imagine how bad it is for the guy with the verbatim email address `firstname.lastname@gmail.com`.


Oh wow, I'd never even considered that.


I have firstInitial.lastName@gmail.com and have occasional problems with this as well, despite having a very uncommon last name.


I have a simple@Gmail.com address and I have this problem quite a lot, where I get a lot of random stuff.

Sometimes from the same person; their Starbucks card seems to be linked to it, for example. Annoying.


Same, I get a lot of sensitive correspondence, things like divorce settlements from lawyers, mortgage applications, correspondence with doctors with a lot of personal details (that the person cc’ed me on), airline reservations, etc.

Usually I’ll reply to the sender and tell them they have the wrong email address. Some don’t believe me, sometimes they ask me if I know the person (out of a billion gmail users), some complain that I took too long to tell them about the wrong address, and sometimes a lawyer will direct me to delete all copies of the errant email…

I always reply back to tell them that the email lands on multiple devices and is downloaded and backed up automatically and to see if they want to pay me on a time and materials basis or if they want a project based fee. None have been willing to pay me to cleanup their mistake.

Way back when I signed up with gmail, I was happy to get a first-initial.lastname@gmail.com address, now I wish I’d gone with something more obscure.


Same situation here! My HN Username @gmail and my last name is a very common last name in India.

I’ve received people’s tax returns (including their SSN), airline tickets and hotel reservations, matrimonial proposals, photographs, etc.

I often used to email back and let people know about the mistake, but rarely do it now unless there is sensitive/urgent information.

To deal with some of the repeated unwanted emails, I have rules created to label those emails with a specific label. I use Google scripts to auto-delete all emails from that label which are older than 365 days. It cleans up repeated transaction emails from Indian banks/credit cards, newsletters, etc. but also gives me a year to retrieve the email if it was actually meant for me.


I too was an early adopter of gmail and I imagine a person could guess what my email address is, especially if I said I keep forgetting my HN passwords.

Misplaced periods give me all sorts of other people's emails - new cars, new mortgages, new bank accounts, new home purchases that are not in my name or identity (based on the names I understand the confusion) - all sorts of things that I'm not doing IRL. Sometimes I try to reach out to the sender and get them to correct the email address, sometimes I just unsubscribe.


Same, got me a free month of Disney+ once.


Sounds like the Woz story, where he got a common phone number like 888-8888, but he would get calls all day from babies.

EDIT: https://www.wired.com/1998/09/woz/

(a large article, search for 888-8888)


My email is <first initial><last name>. I also have the same first initial as my father, sometimes I get email intended for him. Fortunately our last name is unusual so that's about the extent of it.


My Gmail account is the same way. I constantly get people using it as a throwaway email address for various dating sites, commerce sites, and porn sites. After enough annoying emails, I’ll typically change the account’s password or delete it if I can. (These sites usually aren’t the most reputable, so often times about the most I can do is change the password to lock them out.)

I don’t get why people do this. It’s not like it’s difficult to get a throwaway email account.


You don’t need a custom domain, a gmail address is enough.

I have surname.name@gmail.com and I routinely used to receive emails for surnamename@gmail.com, because of some moron at google that thought it was a good idea to ignore dots.

I haven’t checked that gmail account in a while (gmail is just trash at this point, beyond salvage) but I might still be receiving this guy’s loans solicitation or his car insurance certificates. Who knows.


I treat giving out my email as giving out a social security number. I wish the Hide My Email feature from iOS had come in 15 years ago.


I get the same with <common_name>@outlook.com ; managed to sign up right as the service was launched and thought I scored :)

After a couple of years gave up on that address as it was getting dozens of messages a day (a lot of them legit email, sent to the wrong address - including bank statements, shipping orders, etc.)


Lol I always use cat@cat.com, so to whomever owns that: you're welcome.


I often used fuck@you.com... but now you.com is active, so, sorry guys!


Hi Bob


nobody@nowhere.com was my go-to throwaway email address - sorry about that.


How is this related to the topic?


While not entirely on topic, I am implying that the person who is getting the unremitting password reset requests may have an e-mail address with a similar problem.

My <common-name>@<common-name>.com address gets incessant password reset requests for every major online site in existence. (I should have been clearer about this; sorry.)

I am suggesting that, by having strange or very unique e-mail address, you can fairly effectively mitigate this phenomenon.


I was a PM at instagram in 2016 when we got a lot of these complaints from celebrities and users with short usernames.

Some users were getting hundreds of reset emails/day triggered by random people in the world trying to reset their password.

It's a really hard problem to solve because if these users actually forgot their password someday, they would really want those emails. We ended up creating a "snooze for 30 days" button at the bottom of the email as an imperfect solution to balance short-term spam and long-term lockout (with an override if the device id requesting the reset had recently been logged in to the account).

Idk if that still exists on IG but doubt it was ever ported to FB.


If websites made a concerted effort to train their users to not "remember passwords", this could eventually be solved.

Human brains are not designed to remember:

* Passwords that aren't reused across the many dozens/hundreds of logins a person typically has

* Passwords that aren't easily guessed phrases including substrings of personal information (birthdays, children's names, etc)

* Long and strongly random

Yet good passwords need to be all of those. Christ, if websites just included a little "have you considered using a password manager?" link on the registration page. Tragedy of the commons I guess... everyone wants other companies to do the hard work of convincing a few percent per year to use them. We'll still be dicking around with this bullshit 30 years from now though.

The problem is easy. The work of implementing it is difficult and slow. Let someone else do it.


I personally feel password managers are a convenience that bundles separate risks into a single point of failure.


It might have been a convenience thing back when there were only a few sites on the Internet but it's unreasonable, and just not practical to expect users to memorize several hundred, good, unique passwords for all the websites and apps they'll use in their modern digital life. Login with Google/Facebook/Apple/auth0 help mitigate the number of passwords to remember, but then you are beholden to that company.

Not all single points of failure are made equal, and password reuse is a much bigger problem than the possibility of your password manager getting hacked, assuming you choose a good one.


My bigger worry is less getting hacked and more losing access to the password manager: If I use an online one, I'm once again dependent on a third party that can change their terms (or have an outage or get hacked) tomorrow; if I use an offline one, I have to manage a password database which has to be backed up, synchronized across devices, etc. If I use a new device, I cannot log into any account if I don't have an old device at hand from which to copy the password file.

All that seems a lot more risk and hassle than choosing 2 or 3 good passwords (correct horse etc), then making variants that you can remember for each site.


If I were nefarious I would attempt to login to websites with variations of pwned passwords and you would be one pwned trivial bullshit site away from having your entire digital life pwned. This form of security is worse than nothing because it gives a false assurance of security AND a false concept of ergonomics in one go.

99.9% of people are going to be unable to remember a reasonable number of variants that aren't trivially deterministic, and once things are very similar to one another it's increasingly easy to confuse them.

You can sync your encrypted password vault between local devices and a remote resource which has access to the vault but not the key for same. At that point it is very, very hard to get pwned or lose access to anything. This was a solved problem 20 years ago.


Offline password managers offer sync features that make that issue more tractable. Better than using the password variant scheme, anyway.


For silly websites I agree, a password manager makes sense. For banking, identity, and work, I prefer to keep those keys on my person, in my head.


For practical purposes if you tell people to forgo password managers you are just implicitly suggesting they pick bad passwords or write them down or constantly harass support when they forget for the 10th time. Don't let perfect be the enemy of good.


The points of failure are either a single person manually remembering insecure passwords or a password manager storing highly secure passwords in encrypted storage with multiple factors of authentication. There is no increase or decrease in points of failure, and in both cases, the password reset mechanism still exists.


I also feel like this about them, but I don't really have much knowledge on the subject. Do you have any experience or references that this might be the case?


For passwords, nothing personal, only the eggs-in-one-basket heuristic. But stories like this don't inspire my confidence: https://news.ycombinator.com/item?id=34516275


It's really no different than using a single email account as the recovery address for all your other accounts.


The concept of requiring a special string to gain access to an account is massively dated, whether that string is something a human has memorised or random output from a password manager. Either the database of special strings lives in your brain, a notebook, a bit of paper, or encrypted on disk somewhere, but it's still a database of special strings.

Public key crypto never took off for account management and neither did Persona, but the current iteration with passkeys/Webauthn should hopefully be a fresh step in the right direction there.


> The concept of requiring a special string to gain access to an account is massively dated, whether that string is something a human has memorised or random output from a password manager.

I disagree.

Any system, whether computerised or not, needs two pieces of information to authenticate a person - something the person has (identification), and something the person knows (authentication).

You cannot simply rely on something the person has; that thing can be stolen and used by someone else.

If you have a reasonable replacement for "something the person knows", I'd love to hear it.


I don't think they actually have to come up with a replacement for "something the person knows," they just need to prove it's already not there to be replaced. With password managers, the password becomes more like something the person has anyway.


> I don't think they actually have to come up with a replacement for "something the person knows," they just need to prove it's already not there to be replaced.

I don't know what this means.

Once you've identified a person, you still have to authenticate that they aren't masquerading as someone else. The replacement I asked for is not "how do I identify who I am talking to", it's for "Right, now that I've identified them, how do I verify that it really is *them*."

If you want to do away with passwords, tokens are no replacement.

> With password managers, the password becomes more like something the person has anyway.

Maybe. The user still has to both identify and authenticate themselves to the password manager anyway, so you can give access to the password manager as a "something they know" anyway.


> I don't know what this means.

You responded to this after your second quotation, I effectively said the same thing twice in different ways to make my point. Hopefully you understand it now. To be fair, it's a somewhat complicated sentence, took me a while to put that thought into words.

> so you can give access to the password manager as a "something they know" anyway.

Mostly true. Ignoring password manager breaches, as that hurts your argument a little. Security researchers are currently of the opinion that the last LastPass security breach leaked people's encrypted password vaults, which people have somehow managed to decrypt since then. In that case, the password was something the attacker had, not something they had to know. But I think I mostly agree that access to the password manager can at least (mostly) be seen as something they know.


The association is email address to user, so some services don't even use passwords anymore. Create the user session for that current browser, and then email a time-limited login link to login.


That's just shifting the auth burden to the email provider though.


> Long and strongly random

You can choose to substitute length for randomness. A long enough random sentence works quite well.

The hard bit is generating random sentences. I suppose you could use GPT to generate a sensible but random sentence, or just go old school and pick words from a large list and make a sentence with them.


Just battery horse staple it.

https://xkcd.com/936/


Sorry, your password must contain: an uppercase letter, a number, a special character, a futhark rune, a unicode astral plane character, and a kanji.


Also your password must change every 6 months.


Dictionary attacks? I know any two words aren't strong enough. Four seems little better.

Besides, this only gives you one good password anyway. You won't remember five unique passwords constructed that way, and if you have fewer than 80 passwords that you need to all be unique, I'd be shocked. Even AOL grandmas have several dozen accounts somewhere.

It's just bad advice, no matter how much of an xkcd fetish you have.


People still can lose access to their password manager. Getting everybody on password managers won't prevent all reset requests.


It does exist on IG still, and I think it's a very elegant solution. Thanks!


Set a limit, you get one password reset email per day/successful password reset. If you try to do it again you are instructed to look for the email that had already been sent.


> Set a limit, you get one password reset email per day/successful password reset.

I routinely see password reset emails get caught by greylisting. Most are released by the 2nd email but sometimes it takes more.


Greylisting is really a rare configuration choice in modern times and has always been a "results may vary" sort of deal. Personally I wouldn't factor those users into my considerations.


I do password resets for clients fairly routinely. I run into greylisting behavior about 2 doz times a year. Often happens in spurts.

Just last week I ran into greylisting a bunch of times, while testing a new mail server against gmail accounts. Same thing two weeks prior for a diff server. This is with SPF, DKIM and DMARC set up. Corp and personal gmail accounts - no rhyme or reason to when it happens.


That might not be greylisting like I'm thinking of, Gmail has its own secret process but in my experience they accept the message and decide if they want to deliver it or not later.

If you don't have a ton of users you don't have the "celebrities getting hit thousands of times with password reset requests" problem, and if you do have tons of users, your higher volume of transactional emails makes Gmail trust you more, so your issue is much less likely to happen.


Maybe unrelated, but I think some people do this to check (at least partially) what email is tied to an account. E.g. if you suspect an anonymous instagram user to be your friend Bob, you can invoke the reset email procedure to see

    We sent an email to bo****@gm***.com
Which gives you a hint


Folks in the thread noted that the recovery code sent was the same each time, which leads me to think it might have been a phishing attack. Send email that looks like FB recovery, but have the links go to some domain you own and snarf up creds, including MFA etc.


Not in my case; I've had two password reset emails in the past 3 days (having had none since February) and both have gone simultaneously to the different email addresses I have on the account, with different codes on all the emails (even the ones sent at the same time), and the click-through URL is certainly on the legit Facebook domain.


I got one yesterday I ignored


I've been getting a lot of those lately. They were easy to spot as I don't have a Facebook account.


A variant I've seen was "We've sent you a recovery code to your email at gmail.com". I think it's useful for login name based authentication, since people will have multiple email addresses and may forget which one they used for that account.

(we have a 15 year old who's made at least four, probably more different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/lastname)


Best practice would be to display this message no matter whether the email address is correct or not, to avoid leaking information. Many sites do this.


The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.


On the systems where I had to do this for my account I usually get a message like: "an email has been sent to the address registered with this account"

there is no benefit to reveal any details.


The benefit is that people often don't remember which email they used for a service. They check their "main" email inbox but don't remember that they used their student email address 8 years ago when they signed up. By providing a hint they know which inbox to check and don't get frustrated because the email isn't coming.

So it is a privacy tradeoff for better UX. If it is a good tradeoff will depend on how much you value each.


Why not just login to all of your email accounts in your email client?


Probably because fewer and fewer people are using a (non-web based) email client.


I have many email addresses. I don't necessarily know which email address is associated with my account. Therefore, the user benefits from knowing which email inbox they should check.

That said, it could be that the security risk outweighs that convenience.


Isn't a step in password reset a prompt asking you to enter the email address the account is tied to?


Sometimes, not always.


That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info if they even have an account or are trying to use the correct email address.


Okay. Why not add a configuration option for this then so people who know what they are doing would be able to opt in for the more secure way?


I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.


> If account exists, you cannot make another with that email on most sites.

Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".


? the comment you're replying to is talking about resetting by *account name*, not email address.


Ah, sorry, I see now, but the underlying point is the same. You should not reveal any information. A "We have sent an email to the address associated with the account" would be sufficient.


It is not sufficient.

The amount of disclosed information, and its utility, is non-zero, but simply weighs less than the amount of damage from not hinting which account to check.

Accounts can grow to be 20 years old and even a "normal" person who is not actively using lots of addresses for security, will still end up having used several in the fullness of time and completely forgotten about some, yet, may still have or can regain access to them if only they knew to go look.

You don't see how that can happen or really be a problem? Oh well, consider yourself informed that it does happen and is a problem.


Not if you have multiple email accounts. Many times these codes reset in just a few minutes, you should try to avoid forcing users to spend time logging into every single email they can remember just to wait for an email to pop into one of them. You can show a few characters of an email or the first character of the domain to give a lot of info out in relative safety.

Everything is about tradeoffs, and the only objectively wrong answer is this dogmatic "never do $X" nonsense.
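
As an added example (not part of this comment or of the thread, and not any site's production code), here is the tradeoff the last several comments argue over, made concrete: a masker that turns a recovery address into the "bo****@gm***.com" style hint, beside a response builder that can be switched between hinting and a uniform message, plus a check showing that only the uniform mode stops a caller from confirming or denying a username. The ACCOUNTS table is constructed sample data and every name below is an assumption made for this example.

```python
# Added example, not code from the thread or from any of the sites named in it:
# the masked hint ("bo****@gm***.com") beside a response builder that can be
# switched between hinting and a uniform message. ACCOUNTS is constructed
# sample data; every name below is an assumption made for this example.
ACCOUNTS = {  # constructed: username -> recovery address
    "coolanonguy": "bob.example@gmail.com",
    "x": "a@b.co",
}

UNIFORM_MESSAGE = "If this account exists, an email has been sent to the address registered with it."


def _prefix(part: str, keep: int) -> str:
    # Show the first `keep` characters, or just one when the part is that short,
    # so the mask never gives away the exact length.
    return part[:keep] if len(part) > keep else part[:1]


def mask_email(address: str) -> str:
    """Mask an address for display: two characters of the local part, two of the
    host, the full top-level domain, fixed-width stars for everything else."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address")
    host, dot, tld = domain.rpartition(".")
    if not dot:                     # bare host such as "localhost"
        host, tld = domain, ""
    masked = f"{_prefix(local, 2)}****@{_prefix(host, 2)}***"
    return f"{masked}.{tld}" if tld else masked


def reset_response(username: str, reveal_hint: bool) -> str:
    """The text shown after a reset request for `username`."""
    address = ACCOUNTS.get(username)
    if address is not None and reveal_hint:
        return f"We sent an email to {mask_email(address)}."
    return UNIFORM_MESSAGE


def leaks_existence(reveal_hint: bool) -> bool:
    """True when the reply for an existing account differs from the reply for a
    made-up one, i.e. when the flow lets a caller confirm or deny a username."""
    return reset_response("coolanonguy", reveal_hint) != reset_response("no-such-user", reveal_hint)


if __name__ == "__main__":
    print(reset_response("coolanonguy", reveal_hint=True))    # We sent an email to bo****@gm***.com.
    print(reset_response("coolanonguy", reveal_hint=False))   # the uniform message
```

If you run the uniform mode, the work of actually sending the email has to happen off the request path as well; a reply that takes noticeably longer for real accounts leaks the same bit the wording was hiding.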


Interesting hack, but it wouldn't explain the case where you receive multiple such resets emails.


Well.. I have a theory. Maybe the threat actors are sending the recovery email with the hopes that the target does not engage. Then, the threat actor can indicate that they "no longer have access to this email address" to force recovery to an alternate address. Then, perhaps they have gained access to some people's old alternate email addresses either through credential stuffing or recreating deleted email accounts. If so, the TA can finish the reset and take over the account.


Could be multiple different actors doing it


Or some runaway script.


Is that how it actually works on Instagram or was it just an example?


I actually lost my Instagram account because, I believe, it filled in my email field with a dummy one, user@example.com and then when I had to do verification, I could never recover the account. I believe it was in the very early days of Instagram although it's possible there was user error on my part in this case.

It is too bad because for symmetry I used the same username in a number of places (not the one I have here).


I lost a yahoo account because I put in incorrect information (I claimed to be 99 year old female or some such thing) and then forgot the password. I never really did anything with my yahoo account though, so it doesn't matter other than I couldn't unsubscribe to some mailing list.


Lost my Yahoo account because it forwarded mail to another account and so I never logged in to it. Then Yahoo deleted it for inactivity ... No warning issued, just gone one day. So now I'm locked out of my YouTube account because it wants to send a verification code to the Yahoo address.

Fuck this bullshit.


You're in luck. Email forwarding with Yahoo is now a paid only feature.


Funny I keep getting login codes for my Microsoft account. Also there is seemingly no way to figure out who is doing it or how to stop it.

I wish I could just disable that form of login, I have a very safe password so the login via email isn't necessary.


Yeah - and what is crazy is when you think about it - Microsoft generates a 6 digit code.

So it is a "one in a million" to randomly guess what the code is on any given login.

But it is "one in a million" for each Microsoft account you know about - and if they have millions of email addresses, and automate it each day (I also get attempts 1-2 times per day).

Yes - the odds are small - but there is a greater than 0% chance someone can randomly get into your Microsoft account - and there is no way to stop it - even with 2FA etc - this bypasses all of that!!!

Crazy...


I'm a little confused. Does the code get generated on any attempt to log in, or only those that have the password and MFA is activated? Or when someone attempts password recovery?

Because I'm a bit concerned if Microsoft passwords are leaking.


When attempting to login to your Microsoft account, instead of typing your password you can do an optional "one time password" generation thing from Microsoft. So instead of typing your password +2FA - they email you a 6 digit "one time password" that you can use instead.

You can't disable this.

So all Microsoft accounts could have a daily 1 in 1 million chance of being overtaken.

Odds are low - but if you then spam this across thousands of attempts per day - they would statistically "get lucky" from time to time...


One would think Microsoft wouldn't be stupid enough to provide endless amounts of one time codes for a single account. I would guess they provide 5-10 codes before escalating the login.


That makes much more sense, thanks. I'm guilty of using this from time to time as well.


If you have 500 million accounts you know of, you'd be breaking into around 500-1000 a day.

I suppose that's a decent rate, but it feels like most Microsoft accounts will just have something like Office or Minecraft set up.
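
As an added example (not part of these comments or of the thread, and not Microsoft's code), the two halves of this discussion in code: a calculator for the expected takeovers per day given how many codes and guesses a policy allows, and a verifier for a mailed 6-digit code that voids the code after a few wrong guesses, caps codes per day, and then requires a stronger step before any new code is mailed, which is the "escalating the login" the comment above guesses at. The class name, the caps and the clock injection are assumptions made for this example.

```python
# Added example, not code from the thread or from Microsoft: a verifier for a
# mailed 6-digit code that limits wrong guesses per code and codes per day and,
# once the guess cap is hit, requires a stronger step before any new code, next
# to a calculator for the expected takeovers per day under a given policy.
# Class and setting names are assumptions made for this example.
import hashlib
import secrets
import time

CODE_SPACE = 10 ** 6        # six decimal digits
MAX_FAILURES = 3            # assumed policy: wrong guesses before the code is void
MAX_CODES_PER_DAY = 5       # assumed policy: codes mailed per account per day
CODE_TTL_SECONDS = 10 * 60  # assumed policy: a code is usable for ten minutes
DAY = 24 * 60 * 60


def expected_takeovers_per_day(accounts, codes_per_day, guesses_per_code, code_space=CODE_SPACE):
    """Expected accounts compromised per day when every account receives
    codes_per_day codes and each code is guessed guesses_per_code times."""
    guesses = codes_per_day * guesses_per_code
    p_one_account = 1 - (1 - 1 / code_space) ** guesses   # at least one guess hits
    return accounts * p_one_account


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class OtpGate:
    def __init__(self, now=time.time):
        self._now = now
        self._active = {}       # account -> {"hash", "issued_at", "failures"}
        self._issued = {}       # account -> timestamps of codes mailed
        self.escalated = set()  # accounts that must pass a stronger check first

    def issue(self, account: str):
        """Mail a fresh code, or return None when the policy refuses to."""
        now = self._now()
        if account in self.escalated:
            return None
        recent = [t for t in self._issued.get(account, []) if now - t < DAY]
        if len(recent) >= MAX_CODES_PER_DAY:
            return None
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._active[account] = {"hash": _hash(code), "issued_at": now, "failures": 0}
        self._issued[account] = recent + [now]
        return code   # in production this goes to the mailer, never back to the caller

    def verify(self, account: str, guess: str) -> bool:
        rec = self._active.get(account)
        if rec is None or self._now() - rec["issued_at"] > CODE_TTL_SECONDS:
            return False
        if secrets.compare_digest(rec["hash"], _hash(guess)):
            del self._active[account]        # single use
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            del self._active[account]        # the code is void after the cap
            self.escalated.add(account)      # no new code until the owner proves it another way
        return False

    def clear_escalation(self, account: str) -> None:
        """Call after a stronger factor (password, known device) succeeded."""
        self.escalated.discard(account)
```

With 500 million accounts, one code and one guess per account per day, the calculator gives the 500 a day quoted above; raising either allowance multiplies it, which is why the guess cap alone is not enough and the escalation after the cap is the part that actually closes the door.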


It's like the google 2FA where you can accept the login on ANY android device where you are logged in. and you can't disable the feature and the only way to remove the option from a device is to logout your account on the device... I have a tablet and a phone which are used by other people in my family and I definitely don't want the 2FA requests on these devices...


I thought this was the Passwordless account they implemented (EDIT: didn't realize you weren't talking about the Authenticator app), but I had it turned off. I somehow managed to make it stop by re-enabling/re-disabling both Passwordless and 2FA. So now they always ask me for a password and then I get the challenge.

To this day, I can't comprehend how this is supposed to be safe. So someone can just type in my username and wait until I eventually misclick in the Authenticator app? If it was from a browser I have used before at least, but I was getting these challenges from around the globe.


Same here. At first it was just my account but now family members are getting it too.

Microsoft doesn't show you login attempt IP addresses like Google does?


It does, but only when they use the password login...


Have you got an exchange email or Teams set up on a mobile device? These will generate 2FA requests (but not make any kind of notification on the device).


Your org's admin can see it in the Azure portal.


I’ve seen that and the FB one in recent months.


I own the domain of my last name. Several family members use (firstname@lastname.com).

I once went to get a new phone at Best Buy, and the employee needed my email address. I gave it to her (firstname@lastname.com) and she insisted that it was NOT my email address. She insisted that it MUST end in @gmail.com or @yahoo.com, something like that.

We frequently sign up for stuff online, and when we enter our email address it won't let us sign up... we figured it is because the email address is too similar to our actual name, the name we've entered in the 'first name' and 'last name' fields (it happens to both me and my wife at least 2-3 times a year).


I have the same, firstname@lastname.com/uk/.co.uk/etc; my family name alone is an absolute pain in the arse for most British English speakers to spell when given it verbally; to make matters worse, when I give people my email, over the phone for example, I get the combination of "what's it @?" and then when they finally get there, that my last name is after the @, another 5 minutes to get them to spell it correctly; Some, despite this dance still end up never getting it right.

My wife constantly (half-jokingly) reminds me of how much of a PITA I've caused her with my name (that she took), when her maiden name was so sophisticated and easy compared to my weird, unidentifiable, "foreign" (I'm British/English) one.

EDIT to add: I don't often have issues with forms, but I reserve that particular address for "important" family related things, the sort of account where I _know_ if I receive an email to it, I need to read it. Everything else I use a gmail for (as does my wife).


> her maiden name was so sophisticated and easy

You could have solved the problem at the root by taking her name


There is still time for it too


Whereas I made the opposite mistake of having firstname@outlook.com

I get ungodly amounts of spam, relentlessly, from everyone. Because anyone over the age of 50 seems to give it as their email to companies like Target.


I have never had this problem and I have been using firstname@lastname.com for 20+ years


Yeah, I've had issues with firstname@lastname.name, but only with terrible regex validation logic that thinks a TLD can't be 4 characters long. And some quizzical replies from people: "dot name? Is that new?" Yeah, I say. It's pretty new.


Whatever, Tim Apple...


Same here


I use bestbuy@lastname.com with no issues. I often get customer service people who think I work for their company.


Lots of sites don't let you put their business name in the username. For instance, Samsung won't let you register with "samsung" in it.


But they will let you use sam_sung


When I first got a dot UK address a lot of forms refused to accept it, demanding that I use org.uk or co.uk instead.

It was really annoying, luckily it doesn't happen as much anymore.


I tried using the clever email equivalent to me@firstna.me only using a more obscure TLD. Most people got very confused by this.


Happened the other way to me once. When I made my Gmail account I had a . in it. Emails sent from me go from this email address.

My Facebook email for ages was my school email (as is tradition, right?) and one day someone registered as my actual email around the time I was doing a bunch of address consolidation because my school was moving all historical accounts to a separate subdomain.

I clicked to confirm foolishly (should not have done that) and it became associated with someone else's Facebook account.

Facebook has a process for this. You request an email to your address and it sends you one and you reply and it removes the email from the other guy.

Well, I did that except he set it without the '.' and when I replied from mine it wouldn't accept it. I tried again as it was and only realized after three tries what the problem was. Facebook's difference in verification processes (click to confirm / reply to dissociate) meant that I was not doing the right thing.

Repeating the action means I looked like a fraudster so that must have been why even though I added the dot version as an email to send as it would no longer accept me.

To make matters worse, I decided I'd just fix it by resetting my password and logging in and removing my email.

Well, I succeeded in the password reset but Facebook protects you here by requiring friends to verify it's you. Well, I didn't know his friends so I just let it go: he could no longer log in except via phone number (I hope, or he was locked out) and I couldn't associate my email correctly.

Then one random day I tried again and it worked.



Am I missing what you are referring to?


This is very common with short or otherwise valuable usernames on social media platforms. Initials and so on.

That's what 2FA is there for, but you still get the annoying e-mail notifications for attempted sign-ins.

Make sure to weigh the pros and cons when you pick your username on the internet.

A dedicated e-mail filter to limit the mental attrition might not be the worst idea.


I was early enough to get my first name on Twitter and didn't, but did get it on Instagram.

The @tommy on Twitter was a dev at Gameloft who gets constantly harassed in his mentions to give it up. I had a similar problem on Instagram. I've mostly stopped using it, but when I did post and had an open profile I constantly got comments offering money for my username.

Eventually someone set up a follower bot on my account and I was getting hundreds of new followers a day. I made my profile private and don't post anymore, but it's still hundreds of new follower requests per day.


Several years ago I was getting multiple password reset attempts per day from my bank because I picked an easy username to remember 20 years ago. Luckily my bank allowed me to change my user name so I used my password manager to generate a password and used that as my username.


One trick I've applied with a wordpress environment is to change the default 'admin' password to something longer / more complicated, change the default location of the admin panel to something else (only works if the admin environment is set up for that), and change the default SSH port. This already defeats 99% of 'low hanging fruit' attempted login attempts.


I had a six character username at Fidelity. Every few weeks I'd get a few password reset emails (or something similar, it was a while ago) and my account would get locked. It was a real pain to deal with but I didn't have a choice, such is the suck of a 401k.

Eventually I went with a much longer username and the problem went away.

I don't know if this is related (probably not), but fun fact: Fidelity lets you log in to your account over the phone using numbers[0] -- one per character. Yep, passwords too.

> Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:

> To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3

> To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3

My 6 letter username mapped to numbers that corresponded to up to 4^6 accounts. That's really bad but not nearly as bad as what they're doing to passwords.

The longer username is both worse and better. Worse because it matches way way more possible accounts and better because (I presume) it matches fewer actual accounts so it gets fewer failed attempts. That's my guess, anyway.

Edit: it is possible that they only allow one account per "folded" username. That increasing the username length resolved the problem immediately suggests otherwise, but like I said, I dunno. I have no insight into their systems.

0: https://www.fidelity.com/customer-service/faqs-managing-your... look for "telephone services"
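
As an added example (not part of this comment or of the thread, and not Fidelity's code), here is the keypad folding the quoted FAQ describes, with a count of how many distinct strings collapse onto one folded code and a collision check over a constructed username list. It goes slightly beyond the "4^6" figure above: each digit key is counted as the digit itself plus its letters, and, as an assumption, 32 possible special characters hide behind each '*'.

```python
# Added example, not code from the thread or from Fidelity: the keypad folding
# the quoted FAQ describes, with a count of how many distinct strings share a
# folded code and a collision check over a constructed username list. It also
# counts the digit keys' own digit and, as an assumption, 32 possible special
# characters behind each '*'.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}
SPECIAL_CHARACTERS = 32   # assumption: printable ASCII punctuation behind each '*'


def keypad_fold(secret: str) -> str:
    """Map a username or password to the digits a phone keypad would send."""
    out = []
    for ch in secret.lower():          # "no case sensitivity"
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            out.append("*")            # every special character becomes '*'
    return "".join(out)


def preimages(code: str) -> int:
    """How many distinct case-folded strings produce this folded code."""
    total = 1
    for d in code:
        if d == "*":
            total *= SPECIAL_CHARACTERS
        else:
            total *= 1 + len(KEYPAD.get(d, ""))   # the digit itself plus its letters
    return total


def collision_groups(usernames):
    """Usernames a keypad login cannot tell apart, grouped by folded code."""
    groups = {}
    for name in usernames:
        groups.setdefault(keypad_fold(name), []).append(name)
    return {code: names for code, names in groups.items() if len(names) > 1}


SAMPLE_USERNAMES = ["Smith123", "rogui123", "pogth123", "alice99"]   # constructed

if __name__ == "__main__":
    print(keypad_fold("Smith123"), preimages(keypad_fold("Smith123")))   # 76484123 20480
    print(keypad_fold("Lucky1$23"))                                       # 582591*23
    print(collision_groups(SAMPLE_USERNAMES))
```

The point of `preimages` is the one the comment makes about passwords: the phone channel accepts any of those strings as the same secret, so its effective strength is the strength of the folded digit string, not of the characters the user chose.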


I’ve accumulated, what, 3 Facebook accounts over the years? Many mornings I wake up to see that recovery codes have been requested for all of them, at a similar time. Surely this is enough of a signal to act on!? It really speaks to the fact that Meta really just doesn’t give a rats.


I have never had anyone request my Facebook password. Your email addresses were likely compromised from somewhere else.


I mean a single attempt is always possible, even a number of attempts. But consistent attempts affecting what is probably millions of users over the span of years is a Facebook problem, clearly any measures they have to avoid repeated login attempts aren't working.


At this point, I would not be at all surprised if this is a guerrilla tactic for accounts that have not logged in in a while to create engagement/MAU.


I would believe it. I recently logged out of facebook on each device and took a month long timeout. After a couple of weeks, I started getting facebook email notifications of things they figured I'd want to see. With the impossible to remove/hide facebook reels nonsense they force on users, I'm about to take a much longer facebook timeout.


Our company owns a one letter domain (e.g. "x.tld"), that follows a quite common sequence. A few months ago we've enabled receiving e-mails for all local parts on that domain.

We've received hundreds of notification mails, newsletter subscriptions, alerts (from internal systems disclosing details about infrastructure of giant corporations), etc.

It was quite fun, but became annoying quickly. We've then reduced reception to the common hostmaster@, ... mailboxes and for all other mailboxes we are now rejecting the mails with a nice reminder message in our Sieve filters.


> We've then reduced reception to the common hostmaster@, ... mailboxes

Just FYI: For a more-or-less authoritative list of what aliases you ought to consider having, see RFC 2142: <https://www.rfc-editor.org/rfc/rfc2142>


That's exactly the one we picked. I've even commented it in our Sieve script. Funnily enough some spammers have picked up on this and send their spam even to those mailboxes.


> For a more-or-less authoritative list of what aliases you ought to consider having, see RFC 2142:

Nothing for DMARC - not even notice@?


I'm close with someone whose FB account was compromised due to a shared password, and then didn't see the 'an email has been added/removed from your account' emails until after the revert link expired a few weeks later.

The recovery process is totally broken for them now. We eventually managed to revert back to the original email address by visiting facebook.com/hacked (not without the help of a weird youtube video to make sure we were selecting the right options, though), and we lost a ton of time on a weird issue where emails or recovery options were deeplinking to the app, which was opening but didn't know what to show us. After deleting the app, we managed to start generating 2-factor email codes, but the same prompts that generate them don't accept them. And the 'send in an ID to verify your identity' feature just doesn't load at all. I'm chipping away at it when I see them, but I give recovery a low probability of success.

Understandable that this is probably not very fair to those who can't afford it, but I wish there was a 'pay $100 to speak with a rep who can fix this now' feature.


I suspect someone might have noticed a flaw and is trying to take advantage of it. I've seen two reset emails this past week - one on Sunday and one on Tuesday, and they both had the same recovery code. Others in the Reddit thread noticed the same thing, so it's possible that someone is trying to exploit this some way.


Noticed this as well. You can report the attempt to fb with a link in the e-mail and then the next recovery code is different. However, I hope they have some brute-force protection in place for the codes.


I just assumed someone was going through a database of known FB accounts and triggering the reset looking for people who accept.

It is strange that they appear to be able to avoid being blocked for bulk/frequent requests though. Seems like a big flaw.


My assumption is that it is engagement juicing. These seem to go out to seldom/casual users a lot of the time, and people respond by logging in and checking things out. Easy way to pump the MAUs


Yeah, this is not far fetched as I noticed this only on an account I haven't been using for a long time, and in the past FB engaged in a ton of scummy tactics to force me to log in again.


I got these reset emails, for email addresses on an account that I use multiple times per day. Same for friends of mine.


But to move the needle you would need to do it for millions of accounts.

Which is guaranteed to generate press articles.


Ah yes, Facebook, famously known for not having enough active users.


You know it's not outlandish that either an engineer or a team

a) did this intentionally to improve their KPI numbers

b) did this accidentally-ish but won't roll it back because it's making their team's KPIs look good and is playing dumb


It's not that they don't have enough, it's that they try to always get more. If they no longer have anything to engage you with as you turned it all off, you will get a notification for some random post "we thought this might be interesting to you". And even if you always manually disable all possible options related to this particular notification, they will always find a way to nag you more.


I got one of these "someone request a password reset" mails from Facebook yesterday. I don't think I've had one before, and my email on its own domain I've had for ~20 years doesn't seem to be one people type by mistake.

I thought it was probably phishing, yet the links all looked legitimate, including the one for password reset and the one to tell Facebook I didn't request the reset.

So I thought it might be a homoglyph attack (a URL that looks legitimate but isn't because it's using alternate characters that look the same or similar), and rather than click the link saying I didn't request the password reset, I logged into Facebook hoping to find a notification or something in the account settings logging that it was a genuine request.

I was surprised to see no notification, nor anything in the account settings and security area.

I was also surprised to see I needed to login again, as I thought Facebook kept a long term session open for longer than the 2 weeks since I'd visited it previously.

If it was a tricky method to get me to login to Facebook again, it worked! But I didn't stay long after I didn't find what I was looking for.


just to be sure if you use firefox you can set network.IDN_show_punycode to false in about:config

this will make the url bar display the encoded version instead (xn--wikipedi-86g.org)
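
As an added example (not part of this comment or of the thread, and not Firefox code), the same check the punycode setting gives you in the address bar, done on a URL string with Python's standard IDNA codec: it reports the host in its xn-- and Unicode forms, flags any encoded label, and says whether the host is the expected domain or a subdomain of it. The function name and the two sample URLs (one with Cyrillic letters in place of "oo") are constructed for this example.

```python
# Added example, not code from the thread or from Firefox: the same check the
# network.IDN_show_punycode setting gives you in the address bar, done on a URL
# string with Python's standard IDNA codec. Function names and the constructed
# sample URLs are assumptions made for this example.
from urllib.parse import urlsplit


def inspect_host(url: str, expected_domain: str) -> dict:
    """Report the host in its ASCII (xn--) and Unicode forms and whether it is
    the expected domain or a subdomain of it."""
    host = urlsplit(url).hostname or ""
    ascii_host = host.encode("idna").decode("ascii")      # Unicode labels become xn--...
    unicode_host = ascii_host.encode("ascii").decode("idna")
    expected = expected_domain.lower().encode("idna").decode("ascii")
    return {
        "ascii_host": ascii_host,
        "unicode_host": unicode_host,
        "has_idn_labels": any(label.startswith("xn--") for label in ascii_host.split(".")),
        "matches_expected": ascii_host == expected or ascii_host.endswith("." + expected),
    }


# Constructed samples: the genuine host, and one whose "oo" is Cyrillic U+043E.
LEGIT_URL = "https://www.facebook.com/login/recover/"
LOOKALIKE_URL = "https://www.faceb\u043e\u043ek.com/login/recover/"

if __name__ == "__main__":
    for url in (LEGIT_URL, LOOKALIKE_URL):
        print(inspect_host(url, "facebook.com"))
```

The suffix check matters as much as the punycode check: a host such as facebook.com.example.net contains no encoded labels at all and still fails `matches_expected`, which is the case a quick glance at the link text tends to miss.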


This was exactly my experience yesterday— on a firstnamelastname.tld email address for the first time, sort of phishing looking but with legitimate-looking URLs.

Even the email headers looked legit but there was something so weird feeling about it I figured it was a sophisticated phishing attempt.

I also found it odd there was no notification or anything inside Facebook.


Facebook is almost unusable for me.

Every week or so they lock my account due to "suspicious activity" even though I haven't used my account.

I have all the security features and such turned on like MFA and a strong password (that I have to change like every week after every time my account gets locked).

There is no useful info in the security logs. I have no idea what to do to stop this from happening.


> I have no idea what to do to stop this from happening.

I think deleting the account would stop it :P


The suspicious activity is you not using your account

:p


I have an alias that is a vaguely common name, which is firstname.lastname@gmail.com

Once a year or so somebody tries to get into that gmail or associated social media account with a bunch of password-reset emails. I'm pretty sure it's someone with a similar name who is slightly misspelling their email, messing up the dot (gmail ignores dots but other systems don't), etc.


I have an old email with my (common) first name and a low number. Every now and then I get registration emails from various children's online games.


The ones that get me are the recovery login emails for services I never used. Some of them might be shotgun phishing attempts but some look like they actually were allowed to sign up without ever verifying their email.


When you have ${firstName}${middleInitial}${lastName}@${popularProvider}.com, you end up learning there are a LOT of people with your name who: 1) either themselves don't remember their ${hadToSettleFor} email address, i.e. I get their billing reminders and medical statement emails, or 2) their loved ones/close friends don't, i.e. I get party invites and group emails, etc.

Separately, but related, I remember getting a spam email back in the late 90's where the spammer CC'd instead of BCC'd, and it was sent to over 100 addresses who were all clearly variations of my first and last name ... It was fun when there were multiple reply-alls with "Are we ALL $firstName $lastNames's on this list?" --- Surreal


I've been getting a couple of these each day for the past few days. It's always a bit entertaining. Partly because my email address is my name (so I know it's not likely a typo when folks enter the email address). Partly because I leverage GPG from the Facebook side so the messages are encrypted.

Meaning, even if they somehow had access to my email (they don't - strong, unique password and separate MFA) they wouldn't be able to get the reset code as it's encrypted by a key stored in secure physical hardware.

Still, kudos to the hackers for trying. Getting these emails means _someone_ cares enough about my account to want access. Even if I rarely use it for anything other than checking in on distant relatives ...


Same thing happening to me with my microsoft account. I get several one time code requests per day. I can log in and toggle some setting that disables this for a couple weeks, but then it's back again. Been going on for almost a year.


I use a <firstinitial><secondinitial><surname>@gmail.com and have been getting Facebook resets every week or two for years. But I know at least two people in two countries with a similar name keep giving out the wrong address from all the crap I get confirming their hair appointments and organising their BBQs, so it seems benign rather than a hacking attempt.

I take it as karma for all the junk <verycommonname@>hotmail.com must get whenever I use a public wifi network. Sorry verycommonname!


I got one for an email that I didn't think had a FB account, and when I tried to reset the password I get:

  You’re Temporarily Blocked
  
  It looks like you were misusing this feature by going too fast. You’ve been 
  temporarily blocked from using it.
  If you think this doesn't go against our Community Standards let us know.

Got that on the first time I tried it. What a joke.


I also received several of these emails over the last few days, but I closed my Facebook account years ago.

Fortunately they include a feedback mechanism for this situation:

  If you didn't request a new password, [let us know](https://www.facebook.com/login/recover/cancel/…).


Because of the username. Many people forget their own username, for example: my username is pineapple and someone else's is pineapple2. And they end up using their username to recover their password. If your username is a common namesake, word or homonym, this makes the situation worse.


I have a friend with a firstname.lastname@gmail.com account.

Someone out there apparently doesn’t realize that address doesn’t belong to them, because for 10 years he has been getting signup confirmations, appointment reminders, and very personal correspondence meant for the confused individual.


Over the years I have and continue to receive emails destined for other people. After years of trying to help people realize the errors of their ways (sometimes you just can't find the destined people).

Some of my favourites are the tax information (and other common business related correspondence) on their Disney songwriting royalties (I make more before my first coffee break than they do all year on streaming revenue, but they've got a fair number of songs), there is also a bank account tied to it in Peru (CFO doesn't care but I'm not locking her out - I do have some compassion.. not much but it's there), but OTOH I've permanently locked people out of their brand new iPhones because they all choose to use my email address, or the person on the other end types it in wrong for them. I also think people don't read what their browser saves and later populates for them.

People will also just randomly give out fake addresses (that are real) when signing up to just to get a discount.

It's a single word that was popularized through pop culture years after I created it, and one letter away from being a traditional western name (and also one character toggled from a popular Hispanic one).

Also a very wealthy PTA mom in Mountain View uses my email address all the time. Our children are doing very well.

Sites should always confirm an address by having you authenticate a link before permanently using it in perpetuity. It would stop a lot of bad actions.


I mark as spam all emails coming from companies that don't have a link to remove the email from the account that triggered it because someone added it by mistake or maliciously.


fairly simply fixed by making publicly available information (email address) not part of the process:

- create an email address alias (random, unguessable)

- change your login to use that email address

- remove your phone number from Facebook

There are many ways to do this (plus addressing, apple hide my email, account aliases, etc.) Pick your own approach.


I'm afraid this won't help. My closed FB account hits all three of these (unguessable local part, obscure domain, no other attached metadata) and I still get these reset emails. Seems like there's been an account-data leak.


Reopen it and change it?


Another theory is they have an efficient way and or bypass facebook ratelimit to bruteforce reset victim's password token ... regardless, i would make sure 2fa is enabled for extra precaution... or maybe just take a break from facebook :)


I get shipping and delivery notifications from Zara because someone (accidentally I believe) entered my number when ordering. It’s sort of creepy because it shows me their address and I see a photo of the package on their doorstep.


It’s a satiation attack (my term). The hope is you’ll get so frustrated at the frequency of the emails that you’ll eventually just press yes or ok or whatever it is that allows the reset.


This kind of attack is already called an MFA fatigue attack: https://en.wikipedia.org/wiki/Multi-factor_authentication_fa...


This is how I'm going to describe that attack where you get a zillion authenticator push notifications because Microsoft has designed the damn thing to authenticate you to them but not them to you. Like, how freaking difficult would it be to put a transaction code in there like Apple so that you can match the notification on your phone with the session you're starting on some other device or service?!


I thought they already have that? When trying to sign in to a Microsoft service it displays a number which I have to type in to the Microsoft Authenticator before I am able to confirm the sign in attempt.


You only get the push notification, no session binding, when using Microsoft Authenticator in other scenarios. That's if you get the push notification. It's variable in my experience. (I use it as a backup MFA method when I don't have my badge reader handy.)


> It's variable in my experience

It shows you a code when the initiator is an unfamiliar device, but doesn't show you the code when the initiator is a familiar device. You can reproduce this fairly easily - open a private tab and try to login - you'll see the code in your app. Then logout and login again without closing the tab - you won't see the code.

Which actually makes sense, if not well-explained to users.
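To make the number-matching behaviour discussed in this subthread concrete, here is an added example (not Microsoft's or any commenter's code) of a push second factor in which approval only counts when the number typed on the phone equals the number the initiating login page displayed, and in which an account that has accumulated several unapproved pushes stops receiving them at all. The class name, the 60-second push lifetime, the 10-minute window and the threshold of five are all assumptions made for the example.

```python
import secrets
import time
from collections import deque

PUSH_WINDOW_SECONDS = 600   # history kept per account
PUSH_TTL_SECONDS = 60       # a push the user has not answered in a minute is dead
MAX_UNAPPROVED_PUSHES = 5   # unanswered or denied pushes in the window before pushing stops


class PushMfa:
    """Push-based second factor with number matching (constructed illustration)."""

    def __init__(self):
        self.sessions = {}   # session id -> state of one login attempt
        self.history = {}    # account -> deque of (timestamp, session id)

    def start_login(self, account, now=None):
        """Called by the login page after the password check. Returns (session id, number)
        to display on that page, or None when the account is being flooded with pushes."""
        now = time.time() if now is None else now
        if self.unapproved_pushes(account, now) >= MAX_UNAPPROVED_PUSHES:
            return None   # fatigue guard: stop pushing; the user must use another factor
        sid = secrets.token_urlsafe(12)
        number = secrets.randbelow(100)   # two-digit challenge shown only on the initiating device
        self.sessions[sid] = {"account": account, "number": number, "started": now,
                              "decided": False, "approved": False}
        self.history.setdefault(account, deque()).append((now, sid))
        return sid, number

    def respond(self, sid, entered_number, approve, now=None):
        """Called with what the phone sends back. A tap on 'approve' is worthless unless
        the number typed on the phone equals the number the login page displayed."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None or s["decided"] or now - s["started"] > PUSH_TTL_SECONDS:
            return False
        s["decided"] = True   # one answer per push, so a stale approval cannot be replayed
        s["approved"] = bool(approve) and entered_number == s["number"]
        return s["approved"]

    def unapproved_pushes(self, account, now):
        """Pushes for this account in the window that were denied, ignored or are pending."""
        q = self.history.get(account)
        if not q:
            return 0
        while q and now - q[0][0] > PUSH_WINDOW_SECONDS:
            q.popleft()
        return sum(1 for _, sid in q if not self.sessions[sid]["approved"])
```

The binding is the point: the number lives only on the device that started the login and in the server-side session, so a push generated by someone else's login attempt cannot be approved by a user who just wants the notifications to stop, because they never saw the number.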


I just wish Microsoft would let me use any other authenticator app instead of their garbage one. So now I've got one from Google with 99% of my accounts on it, one for Microsoft for one of 4 MS accounts, and one for the USG for IRS/etc. Waste of space and poorly-duplicated functionality.


Microsoft does let you use other authenticators. My non-MS authenticator app has 3 MS accounts on it.


The funny thing is I have other MS accounts in my Google authenticator, but for one of my accounts specifically (maybe because it's the only one with Azure spend every month?) even though I have it in Google, I kept getting told on login I needed to set up MS Authenticator or SMS - no options for a different Auth app.


I'd attribute this to MS flakiness, or possibly AD policies. I've got work MS accounts, each connected to a multi-million dollar azure account, and each connected to a non-MS authenticator.


The email allows you to enter a new password, it doesn't validate some other access to your account by clicking yes.


They will just wait for you to get used to this, then stop triggering Facebook to send you legitimate emails and start sending you similarly-looking phishing emails similarly often. It may happen to be enough to view a phishing email, let alone click anything in it to get pwned.


What if they send you dozens of these, then one that actually looks legitimate, saying something like "We have detected 24 login attempts to your account in the past 30 days coming from this location, click here to see additional details and / or improve your account security", containing a phisher's login form.


surely the more of these they send, the less likely you are to click on them


Maybe they would at some point send an email offering to turn off these annoying notifications with a malicious URL?


Very questionable. Some people will come to completely ignoring them (which isn't good either), some will click anything out of being too annoyed. Whatever, people can be manipulated into doing some statistically predictable actions with decreased awareness this way and this is a vulnerability.


No, because the attacker needs to enter the recovery code sent by email.

My assumption is that they're just guessing over millions of accounts and expect 1-2 to hit so they can take over those accounts.
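The two patterns the thread describes, one source requesting resets for a huge number of different accounts, and one account receiving resets in batches of 10-20 a day, look different in a reset-request log and are worth detecting separately. This is an added example (not from the thread, and not Facebook's detection logic) that runs both checks over constructed log lines; the log format, the sliding windows and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example: "<UTC timestamp> reset_requested account=<id> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) reset_requested account=(?P<acct>\S+) src=(?P<src>\S+)$")


def parse_lines(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["acct"], m["src"]


def _peak_in_window(events, window):
    """events: list of (timestamp, label). Returns (max events, max distinct labels)
    observed in any sliding window of the given length."""
    events = sorted(events)
    left, counts, peak_n, peak_d = 0, defaultdict(int), 0, 0
    for right, (ts, label) in enumerate(events):
        counts[label] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        peak_n = max(peak_n, right - left + 1)
        peak_d = max(peak_d, len(counts))
    return peak_n, peak_d


def find_reset_sprays(lines, window=timedelta(minutes=10), min_accounts=20):
    """Sources that request resets for many *distinct* accounts in a short window."""
    by_src = defaultdict(list)
    for ts, acct, src in parse_lines(lines):
        by_src[src].append((ts, acct))
    return sorted(src for src, ev in by_src.items() if _peak_in_window(ev, window)[1] >= min_accounts)


def find_account_storms(lines, window=timedelta(hours=24), min_requests=10):
    """Accounts hit by many reset requests in a window, whatever the sources."""
    by_acct = defaultdict(list)
    for ts, acct, src in parse_lines(lines):
        by_acct[acct].append((ts, src))
    return sorted(a for a, ev in by_acct.items() if _peak_in_window(ev, window)[0] >= min_requests)


def constructed_log():
    """Constructed sample: one spraying source, one flooded account, one benign user."""
    base = datetime(2023, 9, 7, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):   # 30 different accounts, one request each, inside three minutes
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.strftime(fmt)} reset_requested account=u{1000 + i} src=203.0.113.7")
    for i in range(12):   # one account, twelve requests over a day from twelve sources
        t = base + timedelta(hours=2 * i)
        lines.append(f"{t.strftime(fmt)} reset_requested account=victim src=198.51.100.{i + 1}")
    for minutes in (5, 7):   # someone who genuinely forgot their password, twice
        t = base + timedelta(minutes=minutes)
        lines.append(f"{t.strftime(fmt)} reset_requested account=u2000 src=192.0.2.9")
    return lines


SAMPLE_LOG = constructed_log()
```

The per-source check keys on distinct accounts rather than raw volume, because a spray touches each account only once or twice and would pass a naive per-account rate limit; the per-account check is the one that would have surfaced the situation the commenters describe.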


My FB username is not common, my email is not common.

I run an FB page with ~60k followers.

For about a month now, I'm getting these password reset emails in batches.. some day none, other days 10-20.


I keep getting password reset emails from Spotify, from 0 to 10 times a day. Having a two character username seemed like a good idea when signing up.. Really annoying.


Security is the reason all my personal info on social media is lies. They take your account, and can now use it to unlock other accounts, like at your bank, etc.


Email security scanner following links?


I'm more impressed by the fact that HN didn't convert this link to old.reddit.com


FWIW, I posted it as old.reddit.com initially because I have the extension that redirects everything. It somehow got reverted to regular reddit.com.


Been getting these on two of my accounts for the last couple of weeks.


Getting this on my second fb account, good to know it’s not just me


not only that but fb wont reset my password unless i upload a pic of my face


a while ago I was messaged on Facebook by a nice Russian fellow who wanted me to _give_ him my Facebook username and domain name because he owns a dog wash in Moscow called dogself.

He seemed to imply that if I was located in Russia I would not refuse him "for reasons". He didn't really strike me as being connected, but maybe he washes Putin's dog..

Anyway I got a lot of password reset emails too until I set up 2fa with a yubikey.

I really need to remember to put something on dogself.com that will piss off the .ru but I haven't thought of anything good and legal (or at least ethical).


maybe they are just trolling you.


I think the better question is why facebook sends mails from facebookmail.com and metamail.com? Any sensible person would expect those to be scams, but they are real.

https://www.facebook.com/help/1634546593478660


Common tactic to make sure that delivery of notifications is isolated in reputation from the main domains. That way, if notifications are reported as spam and thus land in a number of distributed blacklists, at least corporate communication still works.


Why don't they use a more obscure domain for internal corporate communication and keep the widely recognized one for messages to end users? Is it just the vanity that people who work there like to be mark.zuckerberg@facebook.com?


If you ask a Meta employee this you’ll no doubt get some internal structural / political justification, and they’ll say it to you with a straight face.

Let’s also all think back to 2011 or so when Facebook thought it’d be a good idea to try to vacuum up all its users’ emails by giving us all @facebook.com email addresses, buying fb.com in the process. As I recall they killed it after a couple few years.


Why does any company need more than one 2nd level domain?

Microsoft, I'm looking at you (https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...). It's nerve-wracking trying to figure out if some login box or link is legit. They claim to be transitioning to cloud.microsoft, but if you go there, you are redirected to yet another new domain (microsoft365.com) which looks like a scam site, which doesn't render properly in Firefox.

Why do we allow this?


Domains used for bulk outbound email are typically separated from the normal corporate email domain to prevent employee emails getting blocked at customer mail gateways by anti-spam heuristics. Practically every large org gets burnt by this once, learns their lesson, and then splits their domains.

Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.
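Whether a separate notification domain is acceptable or just "training people to be phished" depends on two things a recipient-side filter can actually check: is the domain on the organisation's published list of legitimate senders (as in the Facebook help page linked above), and does that domain publish an enforcing DMARC policy so that it cannot be trivially spoofed. The following is an added example (not from the thread, and not Microsoft's or Meta's configuration) that makes that assessment from a From: header. The DNS answers and the documented-sender list are constructed for example.com-style domains; nothing is resolved over the network.

```python
from email.utils import parseaddr

# Constructed TXT answers for _dmarc.<domain>; no DNS is queried in this example.
CONSTRUCTED_DMARC = {
    "example.com":      "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "examplemail.com":  "v=DMARC1; p=reject; pct=100",
    "example-bulk.net": "v=DMARC1; p=none",
}
# Domains a hypothetical organisation documents as legitimate senders of user notifications.
DOCUMENTED_SENDERS = {"example.com", "examplemail.com"}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lookup_policy(domain, dns=CONSTRUCTED_DMARC):
    """Return (policy, pct) applying to mail from `domain`: its own p=, otherwise the
    parent's sp= (falling back to the parent's p=). Simplification: the next label up is
    treated as the organisational domain; real DMARC uses the public suffix list."""
    rec = dns.get(domain)
    if rec:
        tags = parse_dmarc(rec)
        return tags.get("p", "none"), int(tags.get("pct", "100"))
    labels = domain.split(".")
    if len(labels) > 2:
        rec = dns.get(".".join(labels[1:]))
        if rec:
            tags = parse_dmarc(rec)
            return tags.get("sp", tags.get("p", "none")), int(tags.get("pct", "100"))
    return None, 0


def assess_sender(from_header, dns=CONSTRUCTED_DMARC, documented=DOCUMENTED_SENDERS):
    """Classify the From: domain of a notification mail."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    policy, pct = lookup_policy(domain, dns)
    # A policy below 100% is only partially applied and so does not stop spoofing.
    enforced = policy in ("quarantine", "reject") and pct == 100
    if domain in documented and enforced:
        verdict = "documented sender with enforced DMARC"
    elif domain in documented:
        verdict = "documented sender but spoofable: DMARC not enforced"
    else:
        verdict = "undocumented sender: treat as suspect"
    return {"domain": domain, "documented": domain in documented,
            "policy": policy, "pct": pct, "enforced": enforced, "verdict": verdict}
```

Note what DMARC does and does not give you here: an enforced policy stops third parties from forging mail *from* that domain, but it says nothing about whether the domain belongs to the company in the first place; only the documented-sender list answers that, which is why the comment above about a hundred look-alike domains is a real problem for recipients.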


> Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.

You are off by orders of magnitude there on that number.


> Why does any company need more than one 2nd level domain?

Re: the first part of your comment, the most common reason I've seen is companies using 2nd domains to send emails that are at higher risk of bouncing or being marked spam (newsletters, cold outreach, etc). And using your primary domain to send "more important" emails from.


Yeah, noticed that. Complete BS and just training people to be phished.



