Someone is trying to reset my email password for live.com. I keep getting 7 digit 2FA code in my other email (4 times in last 10 days). Is there anything I can do to protect my account? Thanks
Same with me, I have an old @hotmail.com email address. I changed my password to a random generated one, and I have 2FA. Other than this, I don’t know what else I could do. But I think my account is safe as long as there are no vulnerabilities on the site, which it is highly unlikely there are.
That’s funny, I’ve been getting Hotmail reset codes too. I actually requested one a long time ago but never got it, I thought it was just some queue that finally cleared itself.
Its upsetting email providers still dont provide soft ip lock, at least for settings, that if you dont access from ip you really need to go more complex recovery options, considering infrastructure cost they could even charge for it.
The IP address is far from a reliable signal for identification, and shouldn't be used like that. Many (most?) ISPs around the world use dynamic IPs, and then there are mobile phone networks.
One possible explanation is that someone thinks it's their email address, they've forgotten the password and are annoyed that they're not getting the 2FA code on their phone..
There was a thread about HNers having a common name and firstname.lastname email addresses and getting random emails not for them..
There's not much that you would want to do in this situation. The system is working as designed.
You should change your password to something you don't use elsewhere just to be sure they aren't attempting to log in with your actual password.
4 emails in 10 days is not excessive.
If the e-mails bother you and your account is secure, then you can just filter them into a folder and then go looking for them when you actually need to reset your password.
I’m being driven crazy by this sort of thing. Password resets for my Facebook account etc. But the worst ones I get are someone signing up for a service using my email address where the service doesn’t verify the email address. The cherry on top is when this is done in language that I don’t understand.
I was getting Netflix account information and Uber trip receipt emails in Spanish for a while with no option to say “this is not me”.
For cases like that, if it doesn't seem like an accidental screw-up on their part and actually some attempt at impersonating you, an option might be to reset their password and close the account.
Actually, even if it's accidental, if you do it close to when they've opened the account (when you started receiving the mails), they wouldn't lose much if any data.
Of course, that's assuming that you have no way to contact them. If you can, that might be better.
EDIT: Changed "their account" for "the account" since it could be said to be yours too since it's your email. They effectively signed you up.
Yes, I’ve done a few things like that. I even cancelled a haircut. A lot of services can’t be cancelled and require a phone call. I was on the phone with Netflix for over an hour trying to cancel a service - they initially didn’t believe me that google allow emailaddress@gmail.com and email.address@gmail.com to go to the same account. I had to set up the alias in gmail to allow me to send mail as email.address@gmail.com and email the technician from that address.
Hours of my time wasted because a company doesn’t verify emails.
I’ve had some password reset mechanisms send me codes without the attacker needing to know much. I believe this has happened with facebook before; my password there is unique and random, and even after changing my password to another random one, I still got a couple of occasional 2FA codes. Not sure if they’ve changed anything there to combat this, but just my 2¢.
15 comments
[ 3.7 ms ] story [ 37.2 ms ] threadCheck yourself on Have I Been Pwned, and if you see your information have been breached, reset all your passwords.
There was a thread about HNers having a common name and firstname.lastname email addresses and getting random emails not for them..
You should change your password to something you don't use elsewhere just to be sure they aren't attempting to log in with your actual password.
4 emails in 10 days is not excessive.
If the e-mails bother you and your account is secure, then you can just filter them into a folder and then go looking for them when you actually need to reset your password.
I was getting Netflix account information and Uber trip receipt emails in Spanish for a while with no option to say “this is not me”.
Actually, even if it's accidental, if you do it close to when they've opened the account (when you started receiving the mails), they wouldn't lose much if any data.
Of course, that's assuming that you have no way to contact them. If you can, that might be better.
EDIT: Changed "their account" for "the account" since it could be said to be yours too since it's your email. They effectively signed you up.
Hours of my time wasted because a company doesn’t verify emails.
So you can start by changing your password maybe?