Ask HN: What to do when a botnet is requesting password resets?
Hey there HN, I'm currently having an issue on one of my accounts where, what seems like a botnet, is constantly sending password reset requests on it. This has been going for more than a week now.
I have contacted the service in particular (part of GAFAM) and their account security department told me there is nothing that can be done in this case and I should just disregard the emails.
I now ask you, HN, what can _we_ as developers, do to prevent this from happening on our services? Limit the amount of password reset requests for an account? (still doesn't solve the issue), etc.. As I, genuinely, have not managed to come up with a solution.
5 comments
[ 0.25 ms ] story [ 20.7 ms ] threadThat's what developers can do. What developers should do is consider what prevents their customer support funnel from getting overloaded.
I think letting users define restrictions on their accounts would help too, like a firewall for which countries or cities etc can access their account, schedules for when signing in can occur or when it is disabled etc. Most people could just select their city and waking hours.