
Ask HN: Someone is trying to reset my email password - tw600040
Someone is trying to reset my email password for live.com. I keep getting a 7-digit 2FA code in my other email (4 times in the last 10 days). Is there anything I can do to protect my account? Thanks
======
Ayesh
It's possible that someone obtained a password dump and is trying to see if
it works on your email account.

Check yourself on Have I Been Pwned, and if you see your information has been
breached, reset all your passwords.

------
tamask
Same with me, I have an old @hotmail.com email address. I changed my password
to a randomly generated one, and I have 2FA. Other than this, I don’t know what
else I could do. But I think my account is safe as long as there are no
vulnerabilities on the site, which it is highly unlikely there are.

~~~
joezydeco
That’s funny, I’ve been getting Hotmail reset codes too. I actually requested
one a long time ago but never got it, I thought it was just some queue that
finally cleared itself.

------
netsharc
One possible explanation is that someone thinks it's their email address,
they've forgotten the password and are annoyed that they're not getting the
2FA code on their phone..

There was a thread about HNers having a common name and firstname.lastname
email addresses and getting random emails not for them..

------
alex_duf
Usually companies send the 2FA token once the password has been entered. So
someone has your password and you're only saved by 2FA.

So you can start by changing your password maybe?

~~~
tw600040
Thanks. Just did.

------
scjosh
I’ve had some password reset mechanisms send me codes without the attacker
needing to know much. I believe this has happened with Facebook before; my
password there is unique and random, and even after changing my password to
another random one, I still got a couple of occasional 2FA codes. Not sure if
they’ve changed anything there to combat this, but just my 2¢.

------
thebruce87m
I’m being driven crazy by this sort of thing. Password resets for my Facebook
account etc. But the worst ones I get are someone signing up for a service
using my email address where the service doesn’t verify the email address. The
cherry on top is when this is done in a language that I don’t understand.

I was getting Netflix account information and Uber trip receipt emails in
Spanish for a while with no option to say “this is not me”.

~~~
jolmg
For cases like that, if it doesn't seem like an accidental screw-up on their
part and actually some attempt at impersonating you, an option might be to
reset their password and close the account.

Actually, even if it's accidental, if you do it close to when they've opened
the account (when you started receiving the mails), they wouldn't lose much if
any data.

Of course, that's assuming that you have no way to contact them. If you can,
that might be better.

EDIT: Changed "their account" for "the account" since it could be said to be
yours too since it's your email. They effectively signed you up.

~~~
thebruce87m
Yes, I’ve done a few things like that. I even cancelled a haircut. A lot of
services can’t be cancelled and require a phone call. I was on the phone with
Netflix for over an hour trying to cancel a service - they initially didn’t
believe me that Google allows emailaddress@gmail.com and
email.address@gmail.com to go to the same account. I had to set up the alias
in Gmail to allow me to send mail as email.address@gmail.com and email the
technician from that address.

Hours of my time wasted because a company doesn’t verify emails.

------
kjaftaedi
There's not much that you would want to do in this situation. The system is
working as designed.

You should change your password to something you don't use elsewhere just to
be sure they aren't attempting to log in with your actual password.

4 emails in 10 days is not excessive.

If the e-mails bother you and your account is secure, then you can just filter
them into a folder and then go looking for them when you actually need to
reset your password.

------
cpach
Maybe get in touch with support? Perhaps they can add some protection to
the account.

------
hrgiger
It's upsetting that email providers still don't provide a soft IP lock, at least
for settings, so that if you don't access from the IP you really need to go
through more complex recovery options. Considering infrastructure cost, they
could even charge for it.

~~~
bobsoap
The IP address is far from a reliable signal for identification, and shouldn't
be used like that. Many (most?) ISPs around the world use dynamic IPs, and
then there are mobile phone networks.

------
Ladyady
Same!

