Maybe unrelated, but I think some people do this to check (at least partially) what email is tied to an account. E.g. if you suspect an anonymous instagram user to be your friend Bob, you can invoke the reset email procedure to see
Folks in the thread noted that the recovery code sent was the same each time, which leads me to think it might have been a phishing attack. Send email that looks like FB recovery, but have the links go to some domain you own and snarf up creds, including MFA etc.
Not in my case; I've had two password reset emails in the past 3 days (having had none since February) and both have gone simultaneously to the different email addresses I have on the account, with different codes on all the emails (even the ones sent at the same time), and the click-through URL is certainly on the legit Facebook domain.
A variant I've seen was "We've sent you a recovery code to your email at gmail.com". I think it's useful for login name based authentication, since people will have multiple email addresses and may forget which one they used for that account.
(we have a 15 year old who's made at least four, probably more, different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/last name)
Best practice would be to display this message no matter whether the email address is correct or not, to avoid leaking information. Many sites do this.
The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.
That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info if they even have an account or are trying to use the correct email address.
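The enumeration leak described above, and the uniform-response fix, as an added example (not code from anyone in the thread). The user store, usernames and addresses are constructed; the "sent" mail just lands in an in-memory outbox so the behaviour can be checked offline.

```python
import secrets

# Constructed sample store: username -> recovery address (not real accounts).
USERS = {
    "coolanonguy": "bob.smith@gmail.com",
    "alice99": "alice@example.org",
}
# Stand-in for the mail system: list of (address, code) pairs actually sent.
OUTBOX: list[tuple[str, str]] = []


def mask_email(addr: str) -> str:
    """Obscure an address the way many reset pages do: b********@gmail.com."""
    local, _, domain = addr.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def send_code(addr: str) -> str:
    """Issue a fresh random code per request (so two mails never share one)."""
    code = secrets.token_urlsafe(6)
    OUTBOX.append((addr, code))
    return code


def leaky_reset(username: str) -> str:
    """Leaky variant: the reply differs by account existence and echoes the
    masked address, so anyone who knows a friend's address can confirm or
    rule out that the username belongs to them."""
    email = USERS.get(username)
    if email is None:
        return "No account found for that username."
    send_code(email)
    return f"We've sent a recovery code to {mask_email(email)}"


def hardened_reset(username: str) -> str:
    """Fixed variant: one constant message whether or not the username
    exists, and nothing about the address on file is revealed in-band."""
    email = USERS.get(username)
    if email is not None:
        send_code(email)
    return "If an account matches, a recovery code has been sent to its email address."


def responses_distinguishable(reset_fn) -> bool:
    """Defender's check: does an existing vs. non-existing username produce
    different replies? True means the endpoint enumerates accounts."""
    return reset_fn("coolanonguy") != reset_fn("no-such-user-xyz")
```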
Well, I have a theory. Maybe the threat actors are sending the recovery email with the hopes that the target does not engage. Then, the threat actor can indicate that they "no longer have access to this email address" to force recovery to an alternate address. Then, perhaps they have gained access to some people's old alternate email addresses either through credential stuffing or recreating deleted email accounts. If so, the TA can finish the reset and take over the account.
I actually lost my Instagram account because, I believe, it filled in my email field with a dummy one, user@example.com, and then when I had to do verification, I could never recover the account. I believe it was in the very early days of Instagram, although it's possible there was user error on my part in this case.
It is too bad because for symmetry I used the same username in a number of places (not the one I have here).