from Hacker News

Someone keeps trying to reset my Facebook password

by babuskov on 9/7/23, 9:04 AM with 238 comments

  • by hairofadog on 9/7/23, 1:28 PM

    My sister had her Facebook account taken over by a bot of some sort some years ago. It was odd – they changed her profile photo over time, so at first it was just the regular profile photo, then it was the regular profile photo with a little bit of a different profile photo sort of creeping in on top of it, like if they had pasted the new one into a photoshop layer. Over a few weeks the new profile photo crept up until it was the only one, and then it became a sort of "call me for hot fun" spam account.

    I assume they were sidestepping some sort of detection algorithm, but it happened during a time when she was losing her mind in real life so it was a strange kind of metaphor.

  • by chriscjcj on 9/7/23, 1:58 PM

    I used to use an e-mail address on a terrific domain name that I own. Without publicly disclosing specifics, it was like this:

    <common_name>@<common_name>.com

    Thousands of people with this name, who didn't want to give out their real e-mail address, used this e-mail address when signing up for things online. They probably never thought it would be someone's actual address. I finally had to quit using it because of the tremendous amount of e-mail that wasn't directed at me. Most of it looked legit enough to the spam filters to allow through.

    I temporarily turned that account on about 5 years ago and it was getting about 3,000 garbage messages per day.

    I thought having a cool e-mail address would be great, but not any more. I switched to an address that, while easy to say and tell people, is very unusual, and it's very unlikely someone else would ever come up with it.

  • by obblekk on 9/7/23, 3:14 PM

    I was a PM at Instagram in 2016 when we got a lot of these complaints from celebrities and short usernames.

    Some users were getting hundreds of reset emails/day triggered by random people in the world trying to reset their password.

    It's a really hard problem to solve because if these users actually forgot their password someday, they would really want those emails. We ended up creating a snooze for 30 days button at the bottom of the email as an imperfect solution to balance short-term spam and long-term lockout (with an override if the device id requesting the reset had recently been logged-in to the account).

    Idk if that still exists on IG but doubt it was ever ported to FB.

  • by jackbrookes on 9/7/23, 10:30 AM

    Maybe unrelated, but I think some people do this to check (at least partially) what email is tied to an account. E.g. if you suspect an anonymous instagram user to be your friend Bob, you can invoke the reset email procedure to see

        We sent an email to bo****@gm***.com
    
    Which gives you a hint.
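
The probe described in the comment above only works because the reset form answers differently depending on whether the username exists, and then shows a masked address. The example below is added here for illustration and is not Facebook's or Instagram's code: it puts that leaking design next to a uniform one that answers identically either way and keeps every detail in the e-mail itself. The user store, the masking rule and the message texts are constructed assumptions.

```python
"""Password-reset responses: an enumeration-leaking design beside a uniform one.

Added example for this thread, not Facebook/Instagram code. The user store,
the mask format and the message texts are constructed for illustration.
"""

# Constructed sample user store: username -> recovery e-mail address.
USERS = {
    "bob": "bob.smith@gmail.com",
    "pineapple": "pine@example.org",
}


def mask_email(addr: str) -> str:
    """Mask an address roughly the way reset flows display it (assumed rule):
    keep the first two characters of the local part and of the host, star the
    rest of each, and keep the TLD in the clear."""
    local, _, domain = addr.partition("@")
    host, _, tld = domain.rpartition(".")
    masked_local = local[:2] + "*" * max(len(local) - 2, 0)
    masked_host = host[:2] + "*" * max(len(host) - 2, 0)
    return f"{masked_local}@{masked_host}.{tld}"


def leaky_reset_response(username: str) -> str:
    """Weak design: the reply depends on whether the account exists and shows a
    masked address, so a probe confirms the account and learns part of its mail."""
    email = USERS.get(username)
    if email is None:
        return "No account found for that username."
    return f"We sent an email to {mask_email(email)}"


def uniform_reset_response(username: str, outbox: list) -> str:
    """Hardened design: the same reply whether or not the account exists. The
    mail (queued into `outbox`, a list standing in for a mail queue) goes only
    to the real owner, so the form itself discloses nothing."""
    email = USERS.get(username)
    if email is not None:
        outbox.append((email, "Someone requested a password reset for your account."))
    return "If an account matches, we've sent reset instructions to the address on file."


def demo():
    """Return (weak replies differ, hardened replies identical, mails queued)
    for one real and one made-up username."""
    outbox = []
    weak = (leaky_reset_response("bob"), leaky_reset_response("nobody"))
    hard = (uniform_reset_response("bob", outbox), uniform_reset_response("nobody", outbox))
    return weak[0] != weak[1], hard[0] == hard[1], len(outbox)


if __name__ == "__main__":
    print(demo())
```

The masked address still reaches the reset page in the weak version, which is the hint the comment refers to; in the uniform version a probe learns nothing from the page and the owner still receives the mail (and, ideally, a "this wasn't me" link in it). Rate limiting per source is a separate control and does not remove the leak on its own.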
  • by johngladtj on 9/7/23, 9:46 AM

    Funny, I keep getting login codes for my Microsoft account. Also, there is seemingly no way to figure out who is doing it or how to stop it.

    I wish I could just disable that form of login; I have a very safe password, so the login via email isn't necessary.

  • by bhartzer on 9/7/23, 3:05 PM

    I own the domain of my last name. Several family members use (firstname@lastname.com).

    I once went to get a new phone at Best Buy, and the employee needed my email address. I gave it to her (firstname@lastname.com) and she insisted that it was NOT my email address. She insisted that it MUST end in @gmail.com or @yahoo.com, something like that.

    We frequently sign up for stuff online, and when we enter our email address it won't let us sign up... we figured it is because the email address is too similar to our actual name, the name we've entered in the 'first name' and 'last name' fields (it happens to both me and my wife at least 2-3 times a year).

  • by renewiltord on 9/7/23, 10:23 AM

    Happened the other way to me once. When I made my Gmail account I had a . in it. Emails sent from me go from this email address.

    My Facebook email for ages was my school email (as is tradition, right?) and one day someone registered as my actual email around the time I was doing a bunch of address consolidation because my school was moving all historical accounts to a separate subdomain.

    I clicked to confirm foolishly (should not have done that) and it became associated with someone else's Facebook account.

    Facebook has a process for this. You request an email to your address and it sends you one and you reply and it removes the email from the other guy.

    Well, I did that except he set it without the '.' and when I replied from mine it wouldn't accept it. I tried again as it was and only realized after three tries what the problem was. Facebook's difference in verification processes (click to confirm / reply to dissociate) meant that I was not doing the right thing.

    Repeating the action means I looked like a fraudster so that must have been why even though I added the dot version as an email to send as it would no longer accept me.

    To make matters worse, I decided I'd just fix it by resetting my password and logging in and removing my email.

    Well, I succeeded in the password reset but Facebook protects you here by requiring friends to verify it's you. Well, I didn't know his friends so I just let it go: he could no longer log in except via phone number (I hope, or he was locked out) and I couldn't associate my email correctly.

    Then one random day I tried again and it worked.

  • by kmfrk on 9/7/23, 12:46 PM

    This is very common with short or otherwise valuable usernames on social media platforms. Initials and so on.

    That's what 2FA is there for, but you still get the annoying e-mail notifications for attempted sign-ins.

    Make sure to weigh the pros and cons when you pick your username on the internet.

    A dedicated e-mail filter to limit the mental attrition might not be the worst idea.

  • by tmpX7dMeXU on 9/7/23, 10:20 AM

    I’ve accumulated, what, 3 Facebook accounts over the years? Many mornings I wake up to see that recovery codes have been requested for all of them, at a similar time. Surely this is enough of a signal to act on!? It really speaks to the fact that Meta really just doesn’t give a rats.

  • by trevyn on 9/7/23, 10:03 AM

    At this point, I would not be at all surprised if this is a guerrilla tactic for accounts that have not logged in in a while to create engagement/MAU.

  • by thunfisch on 9/7/23, 2:19 PM

    Our company owns a one letter domain (e.g. "x.tld"), that follows a quite common sequence. A few months ago we've enabled receiving e-mails for all local parts on that domain.

    We've received hundreds of notification mails, newsletter subscriptions, alerts (from internal systems disclosing details about infrastructure of giant corporations), etc.

    It was quite fun, but became annoying quickly. We then reduced reception to the common hostmaster@, ... mailboxes, and for all other mailboxes we are now rejecting the mails with a nice reminder message in our Sieve filters.

  • by mkmk on 9/7/23, 1:12 PM

    I'm close with someone whose FB account was compromised due to a shared password, and then didn't see the 'an email has been added/removed from your account' emails until after the revert link expired a few weeks later.

    The recovery process is totally broken for them now. We eventually managed to revert back to the original email address by visiting facebook.com/hacked (not without the help of a weird youtube video to make sure we were selecting the right options, though), and we lost a ton of time on a weird issue where emails or recovery options were deeplinking to the app, which was opening but didn't know what to show us. After deleting the app, we managed to start generating 2-factor email codes, but the same prompts that generate them don't accept them. And the 'send in an ID to verify your identity' feature just doesn't load at all. I'm chipping away at it when I see them, but I give recovery a low probability of success.

    Understandable that this is probably not very fair to those who can't afford it, but I wish there was a 'pay $100 to speak with a rep who can fix this now' feature.

  • by tallanvor on 9/7/23, 11:20 AM

    I suspect someone might have noticed a flaw and is trying to take advantage of it. I've seen two reset emails this past week - one on Sunday and one on Tuesday, and they both had the same recovery code. Others in the Reddit thread noticed the same thing, so it's possible that someone is trying to exploit this in some way.
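
Two comments in this thread describe the defender's side of the problem: obblekk's Instagram design (a snooze button in the reset mail, with an override when the requesting device was recently logged in) and tallanvor's observation that two reset mails carried the same recovery code. The example below is added here and is not Instagram's or Facebook's code; it sketches a reset service that applies the snooze with the device override and issues a fresh, single-use, expiring code per mail so that a later mail never repeats an earlier code. The time windows, class and method names, and sample events are constructed assumptions.

```python
"""Reset-mail throttling with a 30-day snooze, a trusted-device override and
single-use codes per request.

Added example for this thread, not Instagram's or Facebook's code. The snooze
follows the design described by obblekk above; the fresh-code-per-mail rule
addresses the repeated code noticed by tallanvor. Windows and names are assumed.
"""
import secrets
from dataclasses import dataclass, field

SNOOZE_SECONDS = 30 * 24 * 3600        # the "snooze for 30 days" button
RECENT_LOGIN_WINDOW = 90 * 24 * 3600   # assumed: what counts as "recently logged in"
CODE_TTL = 3600                        # assumed: lifetime of a reset code in seconds


@dataclass
class Account:
    email: str
    snoozed_until: int = 0
    recent_logins: dict = field(default_factory=dict)   # device_id -> last login timestamp
    active_codes: dict = field(default_factory=dict)    # code -> expiry timestamp


class ResetService:
    def __init__(self):
        self.outbox = []   # (recipient, code, issued_at); stands in for a mail queue

    def snooze(self, account: Account, now: int) -> None:
        """Owner clicked the snooze link in a reset mail: suppress further mails."""
        account.snoozed_until = now + SNOOZE_SECONDS

    def request_reset(self, account: Account, device_id: str, now: int) -> str:
        """Decide whether a reset mail goes out; returns "sent" or "suppressed".

        While snoozed, mails are suppressed unless the requesting device was
        logged into this account within RECENT_LOGIN_WINDOW (the override that
        keeps a genuine owner from locking themselves out). Each mail carries a
        fresh code, and issuing it invalidates any earlier unused code."""
        last_login = account.recent_logins.get(device_id)
        trusted = last_login is not None and now - last_login <= RECENT_LOGIN_WINDOW
        if now < account.snoozed_until and not trusted:
            return "suppressed"
        account.active_codes.clear()                 # supersede older codes
        code = secrets.token_urlsafe(8)              # unpredictable, never reused
        account.active_codes[code] = now + CODE_TTL
        self.outbox.append((account.email, code, now))
        return "sent"

    def redeem(self, account: Account, code: str, now: int) -> bool:
        """A code works exactly once, and only before it expires."""
        expiry = account.active_codes.pop(code, None)
        return expiry is not None and now <= expiry


def demo():
    """Constructed sequence: a stranger triggers a mail, the owner snoozes,
    the stranger is suppressed, the owner's own phone still gets through."""
    svc = ResetService()
    acct = Account("owner@example.org")          # constructed account
    acct.recent_logins["owner-phone"] = 1_000    # constructed prior login
    decisions = [
        svc.request_reset(acct, "unknown-device", 2_000),
    ]
    svc.snooze(acct, 2_000)
    decisions.append(svc.request_reset(acct, "unknown-device", 3_000))
    decisions.append(svc.request_reset(acct, "owner-phone", 3_000))
    return decisions, len(svc.outbox)


if __name__ == "__main__":
    print(demo())
```

The `clear()` before issuing a new code is the point tallanvor's observation raises: a reset flow that resends the same code keeps it valid across every mail in the burst, whereas here only the most recent code can ever be redeemed, and only once. The snooze window and the device-trust window are policy knobs, not fixed values from the thread.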
  • by owlboy on 9/7/23, 10:06 AM

    I just assumed someone was going through a database of known FB accounts and triggering the reset looking for people who accept.

    It is strange that they appear to be able to avoid being blocked for bulk/frequent requests though. Seems like a big flaw.

  • by jlokier on 9/7/23, 3:22 PM

    I got one of these "someone request a password reset" mails from Facebook yesterday. I don't think I've had one before, and my email on its own domain I've had for ~20 years doesn't seem to be one people type by mistake.

    I thought it was probably phishing, yet the links all looked legitimate, including the one for password reset and the one to tell Facebook I didn't request the reset.

    So I thought it might be a homoglyph attack (a URL that looks legitimate but isn't because it's using alternate characters that look the same or similar), and rather than click the link saying I didn't request the password reset, I logged into Facebook hoping to find a notification or something in the account settings logging that it was a genuine request.

    I was surprised to see no notification, nor anything in the account settings and security area.

    I was also surprised to see I needed to login again, as I thought Facebook kept a long term session open for longer than the 2 weeks since I'd visited it previously.

    If it was a tricky method to get me to login to Facebook again, it worked! But I didn't stay long after I didn't find what I was looking for.

  • by SirMaster on 9/7/23, 1:50 PM

    Facebook is almost unusable for me.

    Every week or so they lock my account due to "suspicious activity" even though I haven't used my account.

    I have all the security features and such turned on like MFA and a strong password (that I have to change like every week after every time my account gets locked).

    There is no useful info in the security logs. I have no idea what to do to stop this from happening.

  • by unsupp0rted on 9/7/23, 11:38 AM

    I have an alias that is a vaguely common name, which is firstname.lastname@gmail.com

    Once a year or so somebody tries to get into that gmail or associated social media account with a bunch of password-reset emails. I'm pretty sure it's someone with a similar name who is slightly misspelling their email, messing up the dot (gmail ignores dots but other systems don't), etc.

  • by davidpfarrell on 9/8/23, 10:58 PM

    When you have ${firstName}${middleInitial}${lastName}@${popularProvider}.com, you end up learning there are a LOT of people with your name who: 1) either themselves don't remember their ${hadToSettleFor} email address, i.e. I get their billing reminders and medical statement emails, or 2) their loved ones/close friends don't, i.e. I get party invites and group emails, etc.

    Separately, but related, I remember getting a spam email back in the late 90's where the spammer CC'd instead of BCC'd, and it was sent to over 100 addresses who were all clearly variations of my first and last name ... It was fun when there were multiple reply-alls with "Are we ALL $firstName $lastName's on this list?" --- Surreal

  • by eamann on 9/7/23, 3:13 PM

    I've been getting a couple of these each day for the past few days. It's always a bit entertaining. Partly because my email address is my name (so I know it's not likely a typo when folks enter the email address). Partly because I leverage GPG from the Facebook side so the messages are encrypted.

    Meaning, even if they somehow had access to my email (they don't - strong, unique password and separate MFA) they wouldn't be able to get the reset code as it's encrypted by a key stored in secure physical hardware.

    Still, kudos to the hackers for trying. Getting these emails means _someone_ cares enough about my account to want access. Even if I rarely use it for anything other than checking in on distant relatives ...

  • by jcomis on 9/7/23, 3:09 PM

    Same thing happening to me with my microsoft account. I get several one time code requests per day. I can log in and toggle some setting that disables this for a couple weeks, but then it's back again. Been going on for almost a year.

  • by misterben on 9/7/23, 8:47 PM

    I use a <firstinitial><secondinitial><surname>@gmail.com and have been getting Facebook resets every week or two for years. But I know at least two people in two countries with a similar name keep giving out the wrong address from all the crap I get confirming their hair appointments and organising their BBQs, so it seems benign rather than a hacking attempt.

    I take it as karma for all the junk <verycommonname@>hotmail.com must get whenever I use a public wifi network. Sorry verycommonname!

  • by e40 on 9/7/23, 3:25 PM

    I got one for an email that I didn't think had a FB account, and when I tried to reset the password I get:

      You’re Temporarily Blocked

      It looks like you were misusing this feature by going too fast. You’ve been
      temporarily blocked from using it.
      If you think this doesn't go against our Community Standards let us know.

    Got that on the first time I tried it. What a joke.

  • by aendruk on 9/9/23, 2:05 PM

    I also received several of these emails over the last few days, but I closed my Facebook account years ago.

    Fortunately they include a feedback mechanism for this situation:

      If you didn't request a new password, [let us know](https://www.facebook.com/login/recover/cancel/…).

  • by felipemaciel on 9/7/23, 11:17 AM

    Because of the username. Many people forget their own username, for example: my username is pineapple and someone else's is pineapple2. And they end up using their username to recover their password. If your username is a common namesake, word or homonym, this makes the situation worse.

  • by joshka on 9/7/23, 1:35 PM

    Fairly simply fixed by making publicly available information (email address) not part of the process:

    - create an email address alias (random, unguessable)

    - change your login to use that email address

    - remove your phone number from Facebook

    There are many ways to do this (plus addressing, apple hide my email, account aliases, etc.) Pick your own approach.

  • by ebfe1 on 9/7/23, 11:18 AM

    Another theory is they have an efficient way and/or bypass Facebook's rate limit to brute-force the victim's password reset token ... regardless, I would make sure 2FA is enabled for extra precaution... or maybe just take a break from Facebook :)

  • by bluepod4 on 9/7/23, 8:33 PM

    I get shipping and delivery notifications from Zara because someone (accidentally I believe) entered my number when ordering. It’s sort of creepy because it shows me their address and I see a photo of the package on their doorstep.

  • by borbulon on 9/7/23, 10:55 AM

    It’s a satiation attack (my term). The hope is you’ll get so frustrated at the frequency of the emails that you’ll eventually just press yes or ok or whatever it is that allows the reset.

  • by grecy on 9/7/23, 2:18 PM

    My FB username is not common, my email is not common.

    I run an FB page with ~60k followers.

    Since about a month now, I'm getting these password reset emails in batches.. some day none, other days 10-20.

  • by framtidsljus on 9/7/23, 2:13 PM

    I keep getting password reset emails from Spotify, from 0 to 10 times a day. Having a two character username seemed like a good idea when signing up.. Really annoying.

  • by Etrnl_President on 9/7/23, 1:59 PM

    Security is the reason all my personal info on social media is lies. They take your account, and can now use it to unlock other accounts, like at your bank, etc.

  • by codaphiliac on 9/7/23, 10:54 AM

    Email security scanner following links?

  • by vdfs on 9/7/23, 12:48 PM

    I'm more impressed by the fact that HN didn't convert this link to old.reddit.com

  • by nkotov on 9/7/23, 1:54 PM

    Been getting these on two of my accounts for the last couple of weeks.

  • by siwakotisaurav on 9/7/23, 10:04 AM

    Getting this on my second fb account, good to know it’s not just me

  • by stillbourne on 9/7/23, 9:37 PM

    Not only that, but FB won't reset my password unless I upload a pic of my face.

  • by mkoryak on 9/8/23, 6:19 AM

    a while ago I was messaged on Facebook by a nice Russian fellow who wanted me to _give_ him my Facebook username and domain name because he owns a dog wash in Moscow called dogself.

    He seemed to imply that if I was located in Russia I would not refuse him "for reasons". He didn't really strike me as being connected, but maybe he washes Putin's dog..

    Anyway I got a lot of password reset emails too until I set up 2fa with a yubikey.

    I really need to remember to put something on dogself.com that will piss off the .ru but I haven't thought of anything good and legal (or at least ethical).

  • by Kalanos on 9/7/23, 12:59 PM

    Maybe they are just trolling you.

  • by Traubenfuchs on 9/7/23, 10:09 AM

    I think the better question is why facebook sends mails from facebookmail.com and metamail.com? Any sensible person would expect those to be scams, but they are real.

    https://www.facebook.com/help/1634546593478660