Auth0 password and/or email silently changed

I’ve been using auth0 since Aug 6. Today when I tried to log into auth0.com, I was apparently recognized (or just my Gravatar was fetched correctly), but got an error that my email or password were incorrect:

I have not changed either of those, but I went ahead and used the “Forgot password” option several times within the past 12 hours. I haven’t received any password reset email. I’ve checked the spam folder, and double-checked the welcome email from Aug 6 listing my email address; also Chrome’s password manager had stored the password I remembered.

I don’t see an outage on the status page, but my problem sounds close to this one.

Anyway, I am locked out of my account. How could this happen, and what can I do?

If somehow I got hacked (highly doubt it, I’m security conscious, not an interesting target, and have never been hacked in ~20 years online), shouldn’t auth0 send a confirmation email that my password was changed, or that a new email replaced my existing one?

To rule out email delivery problems, I’ve just signed up for this community, and I did receive the confirmation email to my Protonmail address from the auth0.com domain.

Hi @LudvigO, I’m going to look into this for you now.

Can you confirm you signed up by email and not by using a social identity provider?

Definitely email. My browser’s password manager has an entry for auth0, with that email from the screenshot. Thanks for looking into this.


Hi @LudvigO, I’ve just had someone check on this and they see your user is connected through GitHub. Can you try and let me know?

That’s it - I had logged in through another GitHub account. Not sure why Chrome’s password manager also has a stored email/password combo though, and why I’ve never received a password reset link.

Is it possible that that email is actually not in the system, and auth0 doesn’t say it’s invalid for some added security?


It might be for added security, but I’ll ask just in case. The Gravatar is loaded as you type a valid email, so that might also be confusing the situation.
