
Auth0 password and/or email silently changed



I’ve been using auth0 since Aug 6. Today when I tried to log in, I was apparently recognized (or just my Gravatar was fetched correctly), but got an error that my email or password was incorrect:

I have not changed either of those, but I went ahead and used the “Forgot password” option several times within the past 12 hours. I haven’t received any password reset email. I’ve checked the spam folder, and double-checked the welcome email from Aug 6 listing my email address; also Chrome’s password manager had stored the password I remembered.

I don’t see an outage on the status page, but my problem sounds close to this one.

Anyway, I am locked out of my account. How could this happen, and what can I do?

If somehow I got hacked (highly doubt it, I’m security conscious, not an interesting target, and have never been hacked in ~20 years online), shouldn’t auth0 send a confirmation email that my password was changed, or that a new email replaced my existing one?

To rule out email delivery problems, I’ve just signed up for this community, and I did receive the confirmation email to my Protonmail address from the domain.


Hi @LudvigO, I’m going to look into this for you now.

Can you confirm you signed up by email and not by using a social identity provider?


Definitely email. My browser’s password manager has an entry for auth0, with that email from the screenshot. Thanks for looking into this.


Hi @LudvigO, I’ve just had someone check on this and they see your user is connected through GitHub. Can you try and let me know?


That’s it - I had logged in through another GitHub account. Not sure why Chrome’s password manager also has a stored email/password combo though, and why I’ve never received a password reset link.

Is it possible that that email is actually not in the system, and auth0 doesn’t say it’s invalid for some added security?


It might be for added security, but I’ll ask just in case. The Gravatar is loaded as you type a valid email, so that might also be confusing the situation.

