Auth0 password and/or email silently changed

LudvigO · September 20, 2018, 6:37am

I’ve been using auth0 since Aug 6. Today when I tried to log into auth0.com, I was apparently recognized (or just my Gravatar was fetched correctly), but got an error that my email or password were incorrect:

I have not changed either of those, but I went ahead and used the “Forgot password option”, several times within the past 12 hours. I haven’t received any password reset email. I’ve checked the spam folder, and double-checked the welcome email from Aug 6 listing my email address; also Chrome’s password manager had stored the password I remembered.

I don’t see an outage on the status page, but my problem sounds close to this one.

Anyway, I am locked out of my account. How could this happen, and what can I do?

If somehow I got hacked (highly doubt it, I’m security conscious, not an interesting target, and have never been hacked in ~20 years online), shouldn’t auth0 send a confirmation email that my password was changed, or that a new email replaced my existing one?

To rule out email delivery problems, I’ve just signed up for this community, and I did receive the confirmation email to my Protonmail address from the auth0.com domain.

luke.oliff · September 21, 2018, 11:26am

Hi @LudvigO, I’m going to look into this for you now.

Can you confirm you signed up by email and not by using a social identity provider?

LudvigO · September 21, 2018, 11:32am

Definitely email. My browser’s password manager has an entry for auth0, with that email from the screenshot. Thanks for looking into this.

luke.oliff · September 24, 2018, 5:53pm

Hi @LudvigO, I’ve just had someone check on this and they see your user is connected through GitHub. Can you try and let me know?

LudvigO · September 24, 2018, 7:37pm

That’s it - I had logged in through another GitHub account. Not sure why Chrome’s password manager also has a stored email/password combo though, and why I’ve never received a password reset link.

Is it possible that that email is actually not in the system, and auth0 doesn’t say it’s invalid for some added security?

luke.oliff · September 24, 2018, 7:42pm

It might be for added security, but I’ll ask just in case. The Gravitar is loaded as you type a valid email, so that might also be confusing the situation.

system · October 24, 2018, 7:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot reset my auth0 password, email doesn't arrive Help	4	2185	January 18, 2021
Don’t receive reset link for auth0 Help auth0 , password-reset , password , login , reset-password	3	2329	December 26, 2021
Don't receive reset link for auth0 admin dashboard Help lock , auth0 , login	3	2170	March 16, 2021
Chrome reports data breach and ask for password change Help auth0	7	3716	August 3, 2020
Reset password email not received Help forgot-password	3	3062	December 26, 2022

Auth0 password and/or email silently changed

Related Topics