Bad practices used in the email "Use of breached password detected"

Feature: Use best security practices with the alert email “Use of breached password detected”

Description: The breached password detection is useful, but please consider that:

  1. The email was not from auth0.com (which is suspicious).
  2. All email links were to a third-party domain (sendgrid), obscuring the actual link location (more suspicious).
  3. Multiple emails in the “to:” field (the best practice is one email for each user).
  4. A call to action based on the links in the email (the best practice is not to include links but to include instructions).

None of these are security best practices.
We hope you can fix these mistakes soon.

Use-case: When a breached password is detected and you send the related alert email.
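The four points in the request above can be expressed as a pre-send lint over the alert message: sender domain, link domains, recipient count, and links used as the call to action. The following is an added example written for this thread, not Auth0's code; the two sample messages, the `.example` domains and the assumption that auth0.com is the domain users expect the alert from are constructed for illustration.

```python
"""Lint an outgoing security-alert email against four phishing-resistance
checks (added example; not Auth0's code; sample messages are constructed)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_DOMAIN = "auth0.com"  # assumption: domain users expect alerts from

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _same_org(host: str, domain: str) -> bool:
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def _text_body(msg: Message) -> str:
    """Concatenate all text/* parts (plain or HTML) as decoded strings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit_alert_email(raw: str, first_party: str = FIRST_PARTY_DOMAIN) -> list[str]:
    """Return a list of findings; an empty list means the message passes."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # 1. Sender must be the first-party domain users already trust.
    from_addrs = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    if not from_addrs or any(
        not _same_org(addr.rsplit("@", 1)[-1], first_party) for addr in from_addrs
    ):
        findings.append(f"sender is not {first_party}: {from_addrs}")

    # 3. Exactly one recipient per message: no address disclosure, no bulk "To:".
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if len(recipients) != 1:
        findings.append(f"expected exactly one recipient, found {len(recipients)}")

    # 2 and 4. Links: none at all is the goal; any that exist must be first-party.
    body = _text_body(msg)
    collector = _LinkCollector()
    collector.feed(body)
    links = list(dict.fromkeys(collector.hrefs + URL_RE.findall(body)))
    third_party = sorted({urlparse(u).hostname or "" for u in links
                          if not _same_org(urlparse(u).hostname or "", first_party)})
    for host in third_party:
        findings.append(f"link points at third-party domain: {host}")
    if links:
        findings.append("message relies on links; give the user instructions instead")
    return findings


# Constructed sample: violates all four points.
BAD_ALERT = """\
From: Security Alerts <alerts@notifications.sendgrid.example>
To: alice@example.org, bob@example.org
Subject: Use of breached password detected
Content-Type: text/html; charset=utf-8

<p>Your password appeared in a breach.</p>
<p><a href="https://click.sendgrid.example/r/abc123">Reset your password now</a></p>
"""

# Constructed sample: first-party sender, one recipient, instructions instead of links.
GOOD_ALERT = """\
From: Auth0 Security <no-reply@auth0.com>
To: alice@example.org
Subject: Use of breached password detected
Content-Type: text/plain; charset=utf-8

Your password appeared in a known breach. Do not click anything in this
message: open your usual login page in the browser, sign in, and change
your password from the account settings.
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_ALERT), ("good", GOOD_ALERT)):
        print(label, audit_alert_email(raw) or "OK")
```

Running it lists one finding per point for the constructed bad message and nothing for the good one; the checker can sit in a template test suite so a change to the sender address or to a link-tracking integration fails before it reaches users.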

Hi @francisco.cabezas,

Welcome to the Auth0 Community!

Thanks for the feature request. Make sure to click the “vote” button.