Problem statement
We found an issue when testing the breached password alert email. Here are the detailed steps and observations:
- Created an account with a good password.
- Clicked on forgot password and changed the password to a breached one, taken from the official page.
- Logged in with the changed password.
- Received the alert email.
- Changed back to a good password from the link in the alert email.
- Clicked on forgot password again and changed it to the previous breached one.
- Logged in again.
- Login was blocked, but NO further breached password alert email was received.
Solution
We apply a rate limit on sending breached password emails. Currently, this limit is set to one email per hour per user.
If you wait more than an hour, a new email should be sent on the next login attempt that uses a breached password.
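The behaviour described above, modelled as an added example (not the product's own code): every login with a breached password is blocked, as in the last step of the problem statement, but the alert email is sent at most once per hour per user. The breached-password set, user names and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict

# The per-user cooldown the solution describes: one alert email per hour.
ALERT_COOLDOWN = timedelta(hours=1)


@dataclass
class BreachedPasswordGuard:
    """Decides, for one login attempt, whether to block and whether to alert.

    `breached` stands in for the real breached-password lookup; here it is a
    constructed set of known-bad passwords (assumption for the example).
    """
    breached: set
    last_alert: Dict[str, datetime] = field(default_factory=dict)

    def login_attempt(self, user: str, password: str, now: datetime) -> dict:
        if password not in self.breached:
            return {"blocked": False, "alert_sent": False}
        # A breached password always blocks the login...
        previous = self.last_alert.get(user)
        # ...but the alert email is only sent once the cooldown has expired.
        if previous is None or now - previous >= ALERT_COOLDOWN:
            self.last_alert[user] = now
            return {"blocked": True, "alert_sent": True}
        return {"blocked": True, "alert_sent": False}


def replay_scenario():
    """Replay the reported steps and return the outcome of each breached login in order."""
    guard = BreachedPasswordGuard(breached={"password123"})  # constructed sample
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    return [
        # First breached login: blocked and alert email sent.
        guard.login_attempt("alice", "password123", t0),
        # Second breached login ten minutes later: blocked, but inside the cooldown, so no email.
        guard.login_attempt("alice", "password123", t0 + timedelta(minutes=10)),
        # Third breached login after the hour has passed: blocked and a new email is sent.
        guard.login_attempt("alice", "password123", t0 + timedelta(hours=1, minutes=1)),
        # The limit is per user: another user's first breached login still gets an email.
        guard.login_attempt("bob", "password123", t0 + timedelta(minutes=10)),
    ]


if __name__ == "__main__":
    for outcome in replay_scenario():
        print(outcome)
```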