No Breached Password Alert Email received

Problem statement

We found an issue when testing the breached password alert email. Here are the detailed steps and observations:

  1. Created an account with a good password.
  2. Clicked on Forgot Password and changed the password to a breached one taken from the official page.
  3. Logged in with the changed password.
  4. Received the alert email.
  5. Changed back to a good password using the link in the alert email.
  6. Clicked on Forgot Password again and changed it to the previous breached one.
  7. Logged in again.
  8. Login is blocked, but NO breached password alert email is received this time.

Solution

We apply a rate limit to sending breached password alert emails. Currently, this limit is set to one email per hour per user, so the second login in the steps above is still blocked, but the second alert email is suppressed because it falls inside the one-hour window of the first.

If you wait more than an hour, we will send a new email on the next login attempt that uses a breached password.
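The following is an added example, not the product's own code, that models the behaviour described above: a login with a breached password is always blocked, while the alert email is limited to one per user per hour. The breached-password check is a constructed in-memory set standing in for a real lookup, and the clock is injectable so the two-attempt sequence from the report can be replayed without waiting an hour.

```python
import time
from typing import Callable, Dict, List, Set

# One alert email per user per hour: the limit stated on this page.
ALERT_INTERVAL_SECONDS = 60 * 60


class BreachedPasswordLoginGuard:
    """Blocks logins with breached passwords and rate limits the alert email."""

    def __init__(self, breached_passwords: Set[str],
                 now: Callable[[], float] = time.time):
        # Constructed stand-in for a real breached-password lookup.
        self._breached = breached_passwords
        self._now = now
        self._last_alert: Dict[str, float] = {}   # user -> time of last alert
        self.sent_alerts: List[tuple] = []        # (user, timestamp), for inspection

    def login(self, user: str, password: str) -> dict:
        """Return whether the login was blocked and whether an alert was sent."""
        if password not in self._breached:
            return {"blocked": False, "alert_sent": False}
        now = self._now()
        last = self._last_alert.get(user)
        # Only the email is rate limited; the block itself always applies.
        alert = last is None or (now - last) > ALERT_INTERVAL_SECONDS
        if alert:
            self._last_alert[user] = now
            self.sent_alerts.append((user, now))
        return {"blocked": True, "alert_sent": alert}


def reproduce_report(wait_seconds: float) -> List[dict]:
    """Replay the reported sequence with a fake clock: two logins by the same
    user with the same breached password, separated by wait_seconds."""
    clock = [1_000_000.0]                       # constructed fake epoch time
    guard = BreachedPasswordLoginGuard({"password123"}, now=lambda: clock[0])
    first = guard.login("alice", "password123")  # step 3: blocked, email sent
    clock[0] += wait_seconds
    second = guard.login("alice", "password123")  # step 7: blocked, email gated
    return [first, second]
```

Replaying with a short wait reproduces the report (second attempt blocked, no email); a wait of just over an hour sends the email again, as the solution states.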