Phantom users in Auth0 database


I am seeing a problem where accounts long deleted (the connection is an Auth0-provided database) seem to still have some presence, such that when I try to log in (using the PHP SDK), my credentials are rejected multiple times, ending up with a notification that the account has been disabled:

Your account has been blocked after multiple consecutive login attempts. We've sent you an email with instructions on how to unblock it.

This happens with accounts that have a login containing dashes -

Hi @argo ! Thank you for posting at Auth0 community!

That error seems to indicate that you are running into Brute Force Protection, described here:

For example, if a user attempts to sign in from IP1 and consecutively fails to log in 10 times, then future login attempts for the user from IP1 will be blocked. Other users attempting to log in from IP1 will not be blocked.

Can you also please clarify, are you trying to log in with a user email that was deleted a while back? If so, are you also seeing an error “User already exists” for these users? If so, this post might be relevant: "User already exists" error when trying to create a user

Please let me know if that helps. Looking forward to your response!

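A small model of the rule quoted in the reply above, added here as an example (it is not Auth0's code and not part of the thread): consecutive failures are counted per identifier and source IP, and after 10 of them further attempts from that pair are refused. The class name, the sample accounts and IPs, and the choice to count failures for identifiers that have no account are assumptions of this sketch.

```python
from collections import defaultdict

MAX_CONSECUTIVE_FAILURES = 10  # threshold taken from the quoted documentation example


class BruteForceModel:
    """Toy per-(identifier, IP) lockout counter; hypothetical, not Auth0's implementation."""

    def __init__(self, credentials):
        self.credentials = credentials    # constructed user store: identifier -> password
        self.failures = defaultdict(int)  # (identifier, ip) -> consecutive failed attempts
        self.blocked = set()              # (identifier, ip) pairs currently blocked

    def login(self, identifier, password, ip):
        key = (identifier.lower(), ip)
        if key in self.blocked:
            return "blocked"              # refused before the password is even checked
        if self.credentials.get(key[0]) == password:
            self.failures.pop(key, None)  # a success resets the consecutive count
            return "ok"
        # Assumption of this sketch: the counter is keyed on the submitted identifier,
        # so failures accumulate even when no matching account exists.
        self.failures[key] += 1
        if self.failures[key] >= MAX_CONSECUTIVE_FAILURES:
            self.blocked.add(key)
        return "rejected"

    def unblock(self, identifier, ip):
        """Clear the block, as following an unblock link would in this model."""
        key = (identifier.lower(), ip)
        self.blocked.discard(key)
        self.failures.pop(key, None)


def attempts(model, identifier, password, ip, count):
    """Run `count` login attempts and return the list of outcomes."""
    return [model.login(identifier, password, ip) for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample data: one real account, documentation-range IPs.
    model = BruteForceModel({"alice@example.com": "correct-password"})
    print(attempts(model, "alice@example.com", "wrong", "203.0.113.1", 11))
    print(model.login("alice@example.com", "correct-password", "203.0.113.2"))
```

In this model a block can exist for an identifier with no account behind it, so the block state has to be checked separately from the user list when diagnosing rejected logins.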

Dear @ruchi , unfortunately this seems somewhat orthogonal to the issue we encounter, so let me try to better describe the steps we take.

We are using the Resource Owner Password Flow to establish a long-lasting connection, on the back-end, between an identity on our own CMS, and an identity on Auth0.

As such, we try to match user management operations, i.e. create an account on Auth0 when one is created on our CMS, update on Auth0 when an account is updated on our CMS, delete an account on Auth0 when an account is deleted on our CMS.

What we are doing, exactly, in PHP:

On create:

return $this->management_client->users()->create($this->realm, $arg);

With a payload like:

        'email'             => $userdata['email'],
        'email_verified'    => true,
        'app_metadata' => [
        'given_name'        => $userdata['first_name'],
        'family_name'       => $userdata['last_name'],
        'name'              => $userdata['display_name'],
        'nickname'          => $userdata['login'],
        'password'          => $userdata['password'],
        'verify_email'      => false,
        'username'          => $userdata['login'],

Then, login:

return $this->authentication_client->login(
        ['scope' => 'openid profile email offline_access', 'audience' => $this->audience],

Username now is the email address, and the password is the password used upon creation.

If the email address contains dashes, this never goes through. The account isn’t so much as created in Auth0.

In fairness: as part of tests some of these accounts had been created, deleted, then re-created. And for a while this worked fine. But recently it has stopped working.

As far as more recent tests, if I create a brand new account with an email containing dashes, creation fails, and the subsequent login of course fails.

I also got confused when receiving the error message above. There isn’t a matching account in Auth0, it’s not being created anymore. Hence the initial question about “phantom accounts” but I think it’s more than that.

Please advise.

Hi @ruchi .

Unfortunately, we are now seeing the same issue on a different tenant. I don’t think it’s related to the password.

The issue appears if we have a dash in the username that we use to login to Auth0. Please advise, as this is urgent.