Unknown Password Reset Notification email?

Hi, two of our users received the “You have submitted a password change request!” email even though they never asked for a password reset.

I don’t understand how that can happen.

Any idea why and how to avoid that?


Hey there!

Would love to help you find out more about that, but I definitely don’t have enough context; at the same time I’m trying to think where we should start, as it’s the first time I’ve heard of something like that.

Anybody can enter any email into the password-forgotten field on the login page, or invoke the API endpoint at https://auth0.com/docs/api/authentication#change-password - there’s not really a way to verify whether someone is actually the email address owner before they’re authenticated.
I don’t see a way to avoid it, unless you hide the password reset/forgotten function from the UI (and hope nobody finds it).
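Since the endpoint is unauthenticated by design, the practical defender-side option is to notice when it is being driven in bulk rather than by a single forgetful user. The following is an added example, not Auth0's code and not from the thread: it parses a constructed log in an assumed `key=value` format (real Auth0 log events are structured differently) and flags any source IP that fires a burst of reset requests within a sliding window, plus the list of addresses that IP targeted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only. The format
# (timestamp followed by key=value pairs) is an assumption of this
# example, not the real Auth0 log schema.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 event=password_reset_request email=alice@example.com
2024-03-01T10:00:03Z ip=203.0.113.5 event=password_reset_request email=bob@example.com
2024-03-01T10:00:04Z ip=203.0.113.5 event=password_reset_request email=carol@example.com
2024-03-01T10:00:06Z ip=203.0.113.5 event=password_reset_request email=dave@example.com
2024-03-01T10:00:09Z ip=203.0.113.5 event=password_reset_request email=erin@example.com
2024-03-01T10:05:00Z ip=198.51.100.7 event=password_reset_request email=frank@example.com
2024-03-01T11:00:00Z ip=198.51.100.7 event=login_success email=frank@example.com
"""


def parse_line(line):
    """Split one log line into a dict; the leading token is the UTC timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    """Parse every non-empty line of a log blob into event dicts."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_reset_bursts(events, window=timedelta(minutes=1), threshold=5):
    """Return {ip: max_count} for IPs that issued >= threshold
    password_reset_request events inside any `window`-long span.

    A single user who forgot their password produces one or two requests;
    a scripted run against many addresses produces a tight cluster.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e.get("event") == "password_reset_request":
            by_ip[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def distinct_targets(events, ip):
    """Sorted list of addresses a given IP requested resets for."""
    return sorted({
        e["email"] for e in events
        if e.get("event") == "password_reset_request" and e["ip"] == ip
    })


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in find_reset_bursts(evs).items():
        print(f"ALERT {ip}: {n} reset requests in one window, "
              f"targets={distinct_targets(evs, ip)}")
```

The window and threshold are tunable; the point is that the signal lives in the volume and spread of requests per source, which is visible in logs even though each individual request is indistinguishable from a legitimate one.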


Thanks for sharing that knowledge @mathiasconradt :heart: