Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Question

Someone requested a password reset to my online retail acct

Aug 5, 2016 11:03AM PDT

A little while ago I received a legit e-mail from one of the major online retailers. It gave me the passcode to enter my account, because apparently someone had requested a reset of my password. I didn't click on any e-mail links, but instead went directly to the retail website. Sure enough, that passcode gave me access to my online retail account. I changed my password.

Next, I looked at what might have happened. Apparently, anyone can type in an e-mail address to request that the password be reset. If the e-mail address is recognized, it tells you an e-mail has been sent to that account with the new passcode. If the e-mail address is not recognized, then feedback is given to re-enter the e-mail address. (Other retailers use the phrase "if that account is in our records then we will send a temporary password." That way a potential thief wouldn't ever know whether the e-mail address is the login or not.)

This has happened before on different online websites (major retailers). Is it usually a person typing the e-mail address into the "Request Password Reset" form, or is it a "bot"?
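As an added example (not code from the CNET thread or from any retailer), the two behaviours the question contrasts, side by side: a reset-request handler that answers differently for known and unknown addresses, a hardened one that answers identically, and the probing routine a bot would run against either with a harvested address list. The user table, the outbox and every address here are constructed for the demo.

```python
"""Added example, not code from the CNET thread or from any retailer: a
minimal password-reset request handler with the enumeration leak the post
describes, beside a hardened handler that answers identically whether or not
the address is known, and the probing routine an attacker (or a bot) would run
against either. The user table, the outbox and all addresses are constructed."""
import secrets

# Constructed user table: address -> account id (stands in for the retailer's DB).
USERS = {"ben2010.sportz@example.com": 1, "alice@example.com": 2}

# Constructed outbox so the example runs offline; a real handler sends mail here.
OUTBOX = []

GENERIC_REPLY = "If that address is in our records, we have sent a reset e-mail."


def request_reset_leaky(email: str) -> str:
    """The behaviour the poster saw: a different reply for known and unknown
    addresses, so the reset form doubles as an "is this a login?" oracle."""
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
        return "An e-mail has been sent to that account with your new passcode."
    return "E-mail address not recognized. Please re-enter it."


def request_reset_hardened(email: str) -> str:
    """Same wording and same work for every input; the only place the truth
    shows up is in the mailbox of the address that was typed in."""
    token = secrets.token_urlsafe(32)  # generated unconditionally: equal work per request
    if email in USERS:
        OUTBOX.append((email, token))
    return GENERIC_REPLY


def enumerate_accounts(handler, candidates):
    """What a bot does with a harvested address list: fetch the reply for an
    address that cannot exist, then flag every candidate whose reply differs."""
    baseline = handler(f"{secrets.token_hex(8)}@nonexistent.invalid")
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    probe = ["ben2010.sportz@example.com", "nobody@example.com", "alice@example.com"]
    print("leaky   :", enumerate_accounts(request_reset_leaky, probe))
    print("hardened:", enumerate_accounts(request_reset_hardened, probe))
```

Against the leaky handler the probe returns exactly the addresses that are logins; against the hardened one it returns nothing, because there is no difference to observe. Two caveats the wording alone does not cover: the hardened handler does the same amount of work on every path so that response time does not become the oracle instead, and it still needs rate limiting, since a form anyone can submit can otherwise be used to flood a victim's mailbox.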


Answer
update
Aug 5, 2016 11:08AM PDT

I also changed the e-mail account login to a different address, so they won't try again.

That's probably the best course of action on your part.
Aug 5, 2016 3:44PM PDT

I'm guessing that it's a bot/script that is doing this to find and collect valid emails to spam. It's not good on the site's part that they aren't giving the generic messaging as you mentioned--it will give these hackers validation as to which email addresses are legit or not. Sad

Cheers,
-Lee

Post was last edited on August 5, 2016 3:48 PM PDT

So glad I'm not an investor in this retail company....
Aug 5, 2016 9:51PM PDT

My e-mail address is fairly long, something like ben2010.sportz@(domain).com
So, I don't think a bot successfully tried to generate it. I think my e-mail was taken from some actual list (I get one or two spam e-mails per month) and the bot was trying to find out which e-mails are used to access certain online retailers.

If it wasn't a bot, then it could have been someone I know. I'm on some group e-mail lists. Maybe someone was bored and tried to see where I do my online shopping at? Also could be an administrator/moderator of discussion forums. I have posted some sale prices and items in threads, so maybe a bored moderator decided to mess with me by resetting my password (knowing that I'd be instantly alerted by e-mail).

I called the company's customer service line to try to explain how it's not smart for the password reset to confirm an e-mail address as being valid. The customer service rep (no foreign accent) didn't understand my concern. I tried telling him that even his e-mail could be used to reset his password. He played dumb. (I honestly believe he was lazy and just didn't want to write up the issue to pass on to their technology security department.)

I then asked to speak to someone else like a supervisor and the rep gladly transferred me. This customer service rep was obviously the one trained for "difficult" customers. Agreed with everything I said. Said she would resolve it and have someone follow up with me. A few hours later I got an e-mail with a link to the site directions on how to request a new password. Shaking My Head!

if you explained to them
Aug 5, 2016 10:06PM PDT

If you explained it to them the way you are trying to tell us, I can understand why the customer service rep was confused. I am still trying to figure out what your problem is. I do not see one.

Your account did exactly what it was supposed to do when someone requested a password change. Unless the person who is trying to access your account has access to your email account, there is absolutely no way they can verify the password change and your account is secured.

Getting their attention
Aug 6, 2016 2:51PM PDT
Unless the person who is trying to access your account has access to your email account, there is absolutely no way they can verify the password change and your account is secured.
The other person doesn't need access to the email account. They simply reset the password. The new password sent out in the e-mail is much simpler than a personalized password with capital letters, numbers, and symbols.

I am still trying to figure out what your problem is. I do not see one.
Once a thief knows that an e-mail address is the login (verified by the website), they can then use a sequential generator to eventually crack the password reset.

I succeeded in getting their attention. I called the customer service again. Asked if that person had an online account with their own company (of course). I had that customer service rep enter their email into the "I've Forgotten My Password" section. Password is reset, old password no longer works. She checked her email and saw the reset was a very basic password. That got her attention. She gave me the technology security person for me to contact directly. I called, but no one picked up (probably off for the weekend).

you just don't get it
Aug 6, 2016 8:06PM PDT

A password is normally not reset UNLESS the owner of the account verifies that it was them who requested the change. Basically it works as follows if the user selects e-mail for verification.

1. A request is made.
2. They will e-mail the owner of the account using the e-mail address on file to verify they requested the change. Sometimes when requesting a password, you can enter any e-mail address BUT the verification is only sent to the address in the account.
3. The owner of the account clicks on a link in the e-mail to say it was OK, and it will also say to ignore the e-mail if they did not request the change.
4. Once it is verified, then the password is reset.
5. Once you access the account, it is up to you to change that password to a more secure one. If you are the one who is asking for the reset, you will be sitting there and will immediately change the password if you don't like the one given. Nobody will have time to try to crack that password.

Nobody can go to someone else's account and change a password just because they know the name on the account. NOBODY!!!

Most likely you were given a number to call to shut you up and get someone else to deal with you.
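The five-step flow outlined in the post above, and the point raised earlier in the thread that a reset-on-request replaces the old password with a simple temporary one, both come down to what the server does at the moment of the request. As an added example that is not code from the thread or from any retailer, here is a reset service written so that a request alone changes nothing: the old password keeps working until the owner presents the token from their mailbox, and that token is random, stored only as a hash, time-limited and single-use. The in-memory store, the outbox, the injectable clock and the 15-minute lifetime are assumptions made for the demo.

```python
"""Added example, not code from the thread or from any retailer: the
verification-style reset flow the post outlines, written so that a request
alone changes nothing. The old password keeps working until the owner presents
the token from their mailbox; the token is random (not guessable in sequence),
stored only as a hash, time-limited and single-use. The store, the outbox,
the clock hook and the 15-minute lifetime are all assumptions for the demo."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link/token
GENERIC_REPLY = "If that address is in our records, we have sent a reset e-mail."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; Argon2id or bcrypt is the usual choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    # Tokens are stored hashed so a copy of the table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.accounts = {}          # email -> (salt, password hash); constructed store
        self.pending = {}           # token hash -> (email, expires_at)
        self.outbox = []            # stands in for the mailer: (email, token)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = (salt, _hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        rec = self.accounts.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def request_reset(self, email: str) -> str:
        """Steps 1-2: anyone may ask; the mail goes only to the address on file,
        and nothing about the account changes yet."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)   # 256 random bits: no sequential generator lands on it
            self.pending[_hash_token(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return GENERIC_REPLY        # identical wording for known and unknown addresses

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Steps 3-5: only the holder of the mailbox can get here; the token is
        consumed on first use and refused after its lifetime."""
        entry = self.pending.pop(_hash_token(token), None)   # pop = single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        salt = os.urandom(16)
        self.accounts[email] = (salt, _hash_password(new_password, salt))
        return True
```

The difference from the retailer in the thread is where the state change happens: here a stranger typing your address gets the generic reply and you get an e-mail you can ignore, with your existing password untouched, so the request form cannot be used to lock you out. If a site insists on e-mailing a temporary password instead of a link, the same properties still matter: it must be random rather than simple, short-lived, and forced to change at first login.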