Spyware, Viruses, & Security forum

Question

Someone requested a password reset to my online retail acct

A little while ago I received a legit e-mail from one of the major online retailers. It gave me the passcode to enter my account, because apparently someone requested a reset of my password. I didn't click on any e-mail links, but instead I went directly to the retail website. Sure enough, that passcode gave me access to my online retail account. I changed my password.

Next, I looked at what might have happened. Apparently, anyone can type in an e-mail address to request the password be reset. If the e-mail address is recognized, it tells you an e-mail has been sent to that account with the new passcode. If an e-mail address is not recognized, then feedback is given to re-enter the e-mail address. (Other retailers use the phrase "if that account is in our records then we will send a temporary password." That way a potential thief wouldn't ever know if the e-mail address is the login or not).

This has happened before on different online websites (major retailers). Is it usually a person typing the e-mail address into the "Request Password Reset"? Or is it a "bot"?


All Answers

Answer
update

In reply to: Someone requested a password reset to my online retail acct

I also changed the e-mail account login to a different address, so they won't try again.

That's probably the best course of action on your part.

In reply to: update

I'm guessing that it's a bot/script that is doing this to find and collect valid emails to spam. It's not good on the site's part that they aren't giving the generic messaging as you mentioned--it will give these hackers validation as to which email addresses are legit or not. Sad

Cheers,
-Lee

Post was last edited on August 5, 2016 3:48 PM PDT

So glad I'm not an investor in this retail company....

In reply to: That's probably the best course of action on your part.

My e-mail address is fairly long, something like ben2010.sportz@(domain).com
So, I don't think a bot successfully tried to generate it. I think my e-mail was taken from some actual list (I get one or two spam e-mails per month) and the bot was trying to find out which e-mails are used to access certain online retailers.

If it wasn't a bot, then it could have been someone I know. I'm on some group e-mail lists. Maybe someone was bored and tried to see where I do my online shopping at? Also could be an administrator/moderator of discussion forums. I have posted some sale prices and items in threads, so maybe a bored moderator decided to mess with me by resetting my password (knowing that I'd be instantly alerted by e-mail).

I called the company's customer service line to try to explain how it's not smart for the password reset to confirm an e-mail address as being valid. The customer rep person (no foreign accent) didn't understand my concern. I tried telling him that even his e-mail could be used to reset his password. He played dumb. (I honestly believe he was lazy and just didn't want to write up the issue to pass on to their technology security department).

I then asked to speak to someone else like a supervisor and the rep gladly transferred me. This customer service rep was obviously the one trained for "difficult" customers. Agreed with everything I said. Said she would resolve it and have someone follow up with me. A few hours later I got an e-mail with a link to the site directions on how to request a new password. Shaking My Head!

if you explained to them

In reply to: So glad I'm not an investor in this retail company....

If you explained to them the way you are trying to tell us, I can understand why the customer service rep was confused. I am still trying to figure out what your problem is. I do not see one.

Your account did exactly what it was supposed to do when someone requested a password change. Unless the person who is trying to access your account has access to your email account, there is absolutely no way they can verify the password change and your account is secured.

Getting their attention

In reply to: if you explained to them

> Unless the person who is trying to access your account has access to your email account, there is absolutely no way they can verify the password change and your account is secured.

The other person doesn't need access to the email account. They simply reset the password. The new password sent out in the e-mail is much simpler than a personalized password with capital letters, numbers, and symbols.

> I am still trying to figure out what your problem is. I do not see one.

Once a thief knows that an e-mail address is the login (verified by the website), they can then use a sequential generator to eventually crack the password reset.

I succeeded in getting their attention. I called the customer service again. Asked if that person had an online account with their own company (of course). I had that customer service rep enter their email into the "I've Forgotten My Password" section. Password is reset, old password no longer works. She checked her email and saw the reset was a very basic password. That got her attention. She gave me the technology security person for me to contact directly. I called, but no one picked up (probably off for the weekend).

you just don't get it

In reply to: Getting their attention

A password is normally not reset UNLESS the owner of the account verifies that it was them who requested the change. Basically it works as follows if the user selects email for verification.

1. Request is made.
2. They will email the owner of the account using the email address on file to verify they requested the change. Sometimes when requesting a password, you can enter any email address BUT the verification is only sent to the address in the account.
3. The owner of the account clicks on a link in the email to say it was ok, and it will also say to ignore the email if they did not request the change.
4. Once it was verified, then the password is reset.
5. Once you access the account, it is up to you to change that password to a more secure one. If you are the one who is asking for the reset, you will be sitting there and will immediately change the password if you don't like the one given. Nobody will have time to try to crack that password.

Nobody can go to someone else's account and change a password just because they know the name on the account. NOBODY!!!

Most likely you were given a number to call to shut you up and get someone else to deal with you.
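
The two site behaviours debated in this thread, the generic "if that account is in our records" reply and a reset that only takes effect after the owner confirms from the e-mail, sketched as an added example that is not part of the thread or any retailer's code. `ResetService`, its in-memory stores, the 15-minute lifetime and the sample addresses in any usage are all assumptions made for illustration.

```python
import hashlib
import os
import secrets
import time

GENERIC_REPLY = "If that address is in our records, we will e-mail reset instructions."
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    """Hypothetical in-memory service; dicts stand in for the database and mailer."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, password hash)
        self.pending = {}   # sha256(token) -> (email, expiry time)
        self.outbox = []    # (email, token) pairs "sent" to the address on file

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = (salt, hash_password(password, salt))

    def check_password(self, email, password):
        salt, stored = self.accounts[email]
        return secrets.compare_digest(stored, hash_password(password, salt))

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self.accounts:
            token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))  # real code queues mail asynchronously
        return GENERIC_REPLY  # identical for known and unknown addresses

    def confirm_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: gone after one try
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)  # old password valid until here
        return True
```

Requesting a reset in this sketch never changes the stored password, so a stranger who types in someone's address cannot lock the owner out, and the web reply gives no hint whether the address is a login.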
