Mailboxes are currently flooded by password reset, newsletter or account confirmation mails – it's an attack

Sicherheit (Pexels, allgemeine Nutzung)[German]A German blog reader contacted me this week and reported a worrying observation made by one of his customers. The customer is receiving a flood of requests to reset his passwords, to confirm a newsletter or a now user account. The messages really do come from the services in question. At the moment, it is still somewhat unclear what exactly is behind this. But my suspicion is, that this email flood shall hide a breach of an account.


It's suspected, that attacks on various content management systems (CMS) and websites  are made, where password resets are triggered automatically. Or bots created newsletters and new accounts on different services in behalf of a victim. It is possible that something is triggered in brute force attack attempts on these systems in terms of password resets. However, I have a case in mind from 2020 where a PayPal account hack was to be concealed by something like this. Here is, what I know so far.

A note from a reader

The information is currently still a little vague. Tobias B. runs a computer service and has just sent me an e-mail in which he describes the situation. One of his customers has just noticed an unpleasant phenomenon. The customer is currently receiving thousands of "password reset" e-mails from various websites at his T-Online e-mail address. Tobias has looked into this and writes that the mails actually seem to originate from the systems of the website operators. The senders and links are not fakes.

The purpose of the whole thing is unclear. He suspects that there may be an attack on certain CMS systems or user databases in which new users are automatically created. The reset emails would then be triggered and sent (several times) in order to obtain valid and frequently used email/password combinations from the recipients …

If this is the case, thousands of website operators would probably have to block and revise their systems, writes Tobias. It is currently unclear to him whether it is a larger issue or "just" an individual problem. What is striking in his eyes (which speaks against a fake) is that the emails are all formatted similarly. To him, it looks like the same CMS/server management system is being used. Here are some screenshots of such mails.



In the screenshot above, a password reset is requested. However, I have received other emails – one variant requests confirmation of a newsletter registration. The following screenshots state that an account has been created and that this should be confirmed.



The reader says: "If you've heard anything similar, perhaps I'll be able to read about it soon." I haven't come across anything like this at the moment – but I immediately had a suspicion. It could simply be a cover-up.

A guess from me

I discussed this approach in 2020 in the blog post Mass newsletter spam and the Paypal account hack. There, too, the operator of an IT service had come across such a phenomenon with a customer. At the time, bots triggered thousands of newsletter registrations in order to conceal a PayPal account hack. The purpose of the mass spam was to make the PayPal notification about the account hack disappear in the flight of emails. Question: Has anyone else observed this?

There are other articles

After I drew Tobias' attention to my article and my suspicions, he pointed me to a post My inbox is being flooded by password reset emails! with a similar problem. Google also has a support post on the topic. Something similar is also happening with Amazon account hacks, as outlined in this post.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *