Hi, apologies for the delayed news post about this, I'm still trying to get through the tickets currently, so this is just a provisional statement - please let me update this thread with further information as it becomes available.

This is pertaining to a large volume of unsolicited password reset emails outgoing from TH, May 5 2024.

Issue:

  • Previously, our password reset form required only providing an account username to issue a password reset request; this has been taken advantage of today to spam TH users with password reset requests.
  • We don't have any reason to believe that these emails can be used to breach an account, nor do these emails indicate that your account has been breached. These can be safely ignored. Please do not click any links in these emails unless you yourself have issued a request for a password reset.

Current status:

  • The password reset and username reminder forms have now both been updated to require the account email address to be provided, rather than the account username. This should prevent continued emails (assuming that your email address has not been made public).
  • However, due to the unexpected volume of mails outgoing from TH, we have been rate-limited by some mail providers; this means that some outgoing mails are bouncing and will be delayed. This means two things -
    • You may continue receiving delayed, unsolicited password reset emails as they trickle out
    • Any legitimate password reset or email reset requests that you make may be delayed
  • I apologize that I don't know how long we will be rate limited for; I'm currently trying to communicate with our mail service to see if we can ease this in any way, either by expediting or by cancelling all current outgoing mail to reset the queue of outgoing mail
  • We have also added recaptcha protection to the password reset and username reminder forms, which should protect against bots; apologies for the oversight here, this is something that should have been added a lot earlier
  • Future action -
    • I'll be working on adding captchas to the login and registration forms also
    • It is very likely that we will be removing the perma-link for user ticket reports, as this makes it too easy to scrape the site for usernames

Recommended action:

  • We do not have any reason to believe your password or account has been compromised as a result of these emails, but as a basic security precaution, please do regularly update your TH password. If you have not updated your TH password recently, this may be good timing to do so.
  • If you have received an unsolicited email from TH, I apologize for the inconvenience; please ignore this.
  • If you are waiting on an email for a password or email reset, I apologize that I'm unable to tell when the rate limit on our outgoing mails will be released; this is something I am currently trying to communicate with our mail provider about. If you require urgent assistance, please open a ticket at the HelpDesk and I'll see if I can help manually process your request.
  • Please consider enabling 2FA if you are able to do so. This will protect your TH account even if your password is compromised.
  • Otherwise, if you observe any other unusual behaviour around the site, or run into any reason to believe your account has been breached, please open a ticket at the HelpDesk or contact [email protected]
admin
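As an added illustration of the mitigations the post describes (reset form keyed on email address rather than username, a bot check, and protection against a flood of outgoing mail), here is a small reset-request guard in Python. This is example code written for this thread, not TH's actual implementation; the class name, the per-address cooldown, the per-requester limit, the injectable `clock` and the in-memory `outbox` stand-in for a mailer are all assumptions.

```python
import time
from collections import deque


class ResetRequestGuard:
    """Decides whether a password-reset email may be queued for an address.

    Assumed design (not TH's code): the form takes an email address, every
    outcome returns the same neutral message so the reply does not reveal
    whether the address is registered, each target address gets a cooldown
    so one mailbox cannot be flooded, and each requester gets a sliding-window
    limit so one client cannot trigger mail for thousands of addresses.
    """

    NEUTRAL = "If that address is registered, a reset link has been sent."

    def __init__(self, known_emails, target_cooldown=900, ip_limit=5,
                 ip_window=3600, clock=time.time):
        self.known = {e.strip().lower() for e in known_emails}  # constructed user list
        self.target_cooldown = target_cooldown  # seconds between mails to one address
        self.ip_limit = ip_limit                # requests allowed per requester per window
        self.ip_window = ip_window              # sliding window length in seconds
        self.clock = clock                      # injectable for deterministic tests
        self.last_sent = {}                     # email -> timestamp of last reset mail
        self.ip_hits = {}                       # requester -> deque of request timestamps
        self.outbox = []                        # stand-in for the real mail queue

    def request(self, email, requester_ip, captcha_ok):
        """Handle one form submission; always returns the same neutral text."""
        now = self.clock()
        email = email.strip().lower()

        # Per-requester sliding window: drop timestamps older than the window.
        hits = self.ip_hits.setdefault(requester_ip, deque())
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        hits.append(now)

        # Failed bot check or too many requests: silently drop (audit-log in practice).
        if not captcha_ok or len(hits) > self.ip_limit:
            return self.NEUTRAL

        # Only queue mail for a registered address that is outside its cooldown.
        if email in self.known and now - self.last_sent.get(email, 0.0) >= self.target_cooldown:
            self.last_sent[email] = now
            self.outbox.append(email)
        return self.NEUTRAL
```

The caller sees the same response whether the address exists, is on cooldown, or the requester has been throttled; only the outbox changes.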

Thanks everyone for your patience; here is a status update on this current situation - 

  • Invisible captchas have been added to the login & registration forms; these are handled by Google and will check the likelihood of your device being a bot. 
    • We are currently observing the audit logs for these and will be adjusting the settings; we apologise for any users who are getting falsely blocked while we are tweaking this. 
    • In the meanwhile, if you find you are being flagged -  
      • We have received reports of users getting flagged when rapidly logging in and out from multiple accounts, so if this is the case, please try waiting a bit between logins
      • Please double-check that you have JavaScript enabled and Adblock disabled
  • I apologise that we are still observing outgoing spam mails - 
    • For reference, there were 100k mails sent out on May 5, and only 50k have been delivered, so there are still a large number which are due to be sent. 
    • We have been informed these mails will automatically be canceled after 72 hours, so we expect this problem to persist until around tomorrow evening at the latest (around the end of May 7). 
    • During this time, spam mails may continue to be sent, and legitimate outgoing mail may be delayed.
    • I understand this is frustrating and apologise for the confusion and inconvenience. We are still communicating with our providers to see if this can be expedited. 
admin

We have managed to get our outgoing mail queue cleared by our mail service now, so any remaining outgoing spam should now no longer be delivered 🎉

We are still rate limited, so legitimate outgoing mail will still be delayed. This is on the individual mail provider's end (in this case, mostly Gmail), so we don't have control over this, but we anticipate our mail services should start working as expected again over the next day or two. Thank you again for your patience.