[Nextgrid]

This would detect a large-scale attack, but wouldn't detect small-scale, targeted attacks as they would just get lost in the noise of legitimate password resets.

Furthermore, for dormant accounts (where the user is no longer using the app - potentially because they are now in a relationship) the user will not notice anything either, and the notification email is likely to get lost in the endless newsletter spam the non-technical majority has in their inbox.

[godelski]

I think this is a good point. I'll admit that I'm naive about web and security (not my area). Are multiple password resets within a small time frame common? I would not expect this to be common, but user behavior has often defied my expectation. If it is uncommon I think you could create a correlation and get an estimate, if it is common then I completely agree that it would be lost in the noise.

And yeah I agree that this type of analysis wouldn't help with dormant accounts and also does require them to log the user out on their phone (otherwise why issue another reset?). But both these could be captured. This is probably way too much analysis for such an attack and over engineering the issue, but hey that's what we all do, right? haha

[laurent92]

> Are multiple password resets common within a small timeframe?

Yes. When you reset your password once, probability is high to reset it many times. It is often because you don’t remember it, and the new one isn’t fixated in your memory. Or because I’ve changed devices, but my computer kept my old password, so I reset it too, and back and forth on each device until I have time to bring the two devices together and type in the same password. Basically password resets happen rarely, except when they happen, they happen in a salve.

That is the exact opposite scenario of when London hired statisticians during the Battle of England because they were surprised how all German bombs fell on specific buildings, and were wondering why Germans would target those, only to discover that randomness meant bombs would randomly fall in clusters for no reason at all.

[daniellarusso]

We see this with password email reset requests that have deliverability delays.

If the user does not receive the reset email within a few seconds, they submit more reset requests.

Also, there have been several Windows updates that cleared the saved password login info in the browser, and get a flurry of reset requests.

[godelski]

This makes a lot of sense about why my priors were wrong. Thanks! (always gotta check your priors)

[Nextgrid]

Increased volume of password resets would indeed suggest an attack, though it can also be explained by benign reasons (redesign of the app, marketing campaign prompting previous users to log back in, news exposure, the pandemic increasing loneliness and making more people use dating apps, etc).

However the biggest risk here is that small, targeted attacks distributed over time (where a single attacker only targets a handful of accounts) wouldn't stand out in the overall statistics.

In case of this incident, small-scale attacks (where a single person targets a single account of someone they don't like) are actually more likely which is why them saying they do not believe this was exploited while being completely unable to detect these attacks is so misleading and lures people into a false sense of security.

[rainbowzootsuit]

I've at times done a string of password resets when unusually designed sign up pages cause a password not to be captured by my password manager.

This seems to happen most when it's a multi page setup process. I often use a plain text scratchpad document to prevent the loss of data but sometimes circumstances happen.

I'm using LastPass for what it's worth. If anyone has better experiences with competitive products I'd be happy to hear about it.