We had about 30 users write in today that they received password reset email notifications, but didn't request them.

Is anybody aware of an exploit that might make use of this? We did block a connection that appears to have been either scraping the site, looking for a user list to possibly perform these password resets, or doing something else nefarious.

We did have an issue with the mail queue growing quite large, larger than what our mail queue batch setting could keep up with.

I'm betting the mail queue issue is related to these password reset email notifications going out. I've reviewed the notifications received, and they look correct. No bad URLs or missing usernames.

Has anybody experiencing something similar to this?

Thanks!

WWB

Anyone can request those emails to be sent from login.php?do=lostpw.
Or is that not what you're talking about?

No, you're correct. We have that page. But you need to specify an email address and complete recaptcha v2.

These users did not request the password reset. So somebody else did.

So that somebody would have to know the email addresses, correct? Maybe a bot guessing email addresses, or using their own list against our website?

Again, I'm more trying to determine that if it was somebody with malicious intent, what could they gain going this route. It only makes sense to me if they have access to the email account in question, and then even in that scenario, they'd have to figure out admin account email addresses. Again, if they're after access.

There's also the possibility that this was a DOS attack, or attack on VB's mail queue. Our mail queue, around the same time these support requests came in, swelled to 7000 msgs, which the mail queue process scheduled task couldn't keep up with based on our settings.

Or maybe this was just a site scraper.

I doubt it will do any harm besides filling up your mail queue. There's not a whole lot to do against it since it's just a public page.

Have you checked the access logs for GET/POST requests sent to login.php?do=lostpw? Maybe you can get some more information regarding who did it by looking at the access logs.

Thanks for the suggestion, Dave. I check the logs and report back.