Why it happens and what to do.
I just happened to check my emails and noticed that I had an email telling me that I had asked for my outlook.com account password to be reset. I had not done this, so I followed the link that confirmed that this was not me. About two minutes later, I received an email from Facebook stating that I had attempted to change my password and was this me? I immediately clicked on the link to report that it wasn’t the case. What I’m wondering is if there’s any way of finding out how this happened, who’s trying to change my password, and the location of who and what was behind this? I checked my session data in Facebook and there were no strange locations there, but then they had failed to log in, so I suppose there wouldn’t be. Is anything else of mine at risk? I’ve checked my bank statement tonight and I am a little worried.
To answer your question, no.
If no one has actually logged into your account, you can’t get the information that you’re looking for, at least not without a warrant. But I do want to talk about what may have happened in order for you to get that “password has been reset” email. I also want you to do something different in the future.
Unexpected reset attempts
Unexpected “password reset” emails can be caused by many things, ranging from honest mistakes to intentional hack attempts. Ignore any you did not initiate yourself. The best protection is a strong password, up-to-date recovery information, and two-factor authentication. In any case, the information about who’s trying to change your password is not available to you.
Unexpected password resets
A password reset email means someone entered your ID into a login page and clicked the “I forgot my password” link or equivalent.
So if you didn’t ask for a password reset, ignore the message. That includes one thing you did that you should avoid in future: do not click on links in the email, since the email itself might be fake.[1]
Since you’re seeing this happen first on one account and then on another in fairly quick succession, it appears that someone is targeting your user ID. They’re trying to see if your security is lax and if they can break in. Perhaps they’re looking to see, for example, if you have weak, easy-to-guess answers to security questions.
Outlook.com and Facebook are doing the right thing by using the information already in your account — like your alternate email address or associated phone number — to send you a message needing you to confirm before they do anything. It’s that message that you’re seeing.
In theory, there’s no way randomly asking for password resets like this could actually allow hackers into your account. I say “in theory” because your security relies on both you and the service provider doing the right thing. What is “the right thing”? For you, that means:
- A strong password.
- Secret questions and answers nobody could ever guess. Fortunately, these are falling out of favor and being used less frequently.
- Making sure you have an alternate email address on record — one you always have access to.
- Setting up a mobile or other phone number to which text or perhaps voice messages can be sent.
- Providing whatever other kinds of backup information that service uses to help protect your account.
- Using two-factor authentication where it’s available.
Not only does having those things set up help prevent hackers from gaining access in the first place, they are also the basis for account recovery should you ever lose your account.
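To show why an unsolicited reset request cannot by itself let anyone in, here is a small model of the provider-side flow described above, written as an added example (it is not code from Outlook.com, Facebook or this article). The account store, recovery contact and “outbox” are constructed stand-ins, and the password hash uses SHA-256 only as a placeholder for a real password hashing scheme.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # a reset link is only good for 15 minutes
MAX_REQUESTS_PER_WINDOW = 3      # per account, per window
WINDOW_SECONDS = 60 * 60

# Constructed sample account store: user id -> recovery contact and password hash.
ACCOUNTS = {
    "alice@example.com": {"recovery": "alice.backup@example.net", "pw_hash": "old-hash"},
}
_pending = {}      # sha256(token) -> (user_id, expires_at)
_requests = {}     # user_id -> timestamps of recent reset requests
outbox = []        # messages "sent" to recovery contacts (constructed, not real mail)

def request_reset(user_id):
    """What the 'I forgot my password' link does. Anyone can call it with any
    identifier: it never reveals whether the account exists, it rate-limits
    repeats, and the only thing that leaves the server is a one-time token
    delivered to the recovery contact already on file. The requester learns nothing."""
    generic = "If that account exists, a message has been sent to its recovery contact."
    acct = ACCOUNTS.get(user_id)
    if acct is None:
        return generic
    now = time.time()
    recent = [t for t in _requests.get(user_id, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        _requests[user_id] = recent
        return generic                  # silently drop the flood, same reply
    _requests[user_id] = recent + [now]
    token = secrets.token_urlsafe(32)
    # store only a hash of the token so a leaked database yields no usable links
    _pending[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + TOKEN_TTL_SECONDS)
    outbox.append({"to": acct["recovery"], "user": user_id, "token": token})
    return generic

def confirm_reset(token, new_password):
    """Only whoever holds an unexpired token from the recovery contact can change the password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)  # single use: a token works at most once
    if entry is None:
        return False
    user_id, expires_at = entry
    if time.time() > expires_at:
        return False
    ACCOUNTS[user_id]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```

The requester gets the same reply whether or not the account exists, and the password only changes when the token that went to the registered recovery contact comes back, which is exactly the confirmation message you were seeing.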
Finding out who
You and I aren’t able to get information about who might be trying to break into our accounts. There are a number of reasons for this, including protecting the privacy of an individual making an honest mistake. Perhaps it’s a typo that resulted in your email address when they honestly intended to enter their own. This happens to me often.
If your account is actually hacked, the information is still not available to us. If the situation is important enough to warrant law enforcement involvement, the service providers could make it available in response to a court order.
But a court order is probably the only way.
Hopefully, this article gave you a little peace of mind. If so, I’m pretty sure you’ll love Confident Computing! My weekly email newsletter is full of articles helping you solve problems, stay safe, and increase your confidence with technology.
Subscribe now and I’ll see you there soon,
Footnotes & References
1: OK, if you’re savvy enough to feel very, very confident that the mail is legitimate, you may click the link. It’s what I do when I’m certain.