
Why did I get a password reminder I didn't ask for?

Question:

On my Hotmail account I received an email from AOL stating "here is your
password you have requested" and it gave me the correct password to an old
email account that I have not used in years. No one from my household requested
a forgotten password. Why would I receive this email? Is this something a virus
could do or an outside source? I am concerned someone out there is trying to
gain access to my computer.

It's kinda spooky when that happens, but happen it does. It's particularly
unnerving when the password reminder is "correct" - meaning that it's reminding
you of your correct password. That tells us something, but for the most part
what to do next is usually the same regardless.


Since the reminder included your actual password, you know it's real. In
your case, it's a real password reminder generated from AOL in response to
someone asking for it. Had it not had your correct password, I would have
immediately assumed it was nothing more than a phishing attempt.

I can think of several ways this might happen:

  • Someone entered your email address on an AOL password reminder form. I'm not
    really sure why they would do this intentionally, unless they thought that the
    password would be displayed instead of emailed. Password reminders are safe
    explicitly because they're emailed to the account owner - only someone with
    access to the account would be able to get the reminder. More likely is that
    someone mistyped their own email address, and entered yours by mistake.

  • If you've registered on a bulletin board, mailing list or a discussion
    group, you'll usually need to provide a valid email address for activation.
    That same email address is used to send you your password reminder should you
    ask for it. This is the same scenario as above: most likely someone mistyped
    their registration name, typing yours instead, and the password reminder was
    sent to you instead of them.

  • Some mailing list software, a package called "mailman" in particular, is
    configured to send out monthly password reminders by default. If you're on a
    mailman-hosted mailing list, this might be the cause.

  • There's a small possibility that a web crawler or spider is hitting all
    links on various web pages, and one of those happened to be a password reminder
    link with your account. Conceivable, but highly unlikely.

My money is on someone mistyping or misremembering their own account or
email name, and entering yours by mistake.

Real or phishing, the next step for you to take is actually quite
simple.

Delete the mail.

Don't click on any links in it, don't act on it, just delete it. Whoever
requested your password - regardless of their intention - did not get it. You
did.

If you are particularly concerned, you might consider changing the password
on that account as a precautionary measure.

And finally, let's be clear: this isn't about getting access to your
computer, this is about your email or other account on-line. Passwords on and
to your computer are not dealt with via email.


3 comments on “Why did I get a password reminder I didn't ask for?”

  1. Check the headers; another possibility is that that email was “lost in the ether” for years (e.g. that a server had it queued up, was taken offline for some period of time, brought back online, and emptied its queue… bingo, you get your old email ;-)… it's a stretch, but stranger things have happened (I’ve seen this with emails on the order of a month old ;-).
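
The header check suggested in the comment above, as an added example that is not part of the original article or comment: it reads the `Received` headers of a constructed sample message (all hosts, addresses and dates are made up) and reports the hop where the message sat longest in transit.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts, addresses and dates are made up.
SAMPLE = """\
Received: from mx.recipient.example (10.0.0.5) by mailbox.recipient.example;
 Tue, 14 Apr 2009 09:12:40 -0700
Received: from relay.sender.example (192.0.2.10) by mx.recipient.example;
 Tue, 14 Apr 2009 09:12:31 -0700
Received: from web.sender.example (192.0.2.20) by relay.sender.example;
 Sat, 14 Mar 2009 16:02:05 +0000
Date: Sat, 14 Mar 2009 16:02:03 +0000
From: reminders@sender.example
To: user@recipient.example
Subject: Your password reminder

(body omitted)
"""

def hop_times(raw):
    """Return (hop description, timestamp) pairs, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received header, so reverse for time order.
    for header in reversed(msg.get_all("Received", [])):
        # The timestamp follows the last ';' in a Received header.
        route, _, stamp = header.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # skip hops with a missing or malformed date
        hops.append((" ".join(route.split()), when))
    return hops

def slowest_hop(raw):
    """Return (seconds, hop description) for the largest gap between hops."""
    msg = message_from_string(raw)
    previous = parsedate_to_datetime(msg["Date"])  # when the sender wrote it
    worst = (0.0, "")
    for route, when in hop_times(raw):
        gap = (when - previous).total_seconds()
        if gap > worst[0]:
            worst = (gap, route)
        previous = when
    return worst

if __name__ == "__main__":
    seconds, route = slowest_hop(SAMPLE)
    print(f"Longest delay: {seconds / 86400:.1f} days at: {route}")
```

Timestamps are written by each server from its own clock, so small gaps of a few seconds or slightly negative values are normal; only a large gap at a single hop points to a message that sat in a queue.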
