I got that for Snap! as well, just one email, not a pile. I changed the password from inside Snap! since I happened to be working in an editor window logged-in.
Correction, I now have 3 of those emails
If you get a password-change email you didn't request:
1. Don't panic!
2. Delete the email.
3. No need to change your password.
We've had this sort of attack before, and we'll have them again, but they're ultimately harmless. See step 1 above.
Happening again. (with netsblox)
So, I can tell the spammer is reading the forum, because I just got hundreds of temp passwords for netsblox. I know that they're reading the forum because I doubt they could've known I had an account without reading this post
I just got these.
I wouldn't change your password if I were you
Hi @joecooldoo! Just wanted to let you (or anyone else looking for information about the password reset emails in NetsBlox) know that I just made an announcement in the NetsBlox forum! (Excessive Password Reset Emails | NetsBlox). (I am trying not to hijack the thread.)
I am having problems logging in...
Then dm him
I did change my password, figured either if a hacker reset my password (even though I didn't approve in the email), I reset it again and locked him out -- either that or Snap! is trying to get everybody to reset their passwords.
I'm a bit late, but someone attacked my netsblox account as well, and I cannot log in at all.
It does not recognize my password, probably changed.
Are you sure you're typing in the right password? I was able to log into my account after it was attacked with the password reset spam (using my password, not any that was in the emails).
As far as I'm aware, I'm typing it 100% correctly, no mistakes, I tried several times and I never got in.
Well, then you can try resetting your password by clicking forgot password, then log in with the temporary password it sends you, it might work. If it doesn't, email Brian.
To help people understand the issue, the way every system with passwords deals with the situation in which you've forgotten your password is to send an email (which is why you have to supply an email address when you sign up) that contains a unique, time-limited URL that allows you to enter a new password. (Very long ago, when dinosaurs walked the earth, it used to be that a sysadmin could just look up your password and tell it to you, but that was very insecure because it left unencrypted passwords on the net for bad guys to steal, so now passwords are stored encrypted and nobody can find out your password. Thus, since they can't tell you your password, they have to have a way to let you pick a new one.)
The crucial point is that the password reset URL is emailed to you, so unless your email account is insecure, it doesn't matter how many of those reset emails you get; you can just ignore them and keep using your existing password.
Everyone is saying not to change your password for two reasons. First, just because you got that email doesn't mean the bad guy can read it. In fact, getting a lot of such emails should make you less worried, not more, because it means that the bad guy is just sending them to everyone, rather than targeting you in particular.
Second, if it is just you getting them, then there is a small but nonzero chance that the bad guy has figured out a way to redirect URLs that you enter into your browser so they go to his computer instead of your service provider's computer. In that case, if you click on the reset link, the bad guy will have the URL and can use it to change your password.