I randomly received a mail from Discourse stating that somebody asked to reset my password. I was watching a movie when that mail came; it was scary. I changed my password and authentication key right away.
There is probably nothing to worry about. Discourse will send that message to a user’s email address if someone clicks the “I forgot my password” link on the signup login form and enters the user’s email address into the form:
There is nothing preventing anyone from entering any email address into the form. This is standard practice for handling forgotten passwords on the web. The security feature that is built into this is that the password reset email is only sent to the email address that is entered into the form, so unless the person who triggered the email also has access to the email’s inbox, they will not be able to gain access to the site.
You might consider enabling second factor authentication on your Discourse account though. That will give you an added layer of security on the off chance that someone had access to your email account. You can enable two factor authentication from your Discourse account’s Security page. If you have any trouble setting it up, you can get some help with that on here.
It is unlikely you need to contact HackerOne about the issue. HackerOne is intended for people who have discovered a repeatable exploit in Discourse. I think what you are dealing with is the expected functionality of the “I forgot my password” form.
Edit: are you an admin on the site? If so, it’s possible that your email address is set in the site contact username setting. That email address is displayed on the site’s About page. It would be easy for someone to pull it from there. Ideally, all site staff will enable two factor authentication on their Discourse accounts.
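As an added illustration of the property described above (not Discourse's own code), here is a minimal forgot-password handler: the form always gives the same reply whatever address is typed in, a reset token is only created when the address matches an account, the mail goes to that stored address alone, and only a hash of the token is kept server side. The user table and outbox are constructed in-memory stand-ins.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample user table for this example (normalised email -> user id).
USERS = {"alice@example.com": 1, "admin@example.com": 2}
# Pending reset tokens: sha256(token) -> (user id, expiry). The raw token is never stored.
RESET_TOKENS = {}
# Stand-in for the mailer, so the test can check where mail was sent.
OUTBOX = []

GENERIC_REPLY = "If that address belongs to an account, a reset link has been emailed to it."


def request_password_reset(entered_email: str, now=None) -> str:
    """Handle the 'I forgot my password' form.

    Whoever submits the form gets the same reply, so the form cannot be used to
    discover which addresses have accounts. Mail is only ever sent to the address
    that was entered, and only when it matches an account, so the person who
    triggered it learns nothing unless they also control that inbox.
    """
    now = now or datetime.now(timezone.utc)
    address = entered_email.strip().lower()
    user_id = USERS.get(address)
    if user_id is not None:
        token = secrets.token_urlsafe(32)  # raw token goes only into the email
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = (user_id, now + timedelta(minutes=30))
        OUTBOX.append({"to": address, "token": token})
    return GENERIC_REPLY


def redeem_reset_token(token: str, now=None):
    """Return the user id for a valid, unexpired token, else None.

    Tokens are single use: a matching token is removed whether or not it expired.
    """
    now = now or datetime.now(timezone.utc)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    for stored_hash, (user_id, expiry) in list(RESET_TOKENS.items()):
        if hmac.compare_digest(stored_hash, token_hash):
            del RESET_TOKENS[stored_hash]
            return user_id if now < expiry else None
    return None
```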
Thank you for the prompt reply and I think you are right!
I don't have any sign up, only a login page. Just above the login page there is a short message showing my email address to contact me, and I think someone must have just used that email address to create a forgot password link. That's clever! I have changed the email address and it's not connected to any account now.
Thank you so much! When this happened, in a split second, I saw so many variations, trying to work on all possible outcomes.
Two factor authentication is on from the start.
Well, it was a false alarm, which I am glad to say, and from the bottom of my heart I would like to appreciate the amazing platform Discourse have made. I am very happy to use it!!
Those kinds of emails always freak me out a bit, so I get it.
There was actually a typo in my reply. The “forgot password” link is on the login modal, not the signup modal, so it’s likely that all they did is click that link and access the form.
Don’t use free and shady email services, excluding Gmail and Hotmail, but including mail.ru, alibaba etc. And use strong passwords plus a VPN when using free or otherwise unreliable wifi. Normal security measures.
But this has nothing to do with Discourse, though.
Advice on creating a password for your email account would be out of scope for this forum, though I’m sure you’ll find some good resources offered by your email provider for that.
As Jakke mentioned, it depends on your mail service; iCloud is probably fairly secure, but I am no expert about that.
Often there is an option for two factor authentication, which means you need both a password and a physical security key to login, or authentication code generated by an authentication app.
Admins can change (almost) every text here. Just go to admin > customize > text.
Even though that text is quite a general one, it works for (almost) every forum — just because things are so, requesting a new password is not any kind of security risk. It can be a bit annoying if it happens quite often (as happened on Instagram a while ago).