Koodo Community
Question

14 emails requesting password change. Never requested.


So far, I have received 13 emails apparently from Koodo saying that I had requested an email password change. Never once have I done this. I don’t know why I keep getting the same annoying email - today was #13!  There’s not an option to opt out or to unsubscribe from this frustrating annoyance.  All I can seem to do is send it into my spam folder but yet, they still come!  How do I make them stop?


12 replies

Userlevel 7
Badge +4

Doesn’t it worry you that someone has obviously requested a password change using your address, not just once, but incessantly? I would definitely get to the bottom of that. First, make sure you change your password into a very difficult one (I suggest a password manager). Also, you may want to change your email address on file with Koodo so that scammers don’t know what your actual email is.

In summary, if I were you, I’d worry just a little and do more than just using the spam folder to make it look like the problem has gone away.

I’ve gotten 2 emails so far. I tried calling the number in the email, but it tells me to use Koodo Assist, but I can’t seem to schedule a callback on there. I tried contacting Koodo via Twitter. This was their explanation: “There was some work done by our web developers on the self-serve platform, so the email may be an error on our end and if that's the case, we apologize”. I was then advised to call them to make sure there’s nothing wrong with my account. So I’m going around in circles...

Userlevel 7
Badge +4

Have you tried typing in “schedule a callback” on Koodo Assist? It will then give you a few time slots to choose from. You can try again in the morning. https://Koo.do/Chat 

I have been having the exact same problem. Their system just puts you into an endless loop, with nowhere to request a call back.

Userlevel 7
Badge +4

I tried to do it on Koodo Assist and it worked for me. Did you sign in to your Self-Serve account, give them your phone number, name, and describe the issue you are experiencing?

Userlevel 1

Doesn’t it worry you that someone has obviously requested a password change using your address, not just once, but incessantly? I would definitely get to the bottom of that. First, make sure you change your password into a very difficult one (I suggest a password manager). Also, you may want to change your email address on file with Koodo so that scammers don’t know what your actual email is.

In summary, if I were you, I’d worry just a little and do more than just using the spam folder to make it look like the problem has gone away.

This reply is basically to everyone on this thread.

You cannot “get to the bottom of that” without information.  All that person knows is that the Koodo system has sent out the email for a password reset request.   The first thing to know would be all of the possible things that could trigger this message.

There is no advantage to a hacker to get you to reset your password, unless the hacker is expecting you to reset it to a previously known or guessable password. If the message is triggered automatically every X password guess failures, then if you know how many guesses they get per message you can figure out the number of guesses over what time interval and how long it would take them, on average, to crack your password, which would likely be a very long time unless you stick to certain password formats (e.g. “FuzzyBunny#29”, “FuzzyBunny#30”, etc.) and if the attacker has enough samples (usually outdated ones on cracked websites) to know your pattern. There is also no reason to assume that Patty’s current password is not a sufficiently difficult one.

If a user’s recovery email address is known by hackers, the only way that can be resolved is by creating a new one and a new password and moving recovery on all of the sites that used that email as your recovery email to the new one, and hoping that none of those sites are compromised or you’ve wasted your time.

There is also no reason to assume that it’s due to an attack.  If that alert can be triggered due to password failures, it could be triggered by faulty, misconfigured, partially-configured, or non-configured apps.  If the alert is an attempt by Koodo itself to say “your password is stale or weak; please change it” then this is confusing customers by telling them a password reset was requested when in fact it was not.

Does anyone have the answers to my questions:  1) What is a complete list of things that can trigger these emails?  2) If on bad password, how many login failures does it take to generate a message?  3)  Can the Koodo website itself send this message without external input/request?  If so, in what instances?

I also think that Koodo needs to 1) rewrite the message to indicate what caused the password request (reset submission or failed logins or system or whatnot), 2) eliminate the pointless request in the message to call Koodo and instead direct customers to a more appropriate help page or system, and 3) create some self-help articles on this email, such as when you should get worried if you keep receiving it, and what to do about it once you should get worried.

Thanks.
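
The estimate described in the post above, worked through as an added example that is not part of the original thread. It assumes, hypothetically, that each email marks a fixed number of failed logins (`FAILURES_PER_EMAIL`, a value Koodo has not confirmed); the timestamps and candidate counts are constructed.

```python
from datetime import datetime

# Constructed sample: arrival times of the "password reset requested" emails.
EMAIL_TIMES = [
    "2021-03-01 09:00", "2021-03-03 21:00", "2021-03-06 09:00",
    "2021-03-08 21:00", "2021-03-11 09:00",
]
FAILURES_PER_EMAIL = 5  # hypothetical "X" from the post; not a known Koodo setting

# Constructed candidate spaces: how many passwords a guesser must consider.
SPACES = {
    "known base word + 2-digit suffix": 10 ** 2,
    "random 20 chars from 94 printable ASCII": 94 ** 20,
}

def guesses_per_day(email_times, failures_per_email):
    """Observed guess rate, assuming each email marks a full batch of failures."""
    stamps = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M") for t in email_times)
    if len(stamps) < 2:
        raise ValueError("need at least two emails to measure a rate")
    span_days = (stamps[-1] - stamps[0]).total_seconds() / 86400
    if span_days == 0:
        raise ValueError("emails must arrive at different times")
    # The first email closes a batch that began before the window,
    # so only the intervals between emails are counted.
    return (len(stamps) - 1) * failures_per_email / span_days

def expected_days_to_guess(candidate_count, rate_per_day):
    """Average days to hit one password drawn uniformly from the candidates."""
    # Guessing without repeats finds the target after (N + 1) / 2 tries on average.
    return (candidate_count + 1) / 2 / rate_per_day

def report(email_times, failures_per_email, spaces):
    """Expected days to a correct guess for each candidate space."""
    rate = guesses_per_day(email_times, failures_per_email)
    return {name: expected_days_to_guess(n, rate) for name, n in spaces.items()}

if __name__ == "__main__":
    for name, days in report(EMAIL_TIMES, FAILURES_PER_EMAIL, SPACES).items():
        print(f"{name}: about {days:.3g} days on average")
```
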

Userlevel 7
Badge +4

My point was that if I received an email from a company informing me that someone or something has entered MY email address 14 times to request a password reset, I wouldn’t chuck those emails in spam. At the very least, I’d call the company and ask them what’s going on. Basically, to ask your three questions.

I would definitely NOT treat the event as a nuisance and try to ignore it by placing those emails in spam, even huffily asking the company to stop sending me those important messages.

Changing a password to a very difficult one (randomly generated 20+ character) would be my first step, just to make sure at least my end is safe.

Userlevel 1

My problem with this is that there are far too many things that don’t make sense.  If an attacker had the reset email, they should have spent at most a few shots at the Koodo account and then concentrated their efforts on the higher value reset email account, unless they had some idea as to what the Koodo password would be.  If they don’t have this info and are just causing a system message due to failed logins, then the system message is doubly misleading.  Also, we don’t know if there’s even an attack.  I’d expect at least some form of automatic detection and flagging of an account under attack and an email more informative than “If it wasn’t you requesting a password reset by typing in your email address, please call us at a phone number that we no longer use”.

The reason I’m chatting here is that I received a few of these messages, generally a few days or weeks apart.  At first I thought it might be a misconfigured app or bad setting that was automatically executing at cell phone reboot or on particular screens.

I also went to my challenge question and changed it, whereupon it took me to a success screen which wouldn’t load, making me doubt its success, and then I got 2 success emails, so now I’m not sure if it was changed, and if so, whether it was changed properly.

Userlevel 7
Badge +4

In your case, I would suggest you follow the advice of the email and contact Koodo. If they are sending those emails in error they'd want to know about it, and hopefully find the rogue program or routine that caused it.

Userlevel 1

A previous set of posts 3 months ago indicates that a person received several of these emails and Koodo said they weren’t from the system.  If it’s from a scammer, I don’t see the purpose, as the email address and links appear to be legit, pointing back at the Koodo website.

This is happening to me constantly - I’ve received one of these email notifications about every 2 or 3 days for the past two weeks. I’ve changed my password twice, to auto-generated ones. I did call Koodo once (it takes forever, and I simply don’t have time to do that every time I get an email). The assistant told me that the emails are likely sent in error, and to ignore them.

This is mind-boggling on several levels. Many other login systems use the reverse logic - “If this was NOT you, ignore this email, your account is still safe.”  Why does Koodo insist on having us call them?

Why does Koodo not have a two-step verification setup? They could block all login attempts that do not enter an auto-generated code sent by text, just like Telus does.

Userlevel 1

I agree that Koodo should probably have worded the email “If this was not you, ignore this email; your account is still safe”, and that probably cost them a LOT of person-hours of support.

The only ones you would need to actually take action on would be if an email was added or removed, or a password was actually changed, or your account was locked out.