Hi, I'm running Meteor 1.2.1.
Hi, I have a serious issue I need help with.
Users have confirmed that password reset emails were sent to them and their passwords were changed. I just noticed because I also got a password reset email. I did not click it, it was unopened, and my email did not get compromised, nor did the other users', but their passwords got changed, and so did mine.
I can see the emails in the Mandrill backend. They have not been clicked or opened (Mandrill tracks this).
This happened to 5 users. I also do not know how someone knew their emails or mine (it was my private email).
(Brute-force email addresses?)
I did not change any code for a long time! So I am concerned this might happen again. Is there maybe any token entropy issue in older Meteor 1.2.1?
- My emails and other users' emails were sent through Mandrill. I changed the Mandrill API keys just to be sure. This is somehow the only vector I can really be unsure about.
- I checked my login method; everything works as it should. I need the token to change the password and log in.
- Access to my email and all other users' email is, I think, rather impossible. This happened in a 2-minute window.
- It needs the correct token for changing someone's password. How could someone get access to the token without access to their email?
Any idea would help me greatly.
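One concrete check a responder can run before guessing at causes is to pull the affected `users` documents out of MongoDB and look at the pending reset records themselves: are the tokens the expected shape and apparently random, is any token reused across accounts, and do the `when` timestamps cluster into the 2-minute window described above. The script below is an added example, not code from the original post or from Meteor; it assumes the accounts-password layout `services.password.reset = { token, email, when }` and that a healthy token is `Random.secret()`-style (43 base64url characters), and it runs over constructed sample documents embedded inline.

```javascript
// Added example, not code from the original post or from Meteor itself.
// Triage helper for a dump of Meteor's `users` collection after a suspicious
// burst of password resets. Assumptions (not confirmed by the post):
//  - accounts-password stores the pending reset as
//    services.password.reset = { token, email, when }
//  - a healthy token is Random.secret()-style: 43 base64url characters
'use strict';

const EXPECTED_TOKEN_LENGTH = 43;     // assumed Random.secret() default length
const BASE64URL = /^[A-Za-z0-9_-]+$/;
const MIN_BITS_PER_CHAR = 4;          // 43 random base64url chars score ~5.3

// Shannon entropy of the token's own character distribution (bits per char).
// Flags obviously degenerate tokens; it cannot prove a token was unpredictable.
function bitsPerChar(token) {
  const counts = new Map();
  for (const ch of token) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / token.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function toCluster(group) {
  return {
    ids: group.map((r) => r.id),
    start: new Date(group[0].when).toISOString(),
    spanSeconds: (group[group.length - 1].when - group[0].when) / 1000,
  };
}

// Returns { findings, clusters }:
//  findings - per-user token problems (short, wrong charset, low entropy, reused)
//  clusters - groups of >= 2 resets whose `when` fall within windowMs of the
//             group's earliest member (the "2 minute window" in the post)
function auditResetTokens(users, windowMs) {
  const findings = [];
  const resets = [];
  const seen = new Map(); // token -> first user id holding it

  for (const u of users) {
    const r = u.services && u.services.password && u.services.password.reset;
    if (!r) continue; // no pending reset on this account
    resets.push({ id: u._id, when: new Date(r.when).getTime() });

    const t = r.token;
    if (typeof t !== 'string' || t.length < EXPECTED_TOKEN_LENGTH) {
      findings.push({ id: u._id, issue: 'short-token' });
    } else if (!BASE64URL.test(t)) {
      findings.push({ id: u._id, issue: 'unexpected-charset' });
    } else if (bitsPerChar(t) < MIN_BITS_PER_CHAR) {
      findings.push({ id: u._id, issue: 'low-entropy' });
    }
    if (seen.has(t)) findings.push({ id: u._id, issue: 'duplicate-token', dupOf: seen.get(t) });
    else if (typeof t === 'string') seen.set(t, u._id);
  }

  // Sort by time and group resets that start within windowMs of a group's first member.
  resets.sort((a, b) => a.when - b.when);
  const clusters = [];
  let group = [];
  for (const r of resets) {
    if (group.length && r.when - group[0].when > windowMs) {
      if (group.length >= 2) clusters.push(toCluster(group));
      group = [];
    }
    group.push(r);
  }
  if (group.length >= 2) clusters.push(toCluster(group));
  return { findings, clusters };
}

// Constructed sample documents (hypothetical ids, emails, tokens and times).
const TOKEN_OK = 'k3Vv0qA-Z8nL_2pXyR7tM4bC9wQeH1sJ6dU5fG0iN8o'; // 43 chars
const reset = (token, when) => ({ password: { reset: { token, email: 'x@example.com', when } } });
const SAMPLE_USERS = [
  { _id: 'u5', services: reset([...TOKEN_OK].reverse().join(''), '2016-01-01T10:00:00Z') },
  { _id: 'u1', services: reset(TOKEN_OK, '2016-01-01T12:00:00Z') },
  { _id: 'u2', services: reset('abc123', '2016-01-01T12:00:30Z') },
  { _id: 'u3', services: reset('a'.repeat(43), '2016-01-01T12:01:10Z') },
  { _id: 'u4', services: reset(TOKEN_OK, '2016-01-01T12:01:50Z') },
  { _id: 'u6', services: { password: { bcrypt: '<hash>' } } }, // no pending reset
];

console.log(JSON.stringify(auditResetTokens(SAMPLE_USERS, 2 * 60 * 1000), null, 2));
```

Feed it the real documents with something like `mongoexport --collection users --jsonArray` and a `JSON.parse` of the file; a run that reports only a timing cluster and no token findings tells you the tokens themselves looked fine and the investigation should move to where the tokens could have been read, while short, reused or degenerate tokens would point back at generation.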