HACKER Q&A
📣 Fabricio20

What to do when a botnet is requesting password resets?


Hey there HN, I'm currently having an issue on one of my accounts where what seems like a botnet is constantly sending password reset requests on it. This has been going on for more than a week now.

I have contacted the service in particular (part of GAFAM) and their account security department told me there is nothing that can be done in this case and I should just disregard the emails.

I now ask you, HN, what can _we_ as developers do to prevent this from happening on our services? Limit the amount of password reset requests for an account? (still doesn't solve the issue), etc. As I, genuinely, have not managed to come up with a solution.


  👤 some_furry Accepted Answer ✓
Adding a rate limit to the number of password reset emails in a given day or hour is trivial.

    // Count the reset tokens issued for this account in the last hour (PDO, PostgreSQL)
    $stmt = $db->prepare("SELECT count(*) FROM account_reset_tokens WHERE accountid = ? AND (NOW() - created) < '1 hour'::interval");
    $stmt->execute([$accountId]);
    $count = (int) $stmt->fetchColumn();

    if ($count > 3) {
        throw new RateLimitException();
    }
You could also restrict based on IP, but that doesn't specifically help with the botnet.

That's what developers can do. What developers should do is consider what prevents their customer support funnel from getting overloaded.
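The per-account limit described in this answer, written out as an added Python example (not code from the post or from any particular service). It keys the window on the account rather than the requester's IP, since a botnet spreads its requests across many addresses while the victim's inbox is the one thing being flooded, and it returns the same response whether or not a mail was actually sent so the endpoint does not reveal which accounts exist or are being throttled. The `clock` parameter, the in-memory store and the `mailer` callback are assumptions for the sake of a self-contained demo; a real deployment would back the window with the database query shown above.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class ResetRateLimiter:
    """Sliding-window limit on password-reset emails, keyed per account.

    Assumed in-memory store; the window logic is the same one the SQL
    count in the answer above implements against a token table.
    """
    max_per_window: int = 3          # mails allowed per account per window
    window_seconds: int = 3600       # one hour, as in the answer
    clock: Callable[[], float] = time.time   # injectable for testing
    _sent: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def _prune(self, account_id: str, now: float) -> Deque[float]:
        """Drop send timestamps that have aged out of the window."""
        q = self._sent[account_id]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def allow(self, account_id: str) -> bool:
        """Return True (and record the send) if another mail may go out."""
        now = self.clock()
        q = self._prune(account_id, now)
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True


def request_password_reset(limiter: ResetRateLimiter,
                           mailer: Callable[[str], None],
                           account_id: str,
                           log: List[Tuple[str, str]]) -> str:
    """Handle one reset request.

    The message returned to the requester is identical in every case, so
    neither account existence nor throttling state leaks; the difference
    between 'sent' and 'suppressed' is visible only in the server log,
    which is where a sustained flood against one account shows up.
    """
    if limiter.allow(account_id):
        mailer(account_id)
        log.append(("sent", account_id))
    else:
        log.append(("suppressed", account_id))
    return "If that account exists, a reset link has been sent."


if __name__ == "__main__":
    # Constructed demo: five requests for one account inside one hour.
    fake_now = [1_000.0]
    limiter = ResetRateLimiter(clock=lambda: fake_now[0])
    sent: List[str] = []
    log: List[Tuple[str, str]] = []
    for _ in range(5):
        request_password_reset(limiter, sent.append, "victim@example.com", log)
    print(sent)                       # three mails actually went out
    print([entry[0] for entry in log])  # sent x3, then suppressed x2
```

The suppressed requests are the signal worth alerting on: a single account exceeding the window repeatedly over days is exactly the pattern the question describes, and it is visible here without any per-IP bookkeeping.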


👤 benologist
I think we need to make it more obvious when account access occurs for users. If they can see their request logs they can investigate themselves, maybe even identify the cause or instigator.

I think letting users define restrictions on their accounts would help too, like a firewall for which countries or cities etc can access their account, schedules for when signing in can occur or when it is disabled etc. Most people could just select their city and waking hours.
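The two ideas in this comment, a user-visible access log and user-defined restrictions on country and time of day, as an added Python example that is not code from the comment or from any real service. The country of a request is assumed to be supplied by the caller (for example from a GeoIP lookup performed elsewhere), the policy stores a fixed-offset `tzinfo` so the example runs without a system timezone database, and the sign-in window is allowed to wrap past midnight so a "22:00 to 06:00" schedule works as well as waking hours.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, List, Set


@dataclass
class AccessPolicy:
    """User-chosen restrictions on when and from where sign-in may occur.

    Assumed shape; the comment above only sketches the idea.
    """
    allowed_countries: Set[str]          # ISO 3166-1 alpha-2 codes
    active_from: time                    # local time sign-in opens
    active_until: time                   # local time sign-in closes
    tz: tzinfo = timezone.utc            # user's local zone

    def _within_hours(self, local: time) -> bool:
        # A window that wraps past midnight (e.g. 22:00..06:00) is the
        # complement of the non-wrapping case.
        if self.active_from <= self.active_until:
            return self.active_from <= local <= self.active_until
        return local >= self.active_from or local <= self.active_until

    def permits(self, country: str, at_utc: datetime) -> bool:
        local = at_utc.astimezone(self.tz).time()
        return country in self.allowed_countries and self._within_hours(local)


@dataclass
class AccessLogEntry:
    when_utc: datetime
    country: str
    ip: str
    allowed: bool
    reason: str


@dataclass
class AccountAccessLog:
    """Per-account history the user can review, as the comment proposes."""
    entries: List[AccessLogEntry] = field(default_factory=list)

    def denied_by_country(self) -> Dict[str, int]:
        """Summary a user could read to spot where attempts come from."""
        counts: Dict[str, int] = {}
        for e in self.entries:
            if not e.allowed:
                counts[e.country] = counts.get(e.country, 0) + 1
        return counts


def evaluate_sign_in(policy: AccessPolicy, log: AccountAccessLog,
                     country: str, ip: str, at_utc: datetime) -> bool:
    """Apply the user's policy to one sign-in attempt and record the outcome."""
    if country not in policy.allowed_countries:
        reason = "country not in allow-list"
    elif not policy._within_hours(at_utc.astimezone(policy.tz).time()):
        reason = "outside permitted hours"
    else:
        reason = "policy satisfied"
    allowed = reason == "policy satisfied"
    log.entries.append(AccessLogEntry(at_utc, country, ip, allowed, reason))
    return allowed


if __name__ == "__main__":
    # Constructed demo: a user in UTC-3 who allows sign-in only from BR, 07:00..23:00.
    policy = AccessPolicy({"BR"}, time(7, 0), time(23, 0),
                          tz=timezone(timedelta(hours=-3)))
    log = AccountAccessLog()
    evaluate_sign_in(policy, log, "BR", "203.0.113.10",
                     datetime(2024, 1, 15, 15, 0, tzinfo=timezone.utc))  # 12:00 local
    evaluate_sign_in(policy, log, "US", "198.51.100.7",
                     datetime(2024, 1, 15, 15, 0, tzinfo=timezone.utc))
    evaluate_sign_in(policy, log, "BR", "203.0.113.11",
                     datetime(2024, 1, 15, 5, 0, tzinfo=timezone.utc))   # 02:00 local
    for e in log.entries:
        print(e.country, e.ip, e.allowed, e.reason)
    print(log.denied_by_country())
```

The log deliberately records denied attempts with their reason; the comment's point is that a user who can see a stream of out-of-hours or out-of-country attempts against their own account is in a position to notice and report it, rather than receiving only the side effect (reset emails) as in the question.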


👤 atrilumen
Stop implementing them, and move to key & pin. Use backup keys instead of resets. Stop depending on email and SMS.