We got a report from a constituent that says they received an unsolicited password reset email. Why did this happen and is there anything we should be doing about this?
The first thing to verify is whether the constituent was newly registered shortly before receiving the email. If someone is registered in a way that does not let them set their own password (such as through a survey or donation form), they will generally receive a welcome email containing a link to set a password, and their email address will be used as their username by default. The link in the welcome email triggers a password reset email so they can set their password. If this does not apply to your constituent, be advised that an unexpected reset email still does not, by itself, imply any security threat to the constituent or your organization.
If you can determine that the constituent took no action prior to the email that could have triggered a password reset, then it may have been the result of a third party operating a web bot. The people who operate these bots often obtain large lists of email addresses as potential targets for scams. Erroneous password reset emails are most often sent to constituents whose username is the same as their email address. Bots constantly prowl the Internet to test information obtained from various sources; if a bot knows the constituent's email address and was programmed to submit that address in username fields, then in this case it simply guessed the username correctly. Fortunately, nothing more can be done with this information, since the operator most likely does not have access to the constituent's email account and therefore cannot complete the reset. Just for good measure, advise the constituent to change their username and password for Luminate.
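The probing behavior described above leaves a recognizable trace: one source submitting reset requests for many distinct usernames in a short time, while a real constituent typically requests a reset for a single account. The following is an added example (not Luminate Online code and not part of the original article) showing how an organization could scan an exported log of password-reset requests for that pattern; the log format, the field names and the sample lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Luminate output). One password-reset request
# per line: "timestamp source_ip submitted_username outcome". An outcome of
# "sent" means the username matched an account and a reset email went out.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice@example.org sent
2024-05-01T09:00:02Z 203.0.113.7 bob@example.org sent
2024-05-01T09:00:02Z 203.0.113.7 carol@example.org no_account
2024-05-01T09:00:03Z 203.0.113.7 dave@example.org sent
2024-05-01T09:00:04Z 203.0.113.7 erin@example.org no_account
2024-05-01T09:00:05Z 203.0.113.7 frank@example.org sent
2024-05-01T10:15:30Z 198.51.100.20 grace@example.org sent
2024-05-01T10:16:02Z 198.51.100.20 grace@example.org sent
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip,
            "user": user.lower(),  # usernames compared case-insensitively
            "outcome": outcome,
        })
    return events


def find_probing_sources(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: sorted usernames it tried} for every source that
    requested resets for at least `threshold` distinct usernames within any
    `window`-long span. A single constituent retrying their own reset does not
    trip this, because the distinct-username count stays at one."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                # Record everything this source tried, not just the window.
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged


def affected_constituents(events, flagged):
    """Usernames that actually received a reset email because of a flagged
    source: these are the constituents who will report an unsolicited email
    and should be advised to change their username and password."""
    return sorted({
        e["user"] for e in events
        if e["ip"] in flagged and e["outcome"] == "sent"
    })


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bots = find_probing_sources(evs)
    for ip, users in bots.items():
        print(f"probing source {ip}: {len(users)} distinct usernames tried")
    print("constituents to contact:", affected_constituents(evs, bots))
```

With the sample data, the first source is flagged because it tried six different email-style usernames in five seconds, while the second source, which only retried one account, is not. The "sent" outcomes from the flagged source are exactly the constituents who will ask why they got a reset email; the "no_account" outcomes show that the bot was guessing, which matches the article's point that it only succeeds when the username happens to equal the email address.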
Note: The security and compliance of Luminate Online adhere to industry standards, and the kind of behavior described here can occur on any electronic form or password-recovery page.