NEWYou can now listen to Fox News articles!
You’re checking your inbox or scrolling through your phone when something catches your attention. It’s a message about a password reset, but you never asked for one.Â
It might have arrived by email, text message or even through an authenticator app. It looks legitimate, and it could be from a service you actually use. Still, something feels off.
Unrequested password reset messages are often an early warning sign that someone may be trying to access your account. In some cases, the alert is real. In others, it’s a fake message designed to trick you into clicking a malicious link. Either way, it means your personal information may be at risk, and it’s important to act quickly.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join.
10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE
Password spelled out on blocks   (Kurt “CyberGuy” Knutsson)
Why you’re receiving password reset emails you didn’t request
There are a few reasons this might happen:
- Someone is attempting unauthorized access: Hackers often test stolen credentials from data breaches to see where they still work. If they find an account tied to your email, triggering a password reset is one way they try to gain control.
- You are being targeted through phishing: Scammers send fake password reset emails or texts that look official. These often link to fake websites that steal your login credentials or install malware.
- You are experiencing a credential stuffing attack: This is when attackers use bots to flood login pages with known usernames and passwords. If anything matches, they will try to reset the password and lock you out.
- Your two-factor authentication is blocking the login: If you receive a prompt from your authenticator app but did not attempt to log in, it means someone has your correct password and is trying to break through your second layer of protection.
- You may be facing a SIM swap attempt: SMS-based two-factor authentication is vulnerable if someone hijacks your phone number. If you suddenly stop receiving texts or see password resets tied to SMS, contact your mobile provider immediately.
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
In some cases, the message is legitimate, as seen in the email below, but the request didn’t come from you. That is often a sign your login details are already in someone else’s hands.
Legit Microsoft password reset email (Kurt “CyberGuy” Knutsson)
HOW SIM SWAPPING LED TO A $1.8M CYBER FRAUD CASE
How to identify suspicious password reset attempts
Unsolicited password reset alerts can take several forms, each with signs of potential fraud or hacking:
- Email: Most services will send a password reset link to your inbox. If you didn’t request it, that is a red flag.
- Text message: You might receive a verification code or reset link via SMS. While many companies use text-based verification, scammers also send fake messages that mimic real ones.
- Authenticator app requests: This is often the clearest sign that someone already has your password. If you get a 2FA prompt you didn’t trigger, someone is trying to log in right now and needs your approval to finish the process.
No matter how the alert appears, the goal is the same. Either someone is trying to trick you into handing over your credentials, or they already have your password and are trying to finish the job.
Legit Microsoft sign-in request  (Kurt “CyberGuy” Knutsson)
1.7 BILLION PASSWORDS LEAKED ON DARK WEB AND WHY YOURS IS AT RISK
What to do if you receive an unrequested password reset
If you receive a password reset alert you didn’t request, treat it as a warning. Whether the message is legitimate or not, acting quickly can help prevent unauthorized access and stop an attack in progress. Here are the steps you should take right away.
1. Don’t click on anything in the message: If the alert came through email or text, avoid clicking any links. Instead, go directly to the official site or app to check your account. If the request was real, there will usually be a notification inside your account.
2. Check for suspicious login activity: Most accounts have a way to view your recent logins. Look for suspicious activity like unfamiliar devices, strange locations or logins you don’t recognize. A login from a location you have never been to could be a sign of a breach.
- Google accounts: Go to myaccount.google.com and open the Security tab to see recent devices and activity
- Apple ID: On your iPhone, iPad or Mac, open Settings (or System Settings on Mac), tap your name at the top, scroll down to view your list of signed-in devices and tap any unfamiliar one to select Remove from Account.
- Microsoft accounts: Visit account.microsoft.com, sign in, then go to Security > Sign-in activity to view recent access attempts
- Banking and social media platforms: Look under your profile or settings for login history or device management
3. Change your password: Even if nothing looks wrong, it’s a good idea to reset your password. Choose one that is long, complex and unique. Avoid reusing passwords across different accounts. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed Password Managers of 2025 here.
4. Scan your device for threats: If someone got access to your password, there is a chance your device is compromised. Use strong antivirus software to scan for keyloggers or spyware.
5. Report the incident: If the alert came from a suspicious message, report it. In Gmail, tap the three-dot menu and select Report phishing. For other services, use the official website to flag unauthorized activity. You can also file a report at the FBI’s Internet Crime Complaint Center if you suspect a scam.
A woman working on her laptop (Kurt “CyberGuy” Knutsson)
Steps you can take to eliminate password reset emails
You can take a few steps to try to reduce the number of emails you receive requesting a password reset.
1. Double-check your username and password. When accessing your account, you may have a typo in your login information. Should you repeatedly attempt to access your account with this error, the company that holds the account may believe a hacking attempt is occurring, triggering an automatic reset. If your web browser automatically populates your username and password for you, make sure this information is free of typos.
2. Remove unauthorized devices. Some accounts maintain a list of devices authorized to use your account. If a hacker manages to gain some of your personal information, it may be able to add one of his devices to your authorized list, triggering account login errors as he tries to hack your password. Check the list of authorized devices and remove any items you don’t recognize.Â
The process varies, depending on the type of account. We’ll cover steps for Microsoft, Gmail, Yahoo and AOL.
Microsoft
- Sign in to your Microsoft account at account.microsoft.com.
- Click your profile icon at the top right and select My Microsoft Account.
- Scroll down to find the Devices section and click View all devices.
- You’ll see a list of devices associated with your account. Click Show details for each one to review activity.
- If you see a device you don’t recognize or no longer use, click Remove device.
Steps to remove unauthorized devices from your Microsoft account. (Kurt “CyberGuy” Knutsson)
Gmail:
- Sign in at myaccount.google.com.
- Go to the Security tab in the left sidebar.
- Scroll down to the Your devices section and click Manage all devices.
- Review the list of signed-in devices. If you see any you don’t recognize, click the device and select Sign out.
Yahoo:
- Go to the Yahoo Account security page at help.yahoo.com/kb/account.
- Click on Recent activity.
- Review the list of devices and locations that have accessed your account.
- If you notice any unfamiliar activity, click Remove or Sign out next to the suspicious device.
AOL:
- Sign in to your AOL account and go to the Recent Activity page.
- Review the sections for Recent activity, Apps connected to your account and Recent account changes.
- If you find any activity or devices that you don’t recognize, click Sign out or Remove next to it.
Remember to regularly check your account settings and authorized devices to ensure the security of your accounts. If you suspect any unauthorized access, it’s also a good idea to change your passwords and review your account recovery options.
3. Sort such messages to spam. If you’d prefer to simply not see these kinds of email messages, set up your email client to sort messages like this to a spam folder. (Because many of them are spam, some email clients do this automatically.) Should you ever legitimately request a password reset, though, you’ll need to remember to look in the spam folder for the message.
4. Use a static IP address. Some accounts attempt to recognize your device through your IP address. If you have a dynamic IP address, your IP address changes constantly, meaning the account may not recognize your device, triggering the reset message. This often occurs because you are using a VPN. See if your VPN allows you to use a static IP address.
HOW SECURE IS MY PASSWORD? USE THIS TEST TO FIND OUTÂ
How to protect your accounts from future password attacks
Even if this was a one-time scare, it is important to tighten your overall security. Here are a few simple habits that go a long way:
1. Use strong and unique passwords: Use a password manager to create secure, one-of-a-kind passwords for each account. Get more details about my best expert-reviewed Password Managers of 2025 here.
2. Consider using a personal data removal service:Â If you’re receiving password reset emails from accounts you don’t remember signing up for, or from multiple services, there’s a good chance your personal information is exposed on data broker sites. These companies collect and sell your data, including your email, phone number, home address and even login information from old accounts. Using a reputable data removal service can help you automatically identify and request the removal of your personal data from these sites. This reduces your risk of identity theft, credential stuffing, phishing and spam.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap — and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here.Â
Get a free scan to find out if your personal information is already out on the web
3. Turn on two-factor authentication (2FA): Enabling 2FA is one of the most effective ways to stop unauthorized access, even if someone has your password. When 2FA is active, anyone trying to log in must also complete a second verification step, usually through an app on your phone. If an attacker triggers a login attempt, you will receive a prompt to approve or deny it. This gives you the power to block the attempt in real time and confirms that 2FA is working as intended.
4. Install strong antivirus software: Install strong antivirus software to catch malware before it causes harm. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
5. Review your account settings: Make sure your recovery phone number and email are current. Remove any outdated or unused backup methods.
6. Keep your software up to date: Keep your device software and apps up to date to patch security vulnerabilities that attackers often exploit.
7. Use a VPN to protect your online activity: Avoid public Wi-Fi or use a VPN to protect your information when browsing on unsecured networks. Consider using a VPN to protect against hackers snooping on your device as well. VPNs will protect you from those who want to track and identify your potential location and the websites that you visit. For best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices
Kurt’s key takeaways
It’s easy to brush off an unexpected password reset message, especially if nothing else seems out of place. But these alerts are often the digital equivalent of a knock at the door when you weren’t expecting anyone. Whether it’s a hacker probing for a way in or a scammer trying to bait you, the smartest move is to treat every unexpected security message as a wake-up call. Taking just a few minutes to check your login history, secure your accounts and update your passwords can make all the difference. Cybersecurity isn’t just for experts anymore. It’s an integral part of everyday life. And the more proactive you are now, the less likely you’ll be dealing with damage control later.
CLICK HERE TO GET THE FOX NEWS APP
Are tech companies doing enough to protect users from password threats, or are they putting too much responsibility on individuals? Let us know by writing to us at Cyberguy.com/Contact.Â
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/NewsletterÂ
Ask Kurt a question or let us know what stories you’d like us to cover
Follow Kurt on his social channels
Answers to the most asked CyberGuy questions:
New from Kurt:
Copyright 2025 CyberGuy.com. All rights reserved. Â
Kurt “CyberGuy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on “FOX & Friends.” Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.
