Hi Folks,
Apologies for some delay in actually addressing this, I've been away for a long weekend and haven't had time before now to look into this issue, much less put something in place to mitigate it.
We've been made aware that some users that appear to have signed up for accounts in some other communities where the e-mail address is the same as the one with the forums here have been targeted with password reset spam from our forum software.
Unfortunately Flarum does not natively support any sort of rate limiting / cool-downs when it comes to these password resets; while this is concerning and somewhat unfortunate, it does mean this isn't a simple fix.
As a temporary tactical solution to ensure users are not able to be targeted further with such spam, we've made configuration changes to our server and are actively preventing password resets from being triggered. Users will temporarily see something similar to this screenshot if they attempt a password reset:
We are going to be flagging this back to Flarum's developers to see if there is a recommended solution in this case, as it's clearly been abused by hostile actors and there is frankly no reason any legitimate user would need to trigger a password reset 100+ times in under 60 seconds…
As we're all aware though, Flarum haven't historically been great at remedying these sorts of issues, so we're going to be looking at making some further server configuration changes to our Flarum instance, in the hopes that we can "Patch" the problem and mandate some form of rate limiting that will at the very least make it harder to abuse this issue in the future.
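As an added example (not code from the original post, and not part of Flarum), the block below shows the kind of per-client cool-down described above: each client gets a small number of password-reset requests per time window, and further requests are refused until it has been quiet again. It assumes Flarum's forgot-password route is `POST /api/forgot`, picks a limit of 5 requests per 60 seconds purely for illustration, and replays constructed access-log lines so the policy can be tested against an incident before it is enforced.

```python
"""Sliding-window rate limiting for password-reset requests.

Added example; not code from the original post or from Flarum. The API path,
thresholds and log lines are assumptions chosen for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

RESET_PATH = "/api/forgot"  # assumed: Flarum's forgot-password API route
LIMIT = 5                   # assumed policy: at most 5 reset requests ...
WINDOW_SECONDS = 60         # ... per client per 60-second window

# Matches the constructed combined-log-format lines used by replay_log().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


class ResetRateLimiter:
    """Per-key sliding-window counter (key = client IP, or target e-mail)."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        # Keep only the most recent limit+1 attempts per key, so a flood
        # cannot grow memory without bound.
        self._attempts = defaultdict(lambda: deque(maxlen=limit + 1))

    def allow(self, key, now):
        """Record an attempt at time `now` (seconds) and say whether to serve it.

        Refused attempts are recorded as well, so a client that keeps
        hammering stays blocked until its recent attempts thin out.
        """
        q = self._attempts[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop attempts older than the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def parse_timestamp(text):
    """Parse '10/Apr/2023:12:00:00 +0000' (common log format) to epoch seconds."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def replay_log(lines, limit=LIMIT, window=WINDOW_SECONDS):
    """Run the limiter over access-log lines; return {ip: refused_count}.

    Lets an operator see what a candidate policy would have blocked in an
    incident like the one described above before switching it on.
    """
    limiter = ResetRateLimiter(limit, window)
    refused = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RESET_PATH:
            continue  # only password-reset POSTs count toward the limit
        if not limiter.allow(m["ip"], parse_timestamp(m["ts"])):
            refused[m["ip"]] += 1
    return dict(refused)


# Constructed sample: one client firing resets far faster than a person would,
# plus one ordinary client. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Apr/2023:12:00:{s:02d} +0000] "POST /api/forgot HTTP/1.1" 204 0'
    for s in range(0, 16, 2)  # 8 reset requests in 14 seconds
] + [
    '203.0.113.9 - - [10/Apr/2023:12:00:05 +0000] "POST /api/forgot HTTP/1.1" 204 0',
    '203.0.113.9 - - [10/Apr/2023:12:00:06 +0000] "GET /d/123 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(replay_log(SAMPLE_LOG))  # {'198.51.100.7': 3}
```

In practice the same counter is worth keying on the target e-mail address as well as the source IP, since the victim in the incident above is identified by e-mail regardless of where the requests come from; a front-end web server's own request limiting (for example nginx's `limit_req` on the reset path) achieves the IP-based half without touching Flarum.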
The root cause of the issue appears to be users signing up with the same e-mail. As a recommendation, I would suggest that if you're signing up for new websites / services, you should consider "alias" e-mails. Google have a few ways to do this on Gmail, the most common being the "+" symbol in e-mail addresses (in the screenshot it could have been ryan+totalfreedomforums@gmail.com), and that way these sorts of attacks can be mitigated (plus, if you suddenly find accounts "compromised" but you're not sure where from, the e-mail address will be a dead give-away!).
ProtonMail has something similar, and allows you to reply to e-mails you receive at that alias: https://protonmail.com/support/knowle…es-and-aliases/
Outlook.com also appears to have something similar, but I unfortunately can't find a direct source, so your mileage may vary - https://www.ghacks.net/2013/09/17/can…es-outlook-com/