Unrequested password reset messages

ProtonMail allows you to request a password reset if you forget your password. Here you can find instructions to reset your password.

However, if you receive an email from ProtonMail to reset your password which you did not request, this indicates that someone has correctly filled in the combination of your ProtonMail username and recovery email address, possibly by accident. This password reset email does not mean that your account has been compromised, and it is not an indicator of a data breach or leak. Additionally, this does not pose a security issue provided your recovery email account is not accessible to the person trying to reset your password.

If you did not request a password reset, you can ignore the message. If this happens repeatedly, you may want to consider changing your recovery email, especially if your ProtonMail username is the same as on your recovery email. This can be guessed by random people as well as by people who may want to deliberately spam you. 

How to prevent unsolicited password reset emails

If your recovery email is a Gmail address, you can try changing your recovery address to use a “+” alias to make it harder for an attacker to guess. For example, if your recovery email is example@gmail.com, you can change it to example+protonmail@gmail.com or example+recovery@gmail.com.

To further secure your email accounts, we recommend activating two-factor authentication (2FA) if you have not done so already.

We will also be implementing additional measures to make it harder for the password reset feature to be abused in the future.

If you have any further concerns regarding reset emails, please contact us at support@protonmail.ch.