I just received an email from 'accountverification@hubitat.com' giving me back my user name.
Has this happened to anyone else? Has there been a security breach on my network? Any advice as I'm worried about security now...
SMTP is pretty easy to spoof. Examine the raw SMTP headers to look at the path to you, see if it’s genuine.
It seems like it came from the Hubitat username recovery servers but what do I know about reading the RAW format. Here's what I see and perhaps a more knowledgeable person can say whether it's been spoofed?
Well, good news is that it came from an Amazon SES server that Hubitat.com’s DNS SPF record denotes as ok to send email for Hubitat.com, and there weren’t any intervening SMTP relays to your gmail.com email destination server, so the originating “Received:” header isn’t spoofed in the SMTP headers, nor is the SPF validation header. And, it’s known that Hubitat’s Remote Admin service uses Amazon AWS, so it’s probably genuine.
Copy/paste the raw headers into here and have it be analyzed. Used to do this back in my datacenter days.
Just received this as you did.
I did no deliberate steps to cause it that I know of. Even tho my phone does tend to butt call...I didn't butt call for my username.
Would appreciate some thoughts from Support @bobbyD
User Name:XXXXXXXXXXXX If you need any further help, you can e-mail us at support@hubitat.com (To maintain security of your account, please correspond with us only from your registered email address). Sincerely, Hubitat team
Received: (qmail 6513 invoked by uid 30297); 12 Jul 2022 12:11:26 -0000
Received: from unknown (HELO p3plibsmtp02-14.prod.phx3.secureserver.net) ([68.178.213.14])
(envelope-sender 01010181f252403c-7a7e57ca-68af-4ba7-aeed-4ce05e7b8fe4-000000@us-west-2.amazonses.com)
by p3plsmtp26-01-26.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for XXXXXXXXXXXXX; 12 Jul 2022 12:11:26 -0000
Received: from a27-56.smtp-out.us-west-2.amazonses.com ([54.240.27.56])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
(Client did not present a certificate)
by CMGW with ESMTP
id BEjeoN0rxoYg0BEjeokTKq; Tue, 12 Jul 2022 05:11:26 -0700
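Added example, not part of any post in this thread: a Python sketch of the header reading discussed above, which walks the `Received:` chain and reports the sending host at the point where the recipient's own provider took delivery. The function names and the `TRUSTED_BY` list are assumptions made for illustration, and the sample is constructed from the headers quoted above with placeholders for the id and recipient.

```python
import re
from email import message_from_string

# Assumption: names the recipient's own provider uses in "by" clauses,
# taken from the headers quoted in the thread.
TRUSTED_BY = ("secureserver.net", "CMGW")

# Constructed sample modelled on the quoted headers (id, recipient are placeholders).
SAMPLE = (
    "Received: (qmail 6513 invoked by uid 30297); 12 Jul 2022 12:11:26 -0000\n"
    "Received: from unknown (HELO p3plibsmtp02-14.prod.phx3.secureserver.net) ([68.178.213.14])\n"
    " (envelope-sender placeholder@us-west-2.amazonses.com)\n"
    " by p3plsmtp26-01-26.prod.phx3.secureserver.net (qmail-1.03) with SMTP\n"
    " for user@example.com; 12 Jul 2022 12:11:26 -0000\n"
    "Received: from a27-56.smtp-out.us-west-2.amazonses.com ([54.240.27.56])\n"
    " by CMGW with ESMTP id PLACEHOLDER; Tue, 12 Jul 2022 05:11:26 -0700\n"
    "From: accountverification@hubitat.com\n\nbody\n"
)

def parse_hops(raw):
    """Return relay hops, newest first, as dicts with from/ip/by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", text)
        if not frm:                         # local hand-off (qmail line), no relay info
            continue
        ip = re.search(r"\(\[([0-9A-Fa-f.:]+)\]\)", text)
        by = re.search(r"\sby\s+(\S+)", text)
        hops.append({"from": frm.group(1).lower(), "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else ""})
    return hops

def is_trusted(by):
    return any(by == t or by.lower().endswith("." + t) for t in TRUSTED_BY)

def handoff_hop(raw):
    """Oldest hop still stamped by the recipient's provider. Headers older
    than this one were supplied by the sender and are only claims."""
    boundary = None
    for hop in parse_hops(raw):             # newest -> oldest
        if not is_trusted(hop["by"]):
            break
        boundary = hop
    return boundary

def came_from(raw, suffix):
    hop = handoff_hop(raw)
    return bool(hop) and hop["from"].endswith("." + suffix)
```

The hostname in a `from` clause is whatever the receiving server recorded, while the bracketed IP is the address it actually saw, which is what an SPF check evaluates.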
We use AWS services for user verification so as @672southmain mentioned last year, these emails come directly from AWS. I could escalate this case with Amazon, if you'd like to find out what triggered the account verification email. Send me a PM if you'd like us to dig into it.
Well, let me ask if it surprises/worries you?
If I would receive a similar email, I would probably be at least intrigued by what triggered it. Not so much worried, but I would also likely change my password as result
Thanks, I'll give this some time to see if anyone else pops up with a case of it happening.
I had changed my password and monitored for any more emails. Nothing came of it so I assumed someone was trying to use some published email/password combos that are often available on the web.
My email addr for my hubs are unique. If one of those addresses is out in the wild I'd love to know how.
Here's what I THINK may have happened..... because....I did something similar to prompt it last night...and out of that I suggest a change.
On the Mobile App I either was going down the path of the "Connect to Hub" or the "Find Hubs" on the Tools page.
Therein you end up on a HE login screen with the Username/Password and two links, Forgot Username and Forgot Password.
Well, if one unintentionally fumble fingers either one of those in the middle of the night on a small phone screen in the process of inputting login info or just zipping back and forth between windows with clumsy fingers.....presto, you get that email sent!
I for one wouldn't mind an interim step on a new screen prompting another button press to actually prompt that email.
Thanks for offering to follow up on this but having it happen a second time again last night...I'm pretty sure this is how I ended up with the "hack concerning" email.