Comment by rolls
20 hours ago
This happened to my account today. My sessions were revoked and password changed with no email, text, or push notification. Email and text codes weren’t being sent to my phone. I went through several cycles of resetting my password then getting hijacked again.
My account was also stolen but my username wasn't changed. I had TFA enabled which likely saved me, but I'm hearing that can be bypassed too. I guess I was just lucky. The attackers rate-limited my account so I couldn't send any password reset emails, but I went through the hacked account recovery flow, which allowed me to receive a code and log back in just fine. I received about 100 password reset emails throughout this ordeal.
I didn't see it in the original post, but is there any way to turn this off at an account level?
No, you're forced into the A/B test. I assume they'll enable this on every account at some point. Maybe there's a way to edit your account's flags via some undocumented API endpoint, but I'm not sure. Even if that were possible, your account would likely be flagged for API abuse and banned within the day.
It's been patched now, so if your account wasn't already stolen, you're fine, at least for the time being.