So yesterday, I got a notification on a forum site that I frequent, advising that everyone was being required to reset their passwords due to a possible breach. Like a good netizen, I did so immediately and thought no more about it.
Last night, when I finally got home, I went to check the forum on my phone (via Tapatalk) and found I was logged out. No worries, I'll just log back in with LastPass. Except that it wasn't playing nice with LastPass anymore. OK, I'll paste in the password. No go. Let's try again…nope. OK, let's try the mobile site. Nada. Well, dammit...and that's the point at which I got a notice saying I was locked out for exceeding the maximum number of tries, and also got an email saying someone had tried logging into my account. I thought, OK, I'll try the password reset link--at which point I was told my email address was invalid. The exact same email address to which they'd just sent a notice.
It seems that the password reset wasn't working on mobile, only from a desktop or laptop computer (which is stupid in 2017). So when I got to work this morning, I changed my password yet again, and uninstalled Tapatalk, and then reinstalled it and logged in.
And that, ladies and gentlemen, is a textbook example of how not to implement a forced password reset across your entire user base.
Oh, just one more thing--this site still hasn't implemented SSL and doesn't provide for 2FA, so all of their security theater is kind of pointless. <sigh>