BBAM's profile

New Member

 • 

6 Messages

Mon, Jun 13, 2022 10:28 PM

att email keeps logging me out

AT&T email keeps logging me out when I do anything else or away. I saw the clear cache/cookies advice, but it is on all 4 devices I have. I check the 'keep me logged in' option every time. It doesn't matter.

New Member

 • 

2 Messages

3 m ago

OK, I love the "easy" questions. First off let me be succinct, all my computers get restarted when an issue pops up. I've tried Incognito mode, Safe-mode in Windows, iOS 15, iPhone, iPad 4 and 5. Linux, Opera, Chrome, Safari, Firefox, Private browsing. I even tried opening it on my Powerbook 540c using OS 9 just for the heck of it.

Broke.

It sure does seem hopeless Mr Phil. Yes choices abound for another service. I just may. I really do respect you for trying to defend the situation; this company. Unless of course, you're an underground mole of 'ole Mother Hubbard.

In any event, I really don't "care" what it takes to fix due to the ridiculous amount of money this company makes and CAN invest into fixing it. Good luck on the defense.

(edited)

tonydi

ACE - Guru

 • 

7.4K Messages

3 m ago

@phillipremaker   This is not browser plug-ins, A/V or privacy protection. Have you missed the posts from ATTHelp saying this password issue is the result of "bad actors" attempting to log into people's accounts?  After 6 failed attempts Yahoo locks the account, thus triggering the need to "change" passwords in order to resync the account. 

They are (apparently) trying to block these people through IP address blocking, but for reasons that are not clear to me, it's been a month since they announced this and they've made no headway.  Not sure what they were doing between last October and the first week of June.  🙄

New Member

 • 

108 Messages

3 m ago

@tonydi I did miss that. Not a great practice to lock out an account under attack! That just punishes the innocent. How does Yahoo determine the login attempts since it's really a federated login from AT&T? Who is imposing the lock, AT&T or Yahoo?

@venemoux : I'm not defending the company, but part of my day job is managing federated logins and OAuth systems, so I know how deep the rabbit hole goes.

So, maybe I don't understand the problem. The problem *I* am talking about is that you get logged out and forced to log in again. 

The problem tonydi is talking about is that you get logged out and can't log in AT ALL until you change your password.

Which problem are we discussing? It may be better to start a fresh thread with a precise definition of the problem with examples.

New Member

 • 

9 Messages

3 m ago

Unfortunately, I have had both problems. Logged out for no reason, while logged in and reading my emails and unable to log in until I change my password. I have tried all the suggestions mentioned in this thread and continue to have these issues. For the past month, it sometimes happens all day, every day, then it might be ok for a few days or even a week, then it starts again. There does not seem to be any rhyme or reason to it. It may indeed be better to just change my email address, as extremely painful as it may be.

tonydi

ACE - Guru

 • 

7.4K Messages

3 m ago

I totally disagree that this isn't a great practice.  Lockouts after x number of failures are super common, used all over the Internet.  I'm sure you're aware that hackers can brute force thousands of password attempts per second.  Given the general tendency of users to come up with lousy passwords, these accounts would have given the "bad actors" almost immediate access to the accounts.  How else would you guard against that (and keep in mind that Yahoo/AT&T can't even seem to figure out how to ID the source of these attacks and put mitigation processes in place to stop them)?

Given how clueless any of the AT&T people here are about this whole issue, it's hard to say for sure but my understanding is that Yahoo blocks the account.  That process is in place for regular yahoo.com email accounts as well.

Yes, there are two logout issues.....ones where the user opens the webpage and is faced with the message that they've had too many failed login attempts.  The other issue is "live" logouts, where the user is logged in and either sitting on the webpage or even actually interacting with the page.  The latter seems to be far less common but my feeling is that the same account protection processes are causing both.

New Member

 • 

108 Messages

3 m ago

@tonydi Lockout after failure is a vector for a denial of service attack, and is therefore a poor practice. "Thousands of password attempts per second" should be blocked by rate limiting attempts and IP address blocking. This is what iCloud did after the Jennifer Lawrence attack.

But, I do see that this is the AT&T practice, which is unfortunate. That means I can lock anyone out of their account if I just know their email address. Booo!

You should only force a password change if someone from an unexpected location gets the right password and is denied after further verification. Locking out accounts due to brute force attacks is a bad practice.

Anyway, there are two separate issues, and should be diagnosed separately, even if they ultimately end up with the same root cause.

My main issue is that the clumsy, federated logins of AT&T (especially with the legacy domains) are full of pitfalls and things that some browser plugins may misinterpret as threats.

I'm certainly not ruling out a back end AT&T problem, but it would be best to approach AT&T with solid evidence. 

Unfortunately, I don't know the authentication architecture and haven't spent a lot of time reverse engineering it.

However, if someone is attacking their accounts with password guesses, there's nothing they can do but change providers. That's why it is a bad design.
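The difference between the two policies argued over in this exchange, as an added sketch that is not from any poster and is not AT&T's or Yahoo's code: it replays the same constructed run of failed logins against a per-account lock (6 failures, the figure quoted in the thread) and against a per-source failure budget. The class names, window length, addresses and credentials are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILS = 6  # the thread reports a lock after 6 failed attempts

class AccountLockout:
    """Per-account policy: failures from any source count toward one lock."""
    def __init__(self, passwords):
        self.passwords, self.fails = passwords, defaultdict(int)

    def login(self, user, password, src_ip, now):
        if self.fails[user] >= MAX_FAILS:
            return "locked"              # applies to the real owner too
        if self.passwords.get(user) == password:
            self.fails[user] = 0
            return "ok"
        self.fails[user] += 1
        return "denied"

class SourceThrottle:
    """Per-source policy: failure budget per (source IP, account) in a window."""
    def __init__(self, passwords, window=900):   # 15 min window is an assumption
        self.passwords = passwords
        self.window = window
        self.fails = defaultdict(deque)          # (ip, user) -> failure times

    def login(self, user, password, src_ip, now):
        q = self.fails[(src_ip, user)]
        while q and now - q[0] >= self.window:   # forget failures outside window
            q.popleft()
        if len(q) >= MAX_FAILS:
            return "throttled"                   # only this source is refused
        if self.passwords.get(user) == password:
            return "ok"
        q.append(now)
        return "denied"

def replay(policy, events):
    """Feed (user, password, src_ip, time) tuples to a policy, collect verdicts."""
    return [policy.login(*e) for e in events]

# Constructed sample: 8 wrong guesses from one address, then the owner logs in.
PASSWORDS = {"owner@example.net": "correct horse"}
GUESSER, OWNER = "203.0.113.7", "198.51.100.20"
EVENTS = [("owner@example.net", f"guess{i}", GUESSER, i) for i in range(8)]
EVENTS.append(("owner@example.net", "correct horse", OWNER, 10))

if __name__ == "__main__":
    print("lockout :", replay(AccountLockout(PASSWORDS), EVENTS))
    print("throttle:", replay(SourceThrottle(PASSWORDS), EVENTS))
```

A per-source budget alone does not slow guessing that is spread over many addresses; that case needs an additional per-account delay or a second factor.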

tonydi

ACE - Guru

 • 

7.4K Messages

3 m ago

@phillipremaker   You make some good points and have convinced me to rescind the "great practice" statement.  I don't doubt that there are far better ways to approach this type of attack but looking at the history of Yahoo in particular, it's not a surprise that they lack best practices. 

Again, this presumes what ATTHelp is telling us about "bad actors" is true. The questions it brings up, like why did it take 7 months to discover this and, a month later why is it still happening when there are commonly available tools to stop it, make it difficult for me to process.

From taking a cursory look through the sign in processes (and admittedly with just my unprofessional eyes), AT&T hands off the login procedure very quickly to Yahoo, like within a fraction of a second, and doesn't appear to be involved at all after that point. 

Maybe you could look at the process and see exactly what is going on.

New Member

 • 

108 Messages

3 m ago

@tonydi - I'm not an expert, but the basic idea is that AT&T generates a "session token" which is stored as a cookie, and Yahoo honors it.

I logged in at currently.att.net with my att.net id which is tied to an sbcglobal.net email. That process generated 20 att.net cookies, 14 yahoo.com cookies, and one mail.yahoo.com cookie. 9 are session cookies (2 yahoo, 7 att) and the expiration times of the rest range from 3 hours after I connected to the year 2072 (!). 

The 3 hour cookie for ATT is QuantumMetricSessionID, and the 3 hour Yahoo cookie is GUCS. 

I may start experimenting with deleting individual cookies and see what happens. 

It's far from simple - a lot of moving parts under the hood and it may vary depending on your account type. 

Suddenly being logged out seems weird, though. 

tonydi

ACE - Guru

 • 

7.4K Messages

3 m ago

Ok, I wasn't really looking at stuff like the cookies, I was looking at the network traffic to see who was doing what and when.  I suppose the cookie generation could easily be done in the fraction of a second before Yahoo shows up.  Heck, there's more traffic with Google and Microsoft than with AT&T in the first second.  😁

New Member

 • 

6 Messages

3 m ago

Everyone, this problem has nothing to do with cookies, logging into "Currently.com", making sure to "keep logged in for 2 weeks" or anything else having to do with us or our PCs. This is 100% a failure of AT&T and/or Yahoo! mail. This is a mail server problem and AT&T couldn't care less. This problem is extremely widespread and is affecting thousands of users. I spent over 1/2 an hour on the phone with AT&T's Filipino "tech experts" and they had no idea what they were talking about. The only thing they said that was true is that this is AT&T's fault, not ours. But, it's been going on for quite a while now and AT&T has done nothing. It could even be something as slimy as making free email so annoying, so dysfunctional that we move to the paid version of their email. Don't do it, folks. Keep complaining until AT&T gets off its A $ $ and fixes this email disaster.

(edited)

New Member

 • 

108 Messages

3 m ago

@TechKnow fair enough, but it sounds like the problem hasn't been clearly defined yet. The key to fixing a problem is reproducibility, or knowing what changed when it went wrong.

It would be interesting, for example, to see what happened exactly before logout. Did a cookie expire? Did a cookie refresh fail? Did the lookup happen on a different server? Is one member of the mail cluster or auth cluster failing? Is a NAT device table expiring? Without better clues than "logged out at random" it's difficult to get more attention.
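One way to collect the evidence asked for here, using the cookie lifetimes described in the earlier cookie-count post, as an added example that is not from any poster: it parses `Set-Cookie` headers captured at login and lists the persistent cookies whose lifetime ended before an unexpected logout. The header values, timestamps and the two `sample_*` cookie names are constructed; `QuantumMetricSessionID` and `GUCS` are the names given in the thread. A match shows only a timing correlation, not a cause.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, received):
    """Return (name, domain, expiry); expiry None means a session cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    domain, expires, max_age = "", None, None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            max_age = int(val)
    if max_age is not None:              # RFC 6265: Max-Age wins over Expires
        expires = received + timedelta(seconds=max_age)
    return name, domain, expires

def expired_between(headers, login_at, logout_at):
    """Persistent cookies set at login whose lifetime ended before the logout."""
    hits = []
    for h in headers:
        name, domain, exp = parse_set_cookie(h, login_at)
        if exp is not None and login_at < exp <= logout_at:
            hits.append((name, domain, exp - login_at))
    return sorted(hits, key=lambda hit: hit[2])   # shortest lifetime first

# Constructed capture: values and times are made up for the example.
LOGIN_AT = datetime(2022, 6, 13, 22, 28, tzinfo=timezone.utc)
HEADERS = [
    "QuantumMetricSessionID=abc; Domain=.att.net; Max-Age=10800; Path=/",
    "GUCS=xyz; Domain=.yahoo.com; Expires=Tue, 14 Jun 2022 01:28:00 GMT; Secure",
    "sample_session=1; Domain=.att.net; HttpOnly",         # no expiry: session
    "sample_longlived=1; Domain=.yahoo.com; Max-Age=1576800000",
]

if __name__ == "__main__":
    logout_at = LOGIN_AT + timedelta(hours=3, minutes=5)
    for name, domain, life in expired_between(HEADERS, LOGIN_AT, logout_at):
        print(f"{name} ({domain}) expired {life} after login")
```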

New Member

 • 

6 Messages

3 m ago

@phillipremaker The point is that AT&T wants to make this a user failure rather than an AT&T failure. This has nothing to do with cookies, nothing to do with how we log in; it's a technical failure/glitch on AT&T's end. My Yahoo mail account never logged me out when the browser was closed; now, it does it every time. This has nothing to do with logging in to Currently.com either. I log in there every time and it does nothing to solve the problem. AT&T is doing all it can to dodge accountability for this issue. It's 100% AT&T's (or its affiliate) failure (and has been going on for weeks).

New Member

 • 

108 Messages

3 m ago

I definitely understand how annoying the "blame the user" attitude is, and I hate that. Unfortunately, the only way to fight it is with hard evidence. There could be all kinds of things changed - new browser versions, changes at Yahoo, or changes at AT&T. The intertwining of AT&T and Yahoo makes it especially hard, doubly so when using legacy domains.

Even if it is a glitch, there are probably a dozen systems involved, and since it only affects some AT&T customers, nailing down the mix of things that makes it happen is key to getting it fixed. AT&T support is optimized to do a high volume of simple questions. If you have something harder, you need to show up with a lot more evidence and put up with their slow process. Unless you know the contours of the problem well and drive them relentlessly, they will presume the problem is between the chair and the keyboard.

 

tonydi

ACE - Guru

 • 

7.4K Messages

3 m ago

@TechKnow   AT&T isn't claiming this is a user failure.  ATTHelp has no clue so they do what they do best.....regurgitate old boilerplate (clear cache/cookies, reboot the gateway, etc etc etc) so they appear to be "helping".  The few times that they deviate from that script, they admit the problem is not the users but rather "bad actors". Then, inexplicably, they start posting the boilerplate again.  So as usual, ignore what they have to say.

The only "fix" is to do the Forgot Password dance.

The only real fix is to move to a different email provider.

New Member

 • 

5 Messages

3 m ago

Issue back again here. After 3 password changes and talking to AT&T CS last week, I finally got back in. I checked the “keep me logged in” box and no issues for a week.  
Earlier today I logged out, hoping that might resolve the multiple “McAfee” and “Kohl’s” spamming, along with many others. No dice. I am still able to stay logged in on my phone, it is using yahoo mail. But tonight I tried to login to my currently.att email and back came the “too many unsuccessful attempts” error. 
Here is my theory of what is going on; just my theory, and I hope AT&T reads this…Since our AT&T email login is our email address, hackers may be using that and trying multiple password hack attempts, which then locks the user out after the limit is reached.  I managed to reset my password on the att.com site this evening and now am able to get to my email. So I figured if I changed my User ID to something complex that is not my email address I should have “unsuccessful attempts” problem resolved. However, AT&T requires that my User ID be a valid email address.  This is poor security protocol. 
My recommendation consists of two parts (you listening, AT&T?) 1) allow the user to create a User ID that is not an email address, but maybe something that is as complex as their email password.  2) enable two-factor authentication. When the user attempts to login to their email with their password, they must also enter a six-digit PIN (stored in their Profile) or have the option of having a six-digit PIN texted to their phone. 
(Sending me a PIN to my email address is moot if I can’t log in to my email. Duh!!)

(edited)
