Someone made an account on my own site with my email address. Is that bad?
It depends on whether your app verifies email ownership before letting the account do anything. If the account can sign in and place orders without clicking a verification link, that is an account takeover bug: an attacker can create accounts under any email address (yours, your CEO's, a customer's) and use them. The fix is email verification before any sensitive action.
Sign-up with any email address isn't a bug by itself; that is how every sign-up form works until the address is checked. The bug is what the unverified account can DO before ownership of the email is proven.
**Dangerous patterns to check:**

1. Can the account place orders or make purchases before clicking the verification email?
2. Can the account post content, comments, or messages visible to others?
3. Does the account count as 'registered' in any metric that matters (billing, seat count, invite tree)?
4. If the real owner of that email later signs up, do they inherit the attacker's data, or does their attempt fail with 'email exists'?
5. If the real owner clicks 'forgot password' on their own email, does the attacker's account transfer to them? Setting a new password locks the attacker out, but the attacker's prior activity (orders, posts, invites) stays attached to the account.

**Safer pattern:**

- Sign-up creates a *pending* account.
- A pending account can't do anything user-facing until the email is verified (the link is clicked).
- The verification link expires in 1 hour.
- If someone else signs up for the same email while a pending account exists, they replace the pending one (since ownership wasn't proven).
Supabase Auth has built-in email verification — enable 'Confirm email' in Auth settings. If you're not using Supabase, check your auth provider's equivalent. Do not roll your own.
Securie's free scan (launching this year) will try to sign up with a victim email and test what the unverified account can do. Join the list for a week-1 run — if anything sensitive is reachable, you get the exact route + the fix.