mozilla / fxa-auth-server

DEPRECATED - Migrated to https://github.com/mozilla/fxa
Mozilla Public License 2.0

If a user clicks on "If this wasn't you, (change|reset) your password" in the security emails, we should be notified. #1858

Closed seanmonstar closed 7 years ago

seanmonstar commented 7 years ago

Importing from https://github.com/mozilla/fxa-auth-mailer/issues/185


This is from the original signin confirmation designs, but I think it has merit for all emails that include the text "If this wasn't you, (change|reset) your password." We have a lot of monitoring to see if there is a spike in certain types of errors, but it would be nice if we could use crowd-sourcing as another data point. Of course, some users may mistakenly click the link and we'll receive a notification. Perhaps to guard against this, we require the number of notifications to cross a pre-defined threshold for a given time frame. If the number of notifications crosses the threshold, alerts are sent to the team that we may be under attack.

FWIW, we can now see what users are doing from our sign-in confirmation emails. The attached graph says that from this email, 99% go to the complete_signin view versus 1% go to the change password view.

https://app.datadoghq.com/graph/embed?from_ts=1471484740396&to_ts=1471571140396&token=15de6d04e44196ed21cbfbc65ab0cbf54760e2ae65b394ae3890ad2f1c98f51c&height=300&width=600&legend=true&tile_size=m&live=true

This does seem like a pretty low number, but it only counts interactions from the email. The user could change their password by manually logging in and changing it.

Given "let's keep an eye on it" I am going to put this back into the backlog and remove it from the sign-in confirmation milestone. We'll do an analysis of the reset rate when we finish up the sign-in confirmation milestone, and we can take a fresh look at adding additional UI for this if/when we decide we need it for a new feature.
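The threshold-over-a-time-frame idea from the comment above, as an added example that is not code from the original issue or from the fxa-auth-server project: a sliding-window counter that alerts once "this wasn't me" clicks from enough distinct accounts land inside the window. The event format, the thresholds, the cooldown and counting distinct accounts rather than raw clicks (to dampen the mistaken-click noise the comment mentions) are all assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WasntMeAlerter:
    """Sliding-window alerter for 'this wasn't me' clicks (hypothetical helper)."""
    threshold: int            # distinct accounts within the window that trigger an alert
    window_seconds: float     # length of the sliding window
    cooldown_seconds: float   # suppress repeat alerts for this long after firing
    _events: deque = field(default_factory=deque, init=False)
    _last_alert: float = field(default=float("-inf"), init=False)

    def record(self, ts: float, uid: str) -> bool:
        """Record one click at epoch time ts for account uid; True if an alert should fire."""
        self._events.append((ts, uid))
        # Evict clicks that have aged out of the window (events arrive in time order).
        while self._events and self._events[0][0] <= ts - self.window_seconds:
            self._events.popleft()
        # One confused user clicking repeatedly counts once; an attack shows up as many accounts.
        distinct = len({u for _, u in self._events})
        if distinct >= self.threshold and ts - self._last_alert >= self.cooldown_seconds:
            self._last_alert = ts
            return True
        return False


def alert_times(clicks, threshold=3, window_seconds=3600, cooldown_seconds=3600):
    """Replay (ts, uid) clicks through the alerter and return the timestamps that alerted."""
    alerter = WasntMeAlerter(threshold, window_seconds, cooldown_seconds)
    return [ts for ts, uid in clicks if alerter.record(ts, uid)]


# Constructed sample: a quiet baseline, one user clicking three times, then a burst of
# four different accounts within five minutes.
SAMPLE_CLICKS = [
    (0, "u1"), (3000, "u2"),
    (5000, "u3"), (5100, "u3"), (5200, "u3"),
    (10000, "u4"), (10100, "u5"), (10200, "u6"), (10300, "u7"),
]

if __name__ == "__main__":
    print(alert_times(SAMPLE_CLICKS))  # the burst trips the threshold at t=10200 only
```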

rfk commented 7 years ago

This sounds like a dup of #1856 to me, so closing it in favour of that one.