Your sign-up form is a weapon (bytemash.net)

Bytemash reports that it saw low-volume bot sign-ups using real victims’ email addresses and then immediately triggering password resets to generate multiple unwanted emails (“subscription bombing”). The attack stayed under typical rate limits and relied on forms that allow email entry without verification, aiming to overwhelm inboxes and bury account-security alerts. The site says it mitigated the issue by tightening bot/firewall rules, deploying Cloudflare Turnstile via its auth stack, and changing its email flow to send only a verification email until the address is confirmed.
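The last mitigation, sending nothing but a verification email until the address is confirmed, can be sketched as a small outbound-mail gate. This is an added example, not code from Bytemash or its auth stack; the `MailGate` class, the email kind names and the one-hour resend cooldown are assumptions made for illustration.

```python
import time

VERIFY_COOLDOWN_S = 3600  # assumed resend window, not a value from the article


class MailGate:
    """Allows only a verification email to reach an unconfirmed address."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.verified = set()       # addresses whose owner clicked the link
        self.last_verify = {}       # address -> time the last verification was sent
        self.outbox = []            # (address, kind) that would really be sent
        self.suppressed = []        # (address, kind) dropped by the policy

    def request(self, addr, kind):
        """Return True if an email of this kind is sent to addr."""
        addr = addr.strip().lower()
        if addr in self.verified:
            allowed = kind != "verify"          # nothing left to verify
        else:
            last = self.last_verify.get(addr)
            allowed = kind == "verify" and (
                last is None or self.clock() - last >= VERIFY_COOLDOWN_S)
            if allowed:
                self.last_verify[addr] = self.clock()
        (self.outbox if allowed else self.suppressed).append((addr, kind))
        return allowed

    def confirm(self, addr):
        """Called when the owner follows the verification link."""
        self.verified.add(addr.strip().lower())


def replay(gate, events):
    """Feed constructed (address, kind) events through the gate; return the outbox."""
    for addr, kind in events:
        gate.request(addr, kind)
    return gate.outbox


if __name__ == "__main__":
    # Constructed sample: a bot signs up with someone else's address, then
    # immediately asks for password resets, as in the pattern described above.
    bot_events = [("Victim@example.com", "verify"),
                  ("victim@example.com", "password_reset"),
                  ("victim@example.com", "verify"),
                  ("victim@example.com", "password_reset")]
    print(replay(MailGate(), bot_events))
```

With the gate in place the constructed sequence produces one email instead of four, and the suppressed list gives a per-address count that can feed bot or firewall rules.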

April 02, 2026 04:46 Source: Hacker News