All Products Community Forum

Hi, somehow thunderbird forced me to use OAuth for caldav and carddav. (v140 on linux) Unless I've probably missed something this approach doesn't seem to have considered that people might use more than one device. In the past I had an application password per device with my mail provider. That password covered imap, smtp, caldav and carddav. The application password I could set with a specific name at my mail provider. If the device was lost, compromised or whatever I just deleted that one application password at my mail provider, problem solved.

Now a regular thunderbird setup has the application password for mail and 2 OAuth records per device under "Connected Apps" at my mail provider. But it is not possible to see anymore to which device the OAuth record belong, as there is nothing device specific coming along with these OAuth records, just an IP.

With that perspective OAuth weakened my security options, as I can only guess which OAuth record I have to delete in an emergency case. Did anyone who implemented that with Thunderbird considered that people may have more than 1 device? Maybe even more than 5 devices?

That OAuth approach looks unmanagable to me. Is there a way to switch OAuth off in thunderbird, until it becomes more useable in >1 device setups?

Cheers Tjareson

Hi, I just noticed that my computer has been infected by a trojan called "HEUR:Trojan.VBS.SAgent.gen", and I can't remove it via Kapersky...The trojan is found in the inbox file in Thunderbird. So it's not a file that I can remove (it's all code). Kapersky stated that these two files are the source of the Trojan (they are not found as an e-mail attachment in my inbox, it's all code in the inbox file in Thunderbird):

P000009384:Emirates_Marble-pdf.gz and P000009384:Emirates_Marble-pdf.vbs

So I'm simply wondering how I should go about to remove this trojan from my computer?

Source: https://threats.kaspersky.com/en/threat/HEUR:Trojan.VBS.SAgent.gen/

Today (February 25, 2026) I received an email notice, apparently from Mozilla Monitor, advising me that my "Email addresses, Partial credit card data, Passwords, and Phone numbers" had been exposed in a data breach at Canadian Tire. This email seemed legitimate (the sender was breach-alerts@mozilla.com), but since it gave me a link to login to Mozilla Monitor, my first concern was that this might be a phishing email and it would be dangerous to click on that link. Instead, I went through the Firefox settings to login to my Firefox account and from there, I checked what Monitor had reported. The Canadian Tire breach was not listed there. However, when I went to haveibeenpwned.com, the Canadian Tire breach was listed there. It showed that the breach occurred on October 25, 2025. So why was the breach not listed for me on Mozilla Monitor? And why would I have received an alert from Monitor 4 months after the breach? Was this breach alert notice actually a phishing scam perpetrated by someone using the information from haveibeenpwned.com as bait?

I keep getting blocked threats and my email will not download because Thunderbird is blocking the threat. I deleted all emails that came in prior to the problem. not sure how to find the bad email

The breach source was Canadian Tire, but I've never bought anything from them online. Why would my credit card, email , credit card and phone number be compromised?

I've just received an email from breach-alerts@mozilla.com stating: You’ve been in a new data breach. Breach source: CarGurus. Yet there's no record of CarGurus in the Mozilla Monitor database. Is this an erroneous message? Or have I missed something obvious? Thanks

Even though I have created a main password I find that I suddenly I can open the application and view accounts and even security info, without putting it in anyway.

Dear all,

I would like to use Thunderbird on a shared computer at my universitys lab space (it is mainly my PC but other people have access and use it sometimes). However, as we are requested to keep mails confidential I thought it would be as easy as just setting a primary password and thunderbird would not start if that password is not set. However, that proofed to be a wrong assumption. Instead if I just cancel the dialog it will open and still display all the locally stored mails.

We are using IMAP server and I already set up that the mails are not stored locally. Still, some mails that I have used recently are visible. I am aware that there would anyway be the local copy in the profile folder but I guess none of the people sharing that computer would take the efford to check that, so I would be fine if I could simply prevent thunderbird from starting without the primary password.

Is there any option for that or any extention that would do so?

Thank you in advance! Juergen

Someone has created Mozilla accounts using several of my company's openly available email accounts. I can't figure why. Anyone have an idea why? I know this because all three accounts received the following email message from Mozilla: "Welcome to Mozilla! A few days ago you created a Mozilla account, but never confirmed it. Please confirm your account in the next 15 days or it will be automatically deleted. Don’t miss out on the browser that puts you and your privacy first."

Moderator note: This question has been edited to remove extra newlines.