Skip to Content
DocsV3 PortalAccountSecurity Alerts

Security Alerts

QuickBox sends a small family of security emails whenever something account-sensitive happens — passwords change, API keys rotate, a new device signs in, and so on. These alerts exist so the account owner hears about a change even if the change was not theirs. If you ever receive one of these and it was not you, the email tells you exactly what to do next.

All security alerts are sent from security@quickbox.io. Five of the seven are essential and always send (they bypass notification preferences). Two are advisory and respect the Account Activity notification preference in your settings.

The seven alerts

🔐 Password changed

Your account password was updated — either via the signed-in change flow or via the forgot-password reset link.

📧 Primary email changed

The primary email address on your account was changed. Both the old and new address are notified.

🌍 New sign-in

A successful sign-in came from an IP network or country we have not seen for your account recently.

🚨 Unusual failed sign-ins

Several failed password attempts stacked up against your account in a short window — credential-stuffing or brute-force signal.

🔒 Active sessions ended

Sessions were invalidated on your account — usually alongside a password change.

🔑 API key changed

An API key tied to one of your licenses was created, rotated, or revoked.

📬 Secondary email changed

A secondary (recovery) email was added to your account.

1. Password changed

Subject: 🔐 Your QuickBox Pro Password Was Changed

Trigger. Your account password was updated. This fires from two paths:

  • Signed-in change — you used the Security tab in settings to change your password (requires your current password).
  • Forgot-password reset — you clicked the reset link emailed to you and set a new password.

Who receives it. Your primary email, plus your verified secondary (recovery) email if one is set.

What to do.

  • If it was you: no action needed. This is a confirmation receipt.
  • If it was not you: your account may be compromised. Go to the sign-in page, click Forgot password, and rotate the password yourself. Then review active sessions on your profile and revoke anything you do not recognize. If you cannot sign in because an attacker already moved the password, contact support on Discord.

2. Primary email changed

Subject: 📧 Your QuickBox Pro Primary Email Was Changed

Trigger. The primary email address on your account was changed through the email-change flow.

Who receives it. Both the old primary address and the new primary address get a copy. The old address is notified so a lost or compromised inbox cannot silently move the account out from under the real owner. A verified secondary email is also notified.

What to do.

  • If it was you: confirm from the new inbox and you are done.
  • If it was not you: the alert sent to your old address tells you the account is being stolen. Start a password reset immediately from the sign-in page, and reach out on Discord so the team can help restore access.

3. New sign-in (unusual location)

Subject: 🌍 New Sign-In to Your QuickBox Pro Account

Trigger. A successful sign-in came from a network (/24 IPv4 block or /48 IPv6 prefix) and country we have not seen on your account in the last 50 successful logins. Sign-ins from your usual home network, office, or country do not fire this alert. Your first-ever login is not flagged either.

Who receives it. Primary email, plus verified secondary.

What to do.

  • If it was you: traveling, new ISP, hotel Wi-Fi, or a new device — ignore the email.
  • If it was not you: go to the sign-in page, use Forgot password to rotate your password, and revoke every session you do not recognize under Settings → Security.

Advisory alert

This email respects your Account Activity notification preference. If you turn that off in settings, you will still see the change events in the dashboard but you will not get this email.

4. Unusual failed sign-in attempts

Subject: 🚨 Unusual Failed Sign-In Attempts on Your QuickBox Pro Account

Trigger. A configured threshold of failed password attempts against your account stacked up inside a short window (by default, 5 attempts in 15 minutes). Nothing succeeded — this is an early-warning signal, not a breach notice.

Who receives it. Primary email, plus verified secondary.

What to do.

  • If you were fat-fingering your own password: sign in once successfully and the counter resets. No further action needed.
  • If you were not signing in: someone is probing your account. The attempts failed, but you should still rotate your password from Forgot password as a precaution and consider enabling two-factor authentication and a passkey in your profile’s Security tab.

Advisory alert

This email also respects the Account Activity preference. The counter resets every time you successfully sign in, so one email covers each burst — you will not be spammed.

5. Active sessions ended

Subject: 🔒 Active Sessions Ended on Your QuickBox Pro Account

Trigger. Active sessions on your account were invalidated. Today this fires alongside every password change (signed-in or reset-flow) — the password event and the session-ended event are sent as a pair.

Who receives it. Primary email, plus verified secondary.

What to do. If you just changed your password, this is expected. If you see it without a corresponding password-changed email, start a password reset immediately from the sign-in page.

6. API key changed

Subject: 🔑 API Key Created on Your QuickBox Pro Account (or Rotated / Revoked depending on the action)

Trigger. An API key tied to one of your licenses was touched:

  • Created — a license’s API key was issued for the first time or regenerated after a previous one was deleted.
  • Rotated — an existing key was regenerated. The old secret stops working the moment the new one is issued.
  • Revoked — a key was permanently revoked. Any tooling still using it will fail on the next call.

Who receives it. Primary email, plus verified secondary.

What to do.

  • If it was you: update any tooling (CLI installs, heartbeat scripts, integrations) with the new key. The email shows the key label and a short prefix so you can match it up.
  • If it was not you: sign in, open Dashboard → Licenses, and revoke every key you do not recognize. Then rotate your password from Forgot password because an attacker with dashboard access cannot be trusted to stop at API keys.

7. Secondary email added

Subject: 📧 Secondary Email Added on Your QuickBox Pro Account

Trigger. A new secondary (recovery) email was verified and attached to your account.

Who receives it. The primary email only. The primary owner must know a new recovery channel was just plugged into their account, because a recovery channel can be used to take the account over later.

What to do.

  • If you added it: you are done. Future security alerts will now dual-send to this address too.
  • If you did not add it: sign in, remove the unknown secondary address immediately, then rotate your password from Forgot password.

The dual-send design

Once you verify a secondary email on your account, every security alert above (except the secondary-email-added event itself) goes to both inboxes — your primary address and your verified secondary. This is intentional: if one inbox is compromised or unreachable, the other still hears about the change.

To add a secondary email, open your account settings at v3.quickbox.io/dashboard/settings  and follow the verification flow. An unverified secondary address does not receive security alerts — it is ignored until you click the verification link.

The primary-email-changed alert is a special case: both the old and new primary addresses receive it, regardless of secondary setup, so the previous owner always hears about a primary handoff.

What we never include

Phishing guardrail

QuickBox security alerts never contain a one-click link to change your password. If an email claims to be from QuickBox and offers a “reset your password now” button inline, treat it as phishing.

When you receive a real security alert and you want to rotate your password, the instruction is always the same: go to the sign-in page at v3.quickbox.io/login  yourself and use Forgot password. You type the URL, not a link from the email. This means a copycat phishing email cannot trick you into handing your new password to an attacker’s site.

The real alerts do contain:

  • A settings link so you can review activity, sessions, and API keys.
  • A forgot-password link — but only to the public forgot-password page, which asks you to enter your email and sends a fresh reset email to that inbox. An attacker cannot shortcut this.

Got one you did not expect?

If a security alert lands and you did not do the thing it describes, treat the account as possibly compromised and work through these steps in order:

  1. Rotate your password. Open v3.quickbox.io/login , click Forgot password, and set a new password. Do this from a device you trust.
  2. Review active sessions. In Settings → Security, sign out every session you do not recognize. This boots any intruder who is still connected.
  3. Review API keys. In Dashboard → Licenses, revoke any API keys you do not recognize. If in doubt, rotate them all — your CLI install just needs the new key pasted back in.
  4. Enable stronger auth. Add a passkey and turn on two-factor authentication from Settings → Security so a stolen password alone is not enough to sign in.
  5. Remove unknown recovery channels. If a secondary email was added that you do not own, remove it. Otherwise the attacker can use the recovery flow to get back in later.
  6. Ask for help. If you cannot sign in at all — for example, the attacker already moved the password and email — reach the team on Discord and we will help restore access.

Best practices

Do

  • Verify a secondary (recovery) email so critical alerts land in two inboxes
  • Always reach password reset by typing v3.quickbox.io yourself, never by clicking a link in email
  • Enable two-factor authentication and add a passkey from Settings → Security
  • Treat the old-address copy of a primary-email-changed alert as a 'stop, think' signal — it is designed to catch account theft
  • Revoke sessions and rotate API keys after any alert you did not trigger yourself

Don't

  • Don't click password-change buttons inside emails — real alerts never offer one
  • Don't ignore a Sessions Ended email that arrived without a matching password-changed email
  • Don't leave a secondary email unverified — unverified addresses get no alerts
  • Don't share your API key in screenshots, pastes, or chat logs; treat it like a password
  • Don't dismiss an 'Unusual Failed Sign-Ins' email just because no login succeeded — it is a probe signal

Frequently asked questions

Five of the seven are essential and always send — password-changed, primary-email-changed, sessions-ended, api-key-changed, and secondary-email-added. Two are advisory and respect the Account Activity notification preference in your settings: new sign-in and unusual failed sign-ins. Turning Account Activity off silences those two but does not hide the events themselves — they still happen on the account.
A password change triggers two alerts by design: Your QuickBox Pro Password Was Changed (confirms the password update) and Active Sessions Ended (confirms other sign-ins were invalidated). Seeing both is the correct, secure behavior — it is how you verify the password change also cleared any attacker sessions.
Either the secondary address has not been verified (click the verification link in the original set-up email), or the alert was the Secondary Email Added event — that one only goes to the primary address on purpose, so the account owner hears about the new recovery channel without the attacker's inbox getting a receipt.
No. A new sign-in alert means your account saw a login from a network or country it has not seen recently — which is exactly what happens when you travel, switch ISPs, or use hotel Wi-Fi. If you signed in, no action is needed. The email exists so you find out when the sign-in was not you.
No. The only links that change account state are the forgot-password flow (which asks you to enter your email and sends a fresh token) and the email-verification flow (which confirms ownership, not authentication). No QuickBox email contains a one-click 'sign me in' shortcut.
Either you, a staff member with support access, or an attacker triggered a rotation. Open Dashboard → Licenses and check the key label and timestamp in the alert. If nothing matches your own activity, rotate your password from Forgot-password right away and reach support on Discord.

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support
Feature Previews
Community Configs
Active Discussions
Join Discord Server
Using the v3 DashboardBilling & Payments