When sites ask for your email address to register, and ask for your password

I seriously doubt that was what was actually happening. Most likely either your password didn’t meet their requirements or your email was already on file from a previous account you set up and you weren’t using the same password you did the last time.

Some sites do want your email password to get access to your contacts. There can be reasonable situations where that is beneficial, such as importing a large number of contacts to LinkedIn or Facebook if you deem that useful. It’s not useful to me, but by itself it’s not an outrageous feature.

Can you identify a site that did this?

This is very common. They need a way to identify you, and they probably also need a way to communicate with you (to send you information about your order and, unless you opt out, advertisements in the future).

What, exactly, did it say was “wrong”? There are several possibilities:

  1. You had already previously set up a password for that site, and the one you were trying to use didn’t match the one they already had on file for you.
  2. They were asking you to create a password, but the one you tried to use didn’t match their requirements. (Often passwords are required to be a certain length, or to contain a certain mixture of types of characters (upper- and lower-case letters, digits, etc.).)
  3. You were asked to create a password and then type it in again to verify that you hadn’t mistyped it, and the two didn’t match.

OK. I’ll check this more on logon vs register. Some sites of medical stuff are not registering new customers at all, and can glitch on that.

Just to let you know, this is becoming more and more common. I work for a major lender and we allow you to verify your assets by using a 3rd party service that uses your online login information to validate.
https://www.formfree.com/accountchek/

Most major banks (Chase, Wells Fargo, etc.) probably offer this service. If you don’t want to do any business with a company offering this service, you might as well start stuffing your money under your mattress.

One reason to be getting a “wrong” password on a site you (think you) are newly signing up for is that some bot already signed “you” up on the site with some random password.

Sadly, an amazing number of respectable sites allow bots to sign up using someone else’s email address without going thru email verification.

(One that is particularly annoying is PayPal. Someone created an account using a secondary email account of mine. I got PayPal to lock the fake account, but I couldn’t get them to remove it completely. AT&T allowed someone to use one of my accounts as “their” email for a cell phone. I’ve been getting monthly statements and such for a couple years on this one. AT&T has no mechanism for me to do anything about this. I need to provide info I don’t have to change anything on the account.)

Sometimes certain weaknesses are found in sites where Bad Things can be done at some point using such fake signups. E.g., they set up an account with a 2nd email or a phone number. Yours and theirs. You later sign up (having to go thru password reset to get in). But you don’t notice the other stuff on the account and don’t delete it. Now the other person can waltz in at some point (resetting the password via the other things) and access whatever data you’ve since connected to the account.

One way to test this: ask for a password reset. See if you can then get into the account. If so, check all settings including emails/phone numbers/etc. while providing a brand new secure password.

Can you go to AT&T’s site and hit the ‘lost my password’ button? Since you have access to the email address, you should be able to reset the password.

From there, you could either wait until the person tries to log in again, at which point they’ll have to reset their password, which will involve having to call AT&T because they’re not getting the password reset links.

Now, as I think about it, it might be particularly funny if, upon getting the password reset emails, you changed the password. The account owner will probably try it a few times, give up, call AT&T and have a really confusing conversation.

Nope. In addition to the email, they ask, as I specifically mentioned, for other information to do this. (Just to note: I was a professor of Computer Science. So when I say it couldn’t be done this way, trust me.)

It is so weird, they don’t allow you to do a simple password reset by email since that’s not so secure, but they don’t send an email verification when the account is set up to ensure that the email belongs to the customer.

^^I have that exact same problem. I even contacted AT&T to have my email removed from that account, but they said there was nothing they could do.

So I set up a filter and into the trash the emails go.