OK, so... it turns out the issue was NOT duplicate emails. The issue was whitespace.
Users managed to get accounts with both "email@example.com" and "firstname.lastname@example.org " and sometimes " email@example.com". The email attribute is not automatically trimmed, and spaces before or after an email address are not considered invalid or anything else. Also, as far as Cognito is concerned, these are treated as different email addresses.
In the UI, the email appears the same, because you can't see the rogue spaces.
The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.
I think it might be considered a Cognito bug, since even though you can trim the email using the Java SDK, an attacker can sign up a new account using the same technique via the Cognito API directly, without using the UI.
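Added example (not from either poster or from AWS): a server-side guard for the whitespace problem described in the answer and the comment above, plus an audit over existing accounts. It assumes a Cognito Pre sign-up Lambda trigger (the `event["request"]["userAttributes"]` shape) and `ListUsers`-style user records; the sample users are constructed.

```python
"""Reject whitespace-padded e-mails at sign-up and find existing collisions."""
from collections import defaultdict


def has_padding(email: str) -> bool:
    """True if the address carries leading or trailing whitespace (tabs, NBSP included)."""
    return email != email.strip()


def pre_sign_up(event: dict, context=None) -> dict:
    """Cognito Pre sign-up trigger handler (assumed event shape).

    Raising makes Cognito return the error to the caller, whatever client sent the
    request (hosted UI, SDK, or a direct API call), so trimming in the front end
    alone is not relied upon.
    """
    email = event["request"]["userAttributes"].get("email", "")
    if has_padding(email):
        raise ValueError("email must not contain leading or trailing whitespace")
    return event


def find_collisions(users: list) -> dict:
    """Group users whose e-mail values differ only by surrounding whitespace.

    `users` follows the ListUsers record shape: {"Username": ..., "Attributes":
    [{"Name": ..., "Value": ...}, ...]}. Returns {trimmed_email: [usernames]} for
    every address that maps to more than one account, i.e. the cleanup list.
    """
    groups = defaultdict(list)
    for user in users:
        attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
        if "email" in attrs:
            groups[attrs["email"].strip()].append(user["Username"])
    return {email: names for email, names in groups.items() if len(names) > 1}


# Constructed sample records, not real accounts: three spellings of one address.
SAMPLE_USERS = [
    {"Username": "u-1", "Attributes": [{"Name": "email", "Value": "email@example.com"}]},
    {"Username": "u-2", "Attributes": [{"Name": "email", "Value": " email@example.com"}]},
    {"Username": "u-3", "Attributes": [{"Name": "email", "Value": "email@example.com "}]},
    {"Username": "u-4", "Attributes": [{"Name": "email", "Value": "other@example.org"}]},
]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_USERS))
```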