UK telecoms company Sky sent some of its customers an email yesterday evening telling them that their passwords were being reset.
I guess I should be pleased that so many recipients questioned whether the email was legitimate, and contacted Sky’s customer service department on Twitter to seek reassurance that they weren’t being phished.
But there’s little doubt in my mind that Sky could have done a better job when they designed their email to make it look less suspicious.
Here’s the email that Sky sent some of its customers:
At Sky we take the security of your data and information extremely seriously. To help keep your account safe we have reset the password for your Sky account.
You will now need to choose a new password to access your account. To reset your password, please visit [LINK] and enter your email or username.
We’re sorry for any inconvenience caused.
There are a number of ways that Sky could have better reassured its customers about what has happened, and reduced recipients’ fears that they were being phished.
Why not name the customer? Why use a generic term like “Customer”? Sky surely knows the names of its customers, so why not use the information? A phishing email might use a genuine customer’s name in its greeting, but it’s more common that they will use a generic term like “Customer”?
While we’re on the subject – why not reference the Sky user’s customer ID or maybe the last three characters of their postcode? That, again, would make the email look more convincing than a generic greeting.
To help keep your account safe we have reset the password for your Sky account.
Why? Has Sky been hacked? Do you have reason to believe the user’s account has been compromised? Tell the customer why you are doing this, and whether their account may have been accessed. Sky has just told a customer that their password has been changed to “keep their account safe.” That’s likely to give the typical user collywobbles.
Offer an explanation with enough detail so users can assess the level of risk. Maybe point people to a security page on Sky’s website which confirms the email is legitimate, and gives concerned users an FAQ rather than leave it to the company’s social media and support team to mop up the mess.
My hunch is that Sky hasn’t been hacked. My guess is that Sky is resetting some users’ passwords after it saw evidence of attempts to access accounts by unauthorised parties, perhaps by credential stuffing (where hackers attempt to break into accounts using previously-breached username and passwords).
But these are just hunches and guesses because Sky’s email doesn’t offer any details, and there’s no advisory on its website where users can find more information.
To reset your password, please visit [LINK] and enter your email or username.
And this, of course, is what phishing emails do. They include a clickable link to a website which asks users to re-enter their login credentials, and then carts them off into the hands of online criminals.
Banks who care about their users’ account security don’t send out password reset links because they know that it’s the kind of dirty trick used by fraudsters. Instead they tell you to visit the website and reset your password as part of the regular login process. Maybe other companies with online accounts could learn a thing or two from that.
For what it’s worth, here is the real, genuine link to reset your Sky password: https://skyid.sky.com/resetpassword/skycom
But you shouldn’t click on it to reset your password, because you shouldn’t trust me. And similarly you shouldn’t trust any emails that carry the hallmarks of a phish.
Thanks to an anonymous reader who points out that Sky has published a brief FAQ with more details on its website. Here’s part of it:
What has happened?
Sky has been informed by the provider of Sky.com email accounts that a number of accounts have been accessed without permission through an attack called ‘credential stuffing’. This is where an intruder has obtained a list of usernames and passwords (“credentials”) from one or more external sources illegitimately. The intruder then runs an automated programme across a range of online services to see if those credentials are still valid. If the credentials match, the intruder can then log in to that account.
What can I do about it?
We’ve already locked the accounts of everyone who has been affected. If your account has been locked, you’ll need to call us on the number above and follow the steps provided. To help keep your account as safe as possible, please ensure you regularly update your password and change any similar passwords you may use on other accounts.
Sky doesn’t say on its webpage, but the company which provides its email service is Yahoo.