Sky has been getting in touch with some customers to tell them that their account passwords have been reset – but as “good password management practice” rather than a consequence of anything more sinister.
“At Sky we take the security of customer data and information extremely seriously,” a Sky spokesperson told Trusted Reviews. “We’re resetting passwords for sky.com email customers as good password management practice. We’re sorry for any inconvenience caused.”
The company has confirmed that these accounts haven’t been broken into, but the content of the messages that Sky sent to affected customers has provoked some criticism. They weren’t exactly crystal clear.
Alarm bells were further raised by the company addressing users as “Dear Customer” rather than by their own name. As security blogger Graham Cluley points out, there’s no mention of the customer’s Sky ID, nor their account number or postcode, any of which would offer a greater sense that this wasn’t a general phishing email.
Some users were concerned enough to ignore the email and contact the @SkyHelpTeam on Twitter.
There’s also a clickable link taking customers to their sign-in page. Although the written link spells out the URL, we all know the hyperlink text can say one thing while taking you to another page. Like this, for example.
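A mail filter can test for exactly that mismatch between what a link shows and where it goes. The sketch below is an added example, not code from Sky or from the original article; the function name `find_mismatched_links` and the sample message (with its `.example` hostnames) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Anchor text that itself looks like a URL or a bare hostname.
URLISH = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#]\S*)?$", re.I)

def _host(value):
    """Return the lowercase hostname of a URL or bare host/path string."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").lower().rstrip(".")

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text) for each <a> element
        self._href = None  # href of the anchor currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (shown_host, real_host) for anchors whose text names another host."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URLISH.match(text):
            continue  # ordinary words such as "our FAQ": nothing to compare
        shown, real = _host(text), _host(href)
        if shown and shown != real:
            flagged.append((shown, real))
    return flagged

# Constructed sample body; not the text of the email Sky sent.
SAMPLE = ('<p>Dear Customer, sign in at <a href="https://login.example.net/reset">'
          'https://skyid.sky.example/signin</a>, or read '
          '<a href="https://help.example.org/faq">our FAQ</a>.</p>')
print(find_mismatched_links(SAMPLE))
```

The check only fires when the visible text is itself a URL or hostname, so links labelled with ordinary words are left to other controls.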
Earlier this month, in a separate incident, a number of Sky accounts were breached through an attack called ‘credential stuffing’.
“This is where an intruder has obtained a list of usernames and passwords (‘credentials’) from one or more external sources illegitimately. The intruder then runs an automated programme across a range of online services to see if those credentials are still valid. If the credentials match, the intruder can then log in to that account,” said Sky.
Stressing that this incident isn’t related to the mass password reset prompts, it added: “As a precautionary measure those accounts were locked, and customers affected were contacted directly at that time.”