Sky has been getting in touch with some customers to tell them that their account passwords have been reset − but as “good password management practice” rather than a consequence of anything more sinister.
“At Sky we take the security of customer data and information extremely seriously,” a Sky spokesperson told Trusted Reviews. “We’re resetting passwords for sky.com email customers as good password management practice. We’re sorry for any inconvenience caused.”
Related: Sky Q review
The company has confirmed that these accounts haven’t been broken into, but the content of the messages that Sky sent to affected customers has provoked some criticism. They weren’t exactly crystal clear.
Image credit: Graham Cluley
Alarm bells were further raised by the company addressing users as “Dear Customer” rather than by their own name. As security blogger Graham Cluley points out, there’s no mention of the customer’s Sky ID, nor their account number of postcode in order to offer a greater sense this wasn’t a general phishing email.
Some users were concerned enough to ignore the email and contact the @SkyHelpTeam on Twitter.
@SkyHelpTeam I received an email addressed "Dear Customer" and telling me to reset my Sky password. I presume this is a phishing scam and have therefore deleted it.
— Tannya (@Tannya21000096) July 24, 2019
There’s also a clickable link taking customers to their sign-in page. Although the written link spells out the URL, we all know the hyperlink text can say one thing while taking you to another page. Like this, for example.
Earlier this month, in a separate incident, a number of Sky accounts were breached through an attack called ‘credential stuffing’.
“This is where an intruder has obtained a list of usernames and passwords (‘credentials’) from one or more external sources illegitimately. The intruder then runs an automated programme across a range of online services to see if those credentials are still valid. If the credentials match, the intruder can then log in to that account,” said Sky.
Stressing that this incident isn’t related to the mass password reset prompts, it added: “As a precautionary measure those accounts were locked, and customers affected were contacted directly at that time.”
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.