Training Users to Fail

My account password for LinkedIn was leaked as part of the 2012 breach. I use the same user name on Pandora and, had my password been the same on both sites, I would have been exposed to password reuse attacks.

I received an email from Pandora Radio today and I think it is great that companies are taking proactive steps to analyze the leaked data and notify potentially affected customers.

What I think Pandora did poorly is include a link and direct users to click on it. This looks like a classic phishing email. We spend money and time training our users not to click links in these kinds of emails, and then companies like Pandora undo all of that training by sending legitimate emails that teach users it is OK to click the link.

It is not OK and Pandora Radio should have done better here.