Training Users to Fail

My account password for LinkedIn was leaked as part of the 2012 breach.  I use the same user name on Pandora and, if my password was the same on both sites, this would have left me exposed to password reuse attacks.

I received an email from Pandora Radio today and I think it is great that companies are taking proactive steps to analyze the leaked data and notify potentially affected customers.

What I think Pandora did poorly is include a link and direct users to click on the link.  This looks like a classic phishing email.  We spend money and time training our users not to click links in these kinds of emails and then companies like Pandora undo all of that training by sending legitimate emails that teach users that it is OK to click the link.

It is not OK and Pandora Radio should have done better here.
