Guest contributor Bob Covello isn’t happy about a password reset email that Citrix has been sending its customers.
Over the last few days, many people received an email from Citrix Systems asking them to change their passwords. Many wondered whether this was the result of a breach. I wondered what Citrix was thinking when it sent these messages.
Here is a screenshot of the email Citrix ShareFile users received:
There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts. In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFile. We believe this is an important step to continue to help our customers use our solutions securely.
To reset your password, please click here.
For help about how to reset your password, please click here.
Most people who contacted me wanted to know if this was a phishing scam. My immediate response was “of course it is!” The message breaks every rule we teach about spotting phishing:
- The message arrived unsolicited;
- The message is very generic;
- The message contains links.
The only thing missing from the message is an urgent warning and a threat. In the land of notifications, Citrix certainly got it wrong.
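To make the three red flags above concrete, here is a small checker, added as an illustration and not part of Bob Covello's post. It parses a notification email, reports a generic salutation, counts links, and adds one cue practitioners always look at in "click here" emails: whether each link's visible text hides a destination host that is not the service's own domain. Both messages and the domain sharefile.invalid are constructed placeholders, not the real Citrix email; the second message is what the post recommends, a notice with no links at all.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the kind of notice described in the post
# (placeholder hosts; NOT the actual Citrix message).
SAMPLE_EMAIL = """\
From: ShareFile Notifications <no-reply@example-notify.invalid>
To: user@example.invalid
Subject: Action required: password reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear user,</p>
<p>We are requiring a password reset. Users will need to reset their
passwords when logging into ShareFile.</p>
<p>To reset your password, please <a href="http://reset.example-notify.invalid/r?u=123">click here</a>.</p>
<p>For help, please <a href="http://help.example-notify.invalid/h">click here</a>.</p>
</body></html>
"""

# Constructed sample of the link-free notice the post recommends instead.
SAFE_EMAIL = """\
From: ShareFile Notifications <no-reply@sharefile.invalid>
To: user@example.invalid
Subject: Scheduled password reset
Content-Type: text/plain; charset=utf-8

Hello Alice,

We are introducing a regularly scheduled password reset. You will be asked
to choose a new password the next time you sign in to ShareFile. No action
is needed before then.
"""

GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear valued")
VAGUE_LINK_TEXT = ("click here", "here", "login", "log in", "reset now")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs plus the body's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible text]
        self.text_parts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data


def assess_notification(raw_message, expected_domain):
    """Return a list of phishing-style indicators found in a notification email.

    expected_domain is the domain the service's own links should live under
    (assumed known from earlier, legitimate contact with the service)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    parser = _LinkExtractor()
    parser.feed(content)          # plain text simply yields no links
    text = " ".join(" ".join(parser.text_parts).split()).lower()

    findings = []
    # 1. Generic salutation: the sender does not address you by name.
    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # 2. Links at all: "reset at your next login" needs none.
    if parser.links:
        findings.append(f"contains {len(parser.links)} link(s)")
    # 3. "Click here" anchors hide the destination; check where they really go.
    for href, label in parser.links:
        label = label.strip().lower()
        if label in VAGUE_LINK_TEXT:
            findings.append(f"vague link text {label!r} -> {href}")
        host = urlparse(href).hostname or ""
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            findings.append(f"link host {host!r} is not under {expected_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("notice with links", SAMPLE_EMAIL), ("link-free notice", SAFE_EMAIL)):
        print(name, "->", assess_notification(raw, "sharefile.invalid") or ["no indicators"])
```

Run against the first sample it reports the generic greeting, the two links, their "click here" labels and the foreign hosts behind them; against the link-free notice it reports nothing, which is exactly why the post says Citrix should have stopped after "Users will need to reset their passwords when logging into ShareFile."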
To get it right, all that Citrix needed to do was to stop after the sentence that reads “Users will need to reset their passwords when logging into ShareFile.” This would force a person to go to the Citrix ShareFile site on their own to reset the password.
Citrix posted a blog about the password reset on their site, but it was a bit late.
As always, please do not click on links in unsolicited messages. Visit the site directly to update your information.