Oh dear. Gmail misidentifies Adobe password reset message as spam

Graham Cluley

On Thursday, Adobe announced that hackers had broken into its systems, stealing some of its source code and stealing information on some 2.9 million customers.

Adobe’s security team said that it was contacting customers via email to tell them how they can change their passwords, as well as sending letters to those who had credit card information exposed.

It’s somewhat disappointing then to discover that Gmail, one of the world’s most popular webmail providers, is mistakenly blocking Adobe’s warning as spam.

Here’s how the message, sent by Adobe Customer Care with the subject line “Important Password Reset Information”, appears in Gmail’s spam folder.

[Screenshot: Adobe email warning]

Google has added the (incorrect) warning that users should be cautious of the email:

Be careful with this message. Similar messages have been used to steal people’s personal information. Unless you trust the sender, don’t click on links or reply with personal information.

It’s not quite clear why Gmail has mistaken this legitimate email from Adobe for spam, but clearly the Google service has misidentified it as an attempt to phish details from users.

Possibly a lot of Gmail users have received the message and mistakenly flagged it as spam, tricking Gmail’s systems into believing that the message is bogus.

It’s just speculation on my part, but I wonder if Gmail would have thought the email less suspicious if each message had been customised with the recipient’s name in its body (“Dear Graham Cluley”) rather than identical generic wording?

Of course, users *should* be wary of the email. And indeed *any* other email telling them to visit a webpage to reset their passwords. After all, there *are* plenty of phishing messages which might attempt to trick you like that.

But this wasn’t one of them.

Gmail users who have accounts at Adobe might wish to check their “spam” folder, but if you can’t be bothered to go hunting here is the link to reset your Adobe password: www.adobe.com/go/passwordreset

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

11 Replies to “Oh dear. Gmail misidentifies Adobe password reset message as spam”

  1. That's just what happens when you depend on automation…

    You have to wait for something not to work so you can be notified then tweak it for certain items.

  2. What do you expect, if that message was sent 2.9 million
    times then surely the Gmail systems would notice that? Can you not
    blame Google, most people check their spam folder anyway, and
    besides, the lack of a name in the email led it to look a little
    suspicious.

  3. Yes, let's blame Google because the uber-secure Adobe (can
    you say Adobe vulns 5 times fast) sent a generic e-mail notifying
    the world that they were compromised. Pleeeaaasssseeee. If they
    can't secure their product, or their systems, why would
    you think they would actually be able to send e-mail with any hint
    of user security?

  4. I think you're being a little reactionary. The
    Geeks that Be are constantly encouraging computer users to beware
    of any emails that look suspicious and I thought this one did, too,
    until I did an online search. Give us a little break here, fella.
    BTW, Gmail did not flag Adobe's email as spam for me.
    Thank you.

  5. I received this message in Gmail, not tagged as spam, and immediately deleted it. It has all the marks of a phishing message. In my opinion Google did the right thing. Adobe ought to have contacted them in advance.

    1. It reads like a phishing email, even contains a link to
      reset my password, it doesn't address the reader by name.
      I got one and tagged it as suspicious as it had arrived in an
      account I only ever use for family

  6. Adobe did it all wrong to begin with! They NEVER should
    have included the link to the reset webpage in the first page. All
    they should have done was ask the users to go to the Adobe web page
    with a cut and paste web address, not hotlinked.

  7. I found the email in one of my Gmail addresses today. I was suspicious because I use only Adobe Flash Player, which has never asked for a password to the best of my recollection.

  8. In Google's defense, I was irritated when I first saw it in my inbox because I thought it was a phishing expedition and almost marked it as spam myself.

  9. Adobe should know better. They sent an email that looks exactly like the dozens of phishing emails we've all gotten.
