Oh dear. Gmail misidentifies Adobe password reset message as spam


On Thursday, Adobe announced that hackers had broken into its systems, stealing some of its source code and stealing information on some 2.9 million customers.

Adobe’s security team said that it was contacting customers via email to tell them how they can change their passwords, as well as sending letters to those who had credit card information exposed.

It’s somewhat disappointing then to discover that Gmail, one of the world’s most popular webmail providers, is mistakenly blocking Adobe’s warning as spam.

Here’s how the message, sent by Adobe Customer Care with the subject line “Important Password Reset Information”, appears in Gmail’s spam folder.

[Image: Adobe email warning]

Google has added the (incorrect) warning that users should be cautious of the email:

Be careful with this message. Similar messages have been used to steal people’s personal information. Unless you trust the sender, don’t click on links or reply with personal information.

It’s not clear quite why Gmail has mistaken this legitimate email from Adobe as spam, but clearly the Google service has misidentified it as an attempt to phish details from users.

Possibly a lot of Gmail users have received the message and mistakenly flagged it as spam, tricking Gmail’s systems into believing that the message is bogus.

It’s just speculation on my part, but I wonder if Gmail would have thought the email less suspicious if each message had been customised with the recipient’s name in its body (“Dear Graham Cluley”) rather than identical generic wording?

Of course, users *should* be wary of the email. And indeed *any* other email telling them to visit a webpage to reset their passwords. After all, there *are* plenty of phishing messages which might attempt to trick you like that.

But this wasn’t one of them.

Gmail users who have accounts at Adobe might wish to check their “spam” folder, but if you can’t be bothered to go hunting here is the link to reset your Adobe password: www.adobe.com/go/passwordreset


11 Responses

  1. spryte

    October 7, 2013 at 1:04 am #

    That’s just what happens when you depend on automation…

    You have to wait for something not to work so you can be notified then tweak it for certain items.

  2. Dylan Hinde

    October 7, 2013 at 7:35 am #

    What do you expect, if that message was sent 2.9 million
    times then surely the Gmail systems would notice that? Can you not
    blame Google, most people check their spam folder anyway, and
    besides, the lack of a name in the email led it to look a little

  3. Dave Smythe

    October 7, 2013 at 5:07 pm #

    Yes, let's blame Google because the uber-secure Adobe (can
    you say Adobe vulns 5 times fast) sent a generic e-mail notifying
    the world that they were compromised. Pleeeaaasssseeee. If they
    can’t secure their product, or their systems, why would
    you think they would actually be able to send e-mail with any hint
    of user security?

  4. Pam Mastin

    October 11, 2013 at 2:13 am #

    I think you’re being a little reactionary. The
    Geeks that Be are constantly encouraging computer users to beware
    of any emails that look suspicious and I thought this one did, too,
    until I did an online search. Give us a little break here, fella.
    BTW, Gmail did not flag Adobe’s email as spam for me.
    Thank you.

  5. Giovanni Gervasio

    October 11, 2013 at 7:06 am #

    I received this message in Gmail, not tagged as spam, and immediately deleted it. It has all the marks of a phishing message. In my opinion Google did the right thing. Adobe ought to have contacted them in advance.

    • TheresaRibble in reply to Giovanni Gervasio.

      October 23, 2013 at 7:18 pm #

      It reads like a phishing email, even contains a link to
      reset my password, it doesn’t address the reader by name.
      I got one and tagged it as suspicious as it had arrived in an
      account I only ever use for family

      • Morten Sørensen in reply to TheresaRibble.

        November 26, 2013 at 5:41 pm #

        It looks like the address to the password reset page is not clickable (not hiding another domain in the link), you have to copy and paste it.

  6. Mike Nesbitt

    October 11, 2013 at 4:29 pm #

    Adobe did it all wrong to begin with! They NEVER should
    have included the link to the reset webpage in the first page. All
    they should have done was ask the users to go to the Adobe web page
    with a cut and page web address, not hotlinked.

  7. Gregoryno6

    October 21, 2013 at 10:44 pm #

    I found the email in one of my Gmail addresses today. I was suspicious because I use only Adobe Flash Player. Which has never asked for a password to the best of my recollection.

  8. James

    October 23, 2013 at 8:05 pm #

    In Google’s defense, I was irritated when I first saw it in my inbox because I thought it was a phishing expedition and almost marked it as spam myself.

  9. Josh

    October 25, 2013 at 12:54 pm #

    Adobe should know better. They sent an email that looks exactly like the dozens of phishing emails we’ve all gotten.
