Pandora tells some users to reset their passwords

Are you still using the same password on multiple websites?


Some users of Pandora Radio have been advised to change their passwords - not because the music streaming service has suffered a data breach, but because Pandora has reason to believe that their passwords may have been compromised.

How can users' passwords be compromised if Pandora hasn't suffered a hacking attack? Simple. The affected users have made the classic mistake of reusing the same password on different websites - and one of those other sites has had its passwords compromised.

Here is an email that Pandora has sent to impacted users:

Email sent to Pandora user

Dear Pandora listener:

As a precaution, we want to make you aware of a situation that could possibly affect your Pandora account.

First off, there is no evidence that your Pandora account has been compromised or tampered with in any way.

However, usernames and passwords that were breached from a service other than Pandora a few years ago were posted on the web recently.

In order to protect Pandora Listeners, our security teams have analyzed the data and found that your Pandora username was included in the list.

If you share passwords across services and haven't updated them recently, and you haven't already reset your Pandora password, you should do so now.

Below is a link with which you can request a password reset on Pandora.
https://www.pandora.com/account/help

Pandora's email advisory doesn't make clear which site it means by "usernames and passwords that were breached from a service other than Pandora a few years ago..." but it's quite possible it is referring to one of the mega-breaches that have recently grabbed the headlines.
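The check Pandora's email describes (its security team comparing a leaked username list against its own accounts and telling matching users to reset) can be illustrated in code. The Python below is an added example written for this page, not Pandora's code: the dump lines, the accounts, the field separator and the PBKDF2 hashing scheme are all constructed assumptions. It also goes one step further than a username-only match: where a dump line carries a plaintext password, it verifies that password against the service's own stored hash, so a confirmed reuse can be distinguished from a precautionary "your username was in the list" notice.

```python
import hashlib
import hmac
import os

# Constructed sample: a few lines as they might appear in a third-party
# credential dump, in the common "email:password" form. Every value is invented.
LEAKED_DUMP_LINES = [
    "Alice.Smith@Example.com:Summer2014!",
    "bob@example.com:hunter2",
    "carol@example.net",            # some dumps carry usernames only
    "",                             # blank lines are common
    "not a credential line",        # junk that a parser must skip
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256); a stand-in for the service's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def normalize_email(addr: str) -> str:
    """Usernames here are email addresses; compare them case-insensitively and trimmed."""
    return addr.strip().lower()


def parse_dump(lines):
    """Yield (email, password_or_None) for each parsable line, skipping junk."""
    for line in lines:
        line = line.strip()
        if not line or "@" not in line:
            continue
        email, sep, password = line.partition(":")
        yield normalize_email(email), (password if sep else None)


def make_user_db(accounts):
    """Build {email: (salt, hash)} from (email, password) pairs, as a service would store them."""
    db = {}
    for email, password in accounts:
        salt = os.urandom(16)
        db[normalize_email(email)] = (salt, hash_password(password, salt))
    return db


def users_to_notify(user_db, dump_lines):
    """Return {email: reason} for our users whose username appears in the dump.

    'reused'            - the leaked plaintext verifies against our stored hash
    'username_in_dump'  - only the username matched (precautionary notice)
    """
    findings = {}
    for email, leaked_pw in parse_dump(dump_lines):
        record = user_db.get(email)
        if record is None:
            continue  # not one of our users
        salt, stored = record
        if leaked_pw is not None and hmac.compare_digest(stored, hash_password(leaked_pw, salt)):
            findings[email] = "reused"
        else:
            findings[email] = "username_in_dump"
    return findings


# Constructed user base: alice reused her leaked password, bob did not,
# carol matched on username only, dave is not in the dump at all.
USER_DB = make_user_db([
    ("alice.smith@example.com", "Summer2014!"),
    ("bob@example.com", "correct-horse-battery-staple"),
    ("carol@example.net", "unrelated-password"),
    ("dave@example.org", "not-in-dump"),
])

if __name__ == "__main__":
    for email, reason in sorted(users_to_notify(USER_DB, LEAKED_DUMP_LINES).items()):
        print(f"{email}: {reason}")
```

Two points the code makes that the email does not: usernames need normalising before comparison (a dump's `Alice.Smith@Example.com` must still hit the account stored as `alice.smith@example.com`), and a service can only confirm reuse, rather than suspect it, when the dump contains plaintext it can test against its own salted hashes.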

Reset your Pandora password

But don't stop there. After you have changed your Pandora password, you should also ensure that you have created new passwords for any other site where you might be using the same credentials.

Your best defence to protect against password reuse attacks is very simple: stop reusing passwords. Always use different passwords for different websites.

And if you think that your puny human brain can't remember lots of different, hard-to-crack passwords then simply get a password manager to do the job for you. That's what I do.


20 Responses

  1. D.Turner

    June 28, 2016 at 11:54 pm #

    Bad Post. Did you either confirm with Pandora the authenticity of the email or research the embedded links to reset your password? Hover your mouse and look at it – it goes to Singapore (SG). The service, operated by Pandora Media, Inc., is available only in Australia, New Zealand, and the United States, and is NOT based in Singapore. So much for your level of "security"…

    • Graham Cluley in reply to D.Turner.

      June 29, 2016 at 12:38 am #

      Thanks for the comment, but I believe you are mistaken.

      If you hover your mouse over the links in Pandora's email they go to sg.pandora.com – that's not anything to do with Singapore. Instead I suspect the sg stands for SendGrid, the email delivery service that Pandora appears to be using.

      I would agree with you that ideally Pandora would have included direct links in its advisory email, rather than redirecting via SendGrid, to make it look less phishy to the untrained eye – although they're hardly the only ones to do that.

    • Michael in reply to D.Turner.

      June 30, 2016 at 11:47 am #

      I think the question here is, before you cast your stone at the author, did you do any proper diligence before claiming the author didn't do their diligence? Doubt you did, or else you'd see it is a legit post.

      If anyone knows one of the sites compromised, please post. My elderly neighbor asked me to look into this for her as one of her accounts was a potential target.

  2. bj johnson

    June 30, 2016 at 12:48 pm #

    https://haveibeenpwned.com/

    Mine was on linkedin


    • Elle in reply to bj johnson.

      July 10, 2016 at 8:21 pm #

      Interesting… My daughter has Pandora and she uses my email and does not have LinkedIn, but I do. How many passwords, and whose, need to be changed?

  3. confused

    June 30, 2016 at 2:27 pm #

    Is this a scam? I haven't seen any posts or anything from Pandora.

  4. Jen

    July 2, 2016 at 12:19 am #

    This was the reply from them, directly. It's kind of odd. It's about LinkedIn more than Pandora?

    —–

    Thanks for writing and sorry for any confusion.

    We did send you this email. LinkedIn was affected by a data breach resulting in usernames and passwords being released to the internet last month. Pandora identified your information from the LinkedIn credential dump.

    Like LinkedIn, Pandora usernames are made up of the email address registered to the account. We don't have access to your LinkedIn account password. We are just letting you know as a precaution since many people use the same email address and password on multiple accounts.

    To verify that this email address or any other email address you may have was affected by this breach you can visit this site: https://haveibeenpwned.com/

    At this time, there is no evidence that your Pandora account has been tampered with. However, we pride ourselves on running a tight ship and threats of this nature are taken very seriously. As a precautionary measure, our security team has determined that it would be well advised to update your Pandora password.

  5. Claus

    July 2, 2016 at 4:26 pm #

    I've got exactly this one. How can I check/prove that the email was really send by pandora.com? Can I forward the mail to pandora to get a confirmation? And if, what's the address?

  6. Mary

    July 7, 2016 at 7:09 pm #

    I found that 2 of the 3 emails I carry for various things have been breached… is it advisable to delete those emails? They are aol and bellsouth.

  7. Reed

    July 7, 2016 at 7:56 pm #

    I also received this email. However, I don't use a username and password to login to Pandora. I do it through Facebook. Does that mean I need to change my Facebook password? I'm confused.

  8. Elle

    July 10, 2016 at 8:22 pm #

    I really appreciate this article, but I feel it is not clear on how to determine who should change what on which websites.
    More clarification would be appreciated. Thanks so much!

    • Graham Cluley in reply to Elle.

      July 10, 2016 at 10:31 pm #

      If you received the notification email from Pandora then you should consider changing your password on Pandora.

      Make sure it is a strong, hard-to-crack password – and ensure that you are not using the same password anywhere else on the net. Pandora hasn't said where it has got its information from – but if you were using the same password anywhere else, it makes sense to change it there too.

  9. Cath

    July 11, 2016 at 8:22 am #

    What if your password manager gets compromised?

    • Graham Cluley in reply to Cath.

      July 11, 2016 at 10:43 am #

      Then you potentially have a problem.

      But I would argue that it is less of a problem than reusing passwords, or using your brain to choose "random", unique, hard-to-crack passwords.

      And if your password manager is on your local machine and your computer gets hacked to access the password manager, well... you've probably got more things to worry about than just your password manager being hacked.

  10. vpod1

    July 11, 2016 at 2:14 pm #

    Hi, I just got the Pandora email today. But, I only use Pandora on my phone. I downloaded the App a few years ago. I don't subscribe to anything nor do I use a password when I open it. Does this affect me? If so, what do I do? Thanks, vpod

    • Graham Cluley in reply to vpod1.

      July 11, 2016 at 2:21 pm #

      You may never log into the Pandora website, but your app will be using a password to connect to your account in order to listen to music.

      If you've received the email warning from Pandora, it would probably be sensible to visit their site and reset your password. Also ensure that you are not using the same password anywhere else on the web.

  11. Helaine

    July 12, 2016 at 12:30 pm #

    The main reason that I'm concerned and also confused is that I am 99.999999% sure that I never opened a Pandora account, so there would be no password to change! I'm just not sure what to do here. Do you think it's safe to simply hit "reply" and ask them what in the heck this is all about? The sender address is as shown above, pandora-support@pandora.com. Help! Thank you in advance :-)

  12. D. Wynne

    July 12, 2016 at 4:15 pm #

    To your point, I never received a notice or request to change my LinkedIn password and mine was apparently involved in the breach, according to that pwned link below. I also received the Pandora email. Curious, with a site like Pandora where I don't store any personal or financial data, what is the harm if it gets hacked? LinkedIn, on the other hand, has some personal clues I'd like to protect. Also, do you recommend any password manager programs?

  13. Eric Bram

    July 12, 2016 at 5:08 pm #

    I got one of those emails, but I assumed it was just a phishing attempt to get my Pandora account password. I supposed I would click on the link which would take me to a phony website asking for my Pandora account email address. Then the phisher would send me a link that would direct me to another phony website that would ask me to enter my old password and desired password. Then the phisher would have both my Pandora account email address and password.

    Any time I receive any "security" message that has a link in it that directs me to someplace I'm supposed to confirm or change my security information, I just assume it's a phishing attempt. I figured if it were legitimate it would just tell me to log on to my account and change my password, but would not give me a link which, when I hold my mouse over it, shows about a thousand characters in it. Or if they did give a link, it would be just plain text.

  14. Eric Bram

    July 12, 2016 at 5:09 pm #

    I got one of those emails, but I assumed it was just a phishing attempt to get my Pandora account password. I supposed I would click on the link which would take me to a phony website asking for my Pandora account email address. Then the phisher would send me a link that would direct me to another phony website that would ask me to enter my old password and desired password. Then the phisher would have both my Pandora account email address and my password.

    Any time I receive any "security" message that has a link in it that directs me to someplace I'm supposed to confirm or change my security information, I just assume it's a phishing attempt. I figured if it were legitimate it would just tell me to log on to my account and change my password, but would not give me a link which, when I hold my mouse over it, shows about a thousand characters in it. Or if they did give a link, it would be just plain text.
