Pandora tells some users to reset their passwords

Graham Cluley

Pandora tells some users to reset their passwords

Pandora

Some users of the Pandora Radio have been advised to change their passwords – not because the music streaming service has suffered a data breach, but because Pandora has reason to believe that their passwords may have been compromised.

How can users’ passwords be compromised if Pandora hasn’t suffered a hacking attack? Simple. The affected users have made the classic mistake of reusing the same password on different websites – and one of those other sites has had its passwords compromised.

Here is an email that Pandora has sent to impacted users:

Email sent to Pandora user

Dear Pandora listener:

As a precaution, we want to make you aware of a situation that could possibly affect your Pandora account.

First off, there is no evidence that your Pandora account has been compromised or tampered with in any way.

However, usernames and passwords that were breached from a service other than Pandora a few years ago were posted on the web recently.

In order to protect Pandora Listeners, our security teams have analyzed the data and found that your Pandora username was included in the list.

If you share passwords across services and haven’t updated them recently, and you haven’t already reset your Pandora password, you should do so now.

Below is a link with which you can request a password reset on Pandora.
https://www.pandora.com/account/help

Pandora doesn’t make clear in its email advisory quite what site it is referring to when it refers to “usernames and passwords that were breached from a service other than Pandora a few years ago…” but it’s quite possible they are referring to some of the mega-breaches that have recently grabbed the headlines.

Reset your Pandora password

But don’t stop there. After you have changed your Pandora password, you should also ensure that you have created new passwords for any other site where you might be using the same credentials.

Your best defence to protect against password reuse attacks is very simple: stop reusing passwords. Always use different passwords for different websites.

And if you think that your puny human brain can’t remember lots of different, hard-to-crack passwords then simply get a password manager to do the job for you. That’s what I do.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

21 Replies to “Pandora tells some users to reset their passwords”

  1. Bad Post. Did you either confirm with Pandora the authenticity of the email or research the imbedded links to reset your password? Hover your mouse and look at it – it goes to Singapore (SG). The service, operated by Pandora Media, Inc., is available only in Australia, New Zealand, and the United States, and is NOT based in Singapore. So much for your level of "security"…

    1. Thanks for the comment, but I believe you are mistaken.

      If you hover your mouse over the links in Pandora's email they go to sg.pandora.com – that's not anything to do with Singapore. Instead I suspect the sg stands for SendGrid, the email delivery service that Pandora appears to be using.

      I would agree with you that ideally Pandora would have included direct links in its advisory email, rather than redirecting via SendGrid, to make it look less phishy to the untrained eye – although they're hardly the only ones to do that.

    2. I think the question here is, before you cast your stone at the author, did you do any proper diligence before claiming the author didn't do their diligence? Doubt you did, or else you'd see it is a legit post.

      If anyone knows one of the sites compromised, please post. My elderly neighbor asked me to look into this for her as one of her accounts was a potential target. ,

  2. https://haveibeenpwned.com/

    Mine was on linkedin

    ………………………………………………..

    1. Interesting… My daughter has Pandora and she uses my email and does not have linkedin, but I do. How many passwords and who's need to be changed?

  3. This was the reply from them, directly. It's kind of odd. It's about LinkedIn more than Pandora?

    —–

    Thanks for writing and sorry for any confusion.

    We did send you this email. LinkedIn was affected by a data breach resulting in usernames and passwords being released to the internet last month. Pandora identified your information from the LinkedIn credential dump.

    Like LinkedIn, Pandora usernames are made up of the email address registered to the account. We don't have access to your LinkedIn account password. We are just letting you know as a precaution since many people use the same email address and password on multiple accounts.

    To verify that this email address or any other email address you may have was affected by this breach you can visit this site: https://haveibeenpwned.com/

    At this time, there is no evidence that your Pandora account has been tampered with. However, we pride ourselves on running a tight ship and threats of this nature are taken very seriously. As a precautionary measure, our security team has determined that it would be well advised to update your Pandora password.

  4. I've got exactly this one. How can I check/prove that the email was really send by pandora.com? Can I forward the mail to pandora to get a confirmation? And if, what's the address?

  5. I found that 2 or the 3 emails I carry for various things have been breached…..is it advisable to delete those emails?…They are aol and bellsouth.

  6. I also received this email. However, I don't use a username and password to login to Pandora. i do it through Facebook. Does that mean I need to change my Facebook password? I'm confused.

  7. I really appreciate this article, but I feel it is not clear on how to determine who should change what on what websites?
    More clarification would be appreciated. Thanks so much !

    1. If you received the notification email from Pandora then you should consider changing your password on Pandora.

      Make sure it is a strong, hard-to-crack password – and ensure that you are not using the same password anywhere else on the net. Pandora hasn't said where it has got its information from – but if you were using the same password anywhere else, it makes sense to change it there too.

    1. Then you potentially have a problem.

      But I would argue that it is less of a problem than reusing passwords, or using your brain to choose "random", unique, hard-to-crack passwords.

      And if your password manager is on your local machine and your computer gets hacked to access the password manager, well.. you've probably got more things to worry about than just your password manager being hacked.

  8. Hi, I just got the Pandora email today. But, I only use Pandora on my phone. I downloaded the App a few years ago. I don't subscribe to anything nor do I use a password when I open it. Does this effect me? If so, what do I do? Thanks, vpod

    1. You may never log into the Pandora website, but your app will be using a password to connect to your account in order to listen to music.

      If you've received the email warning from Pandora, it would probably be sensible to visit their site and reset your password. Also ensure that you are not using the same password anywhere else on the web.

  9. The main reason that I'm concerned and also confused is that I am 99.999999% sure that I never opened a Pandora account, so there would be no password to change! I'm just not sure what to do here. Do you think it's safe to simply hit "reply" and ask them what in the heck this is all about? The sender address is as shown above, pandora-support@pandora.com. Help! Thank you in advance :-)

  10. To your point, I never received a notice or request to change my LinkedIn password and mine was apparently involved in the breach, according to that pwned link below. I also received the Pandora email. Curious, with a site like Pandora where I don't store any personal or financial data, what is the harm if it gets hacked? LinkedIn, on the other hand, has some personal clues I'd like to protect. Also, do you recommend any password manager programs?

  11. I got one of those emails, but I assumed it was just a phishing attempt to get my Pandora account password. I supposed I would click on the link which would take me to a phony website asking for my Pandora account email address. Then the phisher would send me a link that would directly to another phony website that would ask me to enter my old password and desired password. Then the Fisher would have both my Pandora account email address and password.

    Anytime I receive any "security" message that has a link in it that directs me to someplace I'm supposed to confirm or change my security information, I just assume it's a phishing attempt. I figured if it were legitimate it would just tell me to log on to my account and change my password, but would not give me a link which, when I hold my mouse over it, shows about a thousand characters in it. Or if they did give a link, it would be just plain text.

  12. I got one of those emails, but I assumed it was just a phishing attempt to get my Pandora account password. I supposed I would click on the link which would take me to a phony website asking for my Pandora account email address. Then the phisher would send me a link that would direct me to another phony website that would ask me to enter my old password and desired password. Then the phisher would have both my Pandora account email address and my password.

    Any time I receive any "security" message that has a link in it that directs me to someplace I'm supposed to confirm or change my security information, I just assume it's a phishing attempt. I figured if it were legitimate it would just tell me to log on to my account and change my password, but would not give me a link which, when I hold my mouse over it, shows about a thousand characters in it. Or if they did give a link, it would be just plain text.

  13. Haha, I happened upon this post while doing a Google search about Pandora asking for passwords: I received such an email just 14 minutes ago. I found it suspicious, as it just demands, "Change your password" and blah blah…yet doesn't have information beyond that (and yup, I searched about that "sg" thing as well).

    In any case: great post! I apologize if I am breathing life into something seemingly "dead"…but it's not!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES