Some users of Pandora Radio have been advised to change their passwords – not because the music streaming service has suffered a data breach, but because Pandora has reason to believe that their passwords may have been compromised.
How can users’ passwords be compromised if Pandora hasn’t suffered a hacking attack? Simple. The affected users have made the classic mistake of reusing the same password on different websites – and one of those other sites has had its passwords compromised.
Here is an email that Pandora has sent to impacted users:
Dear Pandora listener:
As a precaution, we want to make you aware of a situation that could possibly affect your Pandora account.
First off, there is no evidence that your Pandora account has been compromised or tampered with in any way.
However, usernames and passwords that were breached from a service other than Pandora a few years ago were posted on the web recently.
In order to protect Pandora Listeners, our security teams have analyzed the data and found that your Pandora username was included in the list.
If you share passwords across services and haven’t updated them recently, and you haven’t already reset your Pandora password, you should do so now.
Below is a link with which you can request a password reset on Pandora.
Pandora’s email advisory doesn’t make clear which site it means by “usernames and passwords that were breached from a service other than Pandora a few years ago…”, but it’s quite possible it is referring to some of the mega-breaches that have recently grabbed the headlines.
But don’t stop there. After you have changed your Pandora password, you should also ensure that you have created new passwords for any other site where you might be using the same credentials.
Your best defence against password reuse attacks is very simple: stop reusing passwords. Always use different passwords for different websites.
And if you think that your puny human brain can’t remember lots of different, hard-to-crack passwords, then simply get a password manager to do the job for you. That’s what I do.