Mandatory password reset for some Facebook and Netflix users in wake of mega-breaches

Don’t panic. Facebook and Netflix have not suffered a data breach.

But it’s quite possible that they are asking you to change your password.

The reason for the mandatory password reset is that recent weeks have seen a series of revelations about so-called mega-breaches. Sites like LinkedIn, Tumblr and MySpace have all suffered at the hands of hackers, who are selling the user information and passwords of millions of users on the dark web.

And, as even Facebook CEO Mark Zuckerberg knows all too well, many internet users are guilty of committing the sin of using the same password on different websites.

Human apathy and lack of awareness being what they are, it’s great to see companies like Netflix and Facebook proactively take steps to protect their users – examining the contents of some of the recent mega-breaches, and comparing them to their own user databases.

And, where they believe a password is likely being reused, informing the user that it’s high time for a password reset.
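The reuse check described above, as an added example that is not Facebook’s or Netflix’s own code: a constructed breach dump (email and leaked plaintext password) is compared against a constructed user store holding only salted hashes, and an account is flagged for a forced reset only when the leaked password verifies against that account’s current hash. The KDF, sample data and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of a "mega-breach" dump: (email, plaintext password) pairs.
# Purely illustrative; not data from any real breach.
BREACH_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user_record(email: str, password: str) -> dict:
    """Build a user record the way the site's own store would: salt + hash only."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

# Constructed internal user store. Alice reused her leaked password; Bob did not;
# Carol is not a customer; Dave shares Bob's leaked password but under another email.
USER_DB = {
    "alice@example.com": make_user_record("alice@example.com", "Summer2016!"),
    "bob@example.com": make_user_record("bob@example.com", "a-different-password"),
    "dave@example.com": make_user_record("dave@example.com", "hunter2"),
}

def find_reused_credentials(breach_dump, user_db) -> set:
    """Return the local accounts whose current password equals the password
    leaked for the same email address in the breach dump.

    Only the leaked plaintext is hashed (with the local salt); the local store
    never needs plaintext, and only matching email addresses are compared, so
    Dave is not flagged even though his password appears in the dump."""
    at_risk = set()
    for email, leaked_password in breach_dump:
        record = user_db.get(email.lower())
        if record is None:
            continue  # not a customer here; nothing to compare
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            at_risk.add(email.lower())
    return at_risk

if __name__ == "__main__":
    print("accounts to force-reset:", sorted(find_reused_credentials(BREACH_DUMP, USER_DB)))
```

Accounts in the returned set would be put through the reset-at-next-login flow rather than emailed a link.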

As security blogger Brian Krebs reports, notifications are already being seen by Facebook and Netflix users… and it wouldn’t be a surprise if other big internet firms jumped on the bandwagon.

Here is the message that some Facebook users are seeing:

Facebook notification

Someone May Have Accessed Your Account

Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

To secure your account, you’ll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish.

And here is the email that Brian Krebs reports Netflix is sending to some of its customers:

Netflix email

Personally I prefer Facebook’s approach of asking you to reset your password at next login, rather than the manner in which Netflix has emailed some of its customers. The danger of asking users via email to reset their passwords by clicking on a link is… well, isn’t that precisely what phishing attacks do all the time?

It would be relatively easy for a scammer to spam out emails claiming to come from Netflix which might pretend to link to the real Netflix website, but in reality take users to a bogus site instead.

And, if those users are indeed in the habit of reusing their passwords across the net, then they have not just handed over their credentials to someone who might want to watch the latest episodes of “House of Cards” or “Orange is the New Black”, but also their email, Amazon, PayPal, and other accounts.

Take care folks. Get out of the bad habit of using the same password on multiple websites, and consider acquiring a decent password manager instead. If possible, enable two-step verification on your online accounts (on Facebook it is called Login Approvals) to harden your account security.

Author Graham Cluley, We Live Security


Copyright © 2016 ESET, All Rights Reserved.