You might like

5 Responses to Sending a "Heartbleed" password reset email? Please don't include a login link!

  1. Bob · 508 days ago

    Just had an email from Pinterest regarding this issue with a suggestion to change passwords - complete with a nice 'reset password' link.

  2. I recieved an email supposedly from Bitcasa, which had exactly the same. When I say supposedly it's because I couldn't figure if it was Bitcasa being amateurish or a clever phisher with a sense of humour.

    The link leads to a sub-domain - - so I guess it's legit, but wouldn't wanna try my luck as the email in general looked dodgy with a weird return path.

    Instead I decided to delete my account, which I had never used since I first tried it out. That turned out to be a challenge as they have no visible clues on how to do it.

    After applying some duckduckgo-fu I found a link to their support forums - where I had to create an account (!) to read and article explaining that you have to send a support ticket with the subject "Delete my account." Brave new IT world ;)

    Much to my surprise I actually got an automated answer asking me to confirm the deletion by replying. Still waiting for a response to that though.

    The funny part:

    The HTML version of their initial mail looked very professional - besides the link part - but the plain text version was very different. The quote below is the entire plain text part:

    Last Chance to Save 35%
    Seriously, this is your last chance.

    Dave doesn't work here
    i gotta check out the brochure, nom nom nom nom .

    We love Curry Fries
    Curry fries are good, get in my belly yum yum yum yum.

    -Bitcasa Team

    • Paul Ducklin · 507 days ago

      Chilli goes better with fries (chips) than curry!

      My guess would be that someone just put some placeholder text in while testing...and then, ah, forgot to remove it. And my advice would be, "Don't do that."

      If you must have placeholder text, in documents, emails, code strings, and so on, use something that will not leave you with egg on your face or nearly mean something incorrect or misleading.

      There are many lorem ipsum [qv] generators on the web that can give you realistic looking (Roman) text that helpfully has no meaning that might add to your embarrassment if you accidentally publish it.

  3. Laurence Marks · 507 days ago

    Hmmm. All the web server folks are running around screaming "Change your password! Change your password! The sky is falling."

    But the credit card folks (who have much more skin in the game) aren't saying a thing.

    Do you hear anyone crying wolf?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog