The other day my wife received an email from Amazon.com saying that her account name, and possibly her password, was found on a website and the information might be real. Amazon wasn't breached. The list of accounts was one of 67,000 released by Lulzsec, and some of them seem to have come from another site unrelated to Amazon.com that she was registered with. Since users tend to re-use passwords, Amazon customer service sent an alert. Unlike other alerts and regular customer communication from other companies, this email didn’t contain any links but did tell her to enter www.amazon.com into her browser and then how to reset her password. That is the proper and safe way to notify users and have them change a password. More companies should follow Amazon’s lead.
User account management and outreach is an important part of any organization's customer service efforts. For many years, banks, insurance companies and other organizations that manage sensitive customer information have largely done their users a disservice by using links in emails. While they are trying to be helpful by providing links, the critical side effect is that users get used to clicking on them, and that is one of many ways of facilitating phishing. Users become accustomed to clicking links in any email that looks legitimate (even one with horrible misspellings). Phishers use that knowledge, plus various techniques, to hide malicious URLs behind HTML anchor tags.
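The mismatch the paragraph describes (visible link text naming one site, the anchor's `href` pointing at another) is also what a mail filter can look for. The following is an added example, not code from the original post or from Amazon: it parses an HTML message body with Python's standard `html.parser`, collects every anchor's target and visible text, and flags anchors whose displayed domain differs from the real target or whose target is not an http(s) URL. The sample messages and the `amaz0n-verify.example` look-alike host are constructed for the demonstration, and the "registered domain" helper is a deliberate simplification (a real filter would consult the public suffix list).

```python
"""Flag anchor tags in an HTML e-mail whose visible text names a different
site than the link target, the classic way a phishing message hides a URL.
Added example; sample messages below are constructed, not real mail."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # finished (href, text) pairs
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude site name: the last two labels (amazon.com from www.amazon.com).
    Simplification for the illustration; real filters use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Host named by a URL or bare domain in the visible text, or None when the
    text is ordinary words ("click here") rather than something URL-like."""
    candidate = text.strip()
    if len(candidate.split()) != 1:      # whitespace: not a single URL/domain
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    # require a dot so a single word is not mistaken for a domain
    return host if host and "." in host else None


def suspicious_anchors(html_body):
    """Return a list of (href, visible text, reason) for anchors worth flagging."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            findings.append((href, text, "link target is not an http(s) URL"))
            continue
        shown = host_of(text)
        if shown is None:
            continue   # nothing in the text to compare the target against
        if registered_domain(shown) != registered_domain(target.hostname or ""):
            findings.append((href, text, "visible text names a different site than href"))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """<p>Your account is locked.</p>
<a href="http://login.amaz0n-verify.example/reset">https://www.amazon.com/account</a>"""
SAMPLE_OK = """<p>Sign in at <a href="https://www.amazon.com/">www.amazon.com</a>.</p>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, suspicious_anchors(body))
```

Anchors whose text is plain words ("Reset your password") are left alone, since there is nothing to compare; that is exactly why the post's advice to type the URL yourself matters more than any heuristic.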
If you work for a company that interacts with customers, do your customers a favor and stop sending emails with links in them. Rather, examine your customer service processes for account management and make them easy (but secure!) to use. Then, create your email templates telling customers to enter the URL in a browser and take the following steps to manage their accounts. If customers complain, and some will, tell them why you are doing so. They’ll get it, and you will have done one small but effective thing to slow the success of phishing.
I tell everyone I know not to click on links in emails, regardless of how legitimate the email looks. If they are telling you to do something, then type the URL in your browser or use a bookmark. If the email is legitimate, then you can always verify that by going to the website directly. Yes, it is slightly less convenient to click a bookmark or type in a URL, but it’s better than having your account credentials stolen.
I also encourage everyone to use a password manager and not re-use passwords across sites. This is slightly harder to do in practice, since it requires extra effort and you have to protect the password manager database, but the benefit is that, if one account is stolen, attackers can’t use one password to get in everywhere. There were a number of Tweets, unverified, of people using the account information in the posted password file to access a number of sites and change the information of victims.
I’d like to thank whoever at Amazon took the initiative to get the list, run a comparison of account names against Amazon’s customer list, and then notify customers of a potential problem.