Security experts have criticized Sky for sending emails asking customers to create new passwords, saying the emails could easily have been mistaken for scams.
Sky told people with Sky.com accounts to reset their password to “keep your account safe”. However, it began the email with a generic ‘Dear Customer’ (see screenshot), rather than addressing customers personally, leading many to suspect it was a scam.
Security blogger Graham Cluley (www.grahamcluley.com) said the email didn’t include enough personal details: “Why not reference the Sky user’s customer ID or maybe the last three characters of their postcode? That would make the email look more convincing than a generic greeting”.
The email also asked users to click a link and enter their login details to set a new password. Urging people to click email links is a common tactic used by fraudsters.
To make matters worse, Sky didn’t explain in the email why it had reset customers’ passwords, confusing many users, who understandably wondered whether their account had been hacked. Cluley said such lack of detail is likely “to give the typical user collywobbles”.
Only after users complained on social media did the company publish an information page online (www.sky.com), confirming that it reset passwords as a “precautionary measure” because some accounts had been subjected to a ‘credential stuffing’ hack. In these attacks, hackers run stolen usernames and passwords through an automated program in a bid to sign into customers’ accounts.
Sky said it has locked the accounts of everyone affected, and advised them to phone its automated system (03442 411 280) to “unlock” their password. Once that’s done, you need to follow the instructions on the page.