Security Sense: Are we Beginning to Over-Communicate Data Breaches?

I got an email from Pandora the other day. That in itself is a bit unusual as I haven’t used the service in quite some time and I always opt out of any non-essential comms, but it was the content of this email that I found particularly interesting. They started out with an ominous opening sentence:

“As a precaution, we want to make you aware of a situation that could possibly affect your Pandora account”

Uh oh, they get hacked? Quite the contrary actually as they then went on to explain:

“However, usernames and passwords that were breached from a service other than Pandora a few years ago were posted on the web recently. In order to protect Pandora Listeners, our security teams have analyzed the data and found that your Pandora username was included in the list.”

This is part of a recent trend where organisations proactively warn their customers when they’re exposed in another site’s data breach. But Pandora is taking it a step further which is what’s worrying me a little. You see, in the link above, Amazon are proactively notifying their customers when they find reused credentials, that is both the user’s username (usually an email address) and their password appear in another data breach. There are some tricky logistics as to how they actually do this when the passwords are hashed but be that as it may, notifications such as Amazon’s occur when there’s a real risk of account takeover as the credentials are identical. Pandora’s, however, is altogether different.

My Pandora password is unique to Pandora. It’s 20 characters long and it was randomly generated by 1Password. The other service Pandora refers to in their email is almost certainly LinkedIn which was being sold around the web more than five weeks before they sent their notification. The LinkedIn hack occurred in 2012, the year after I implemented 1Password and changed all accounts – including LinkedIn – to long, strong, random strings. On the face of it, Pandora has decided to become a breach notification service.

I have a number of problems with this and the first is that their approach is simply not scalable for the end user. We all have dozens – perhaps hundreds – of online accounts, do we really want each one to send us an email when a data breach occurs and our address is found in there?

Then there’s the vagaries of their messaging; in the email above they say “breached from a service other than Pandora”. Which service?! What do I as an everyday person do with the information they just sent me? The password wasn’t reused so they’re not saying “change your Pandora password”, but they also don’t tell me what service was compromised so I don’t have any actionable information.

This is just not a service I want from Pandora or from any other website that has absolutely nothing to do with the one that was compromised unless it poses a clear and present threat to my Pandora account. I’m honestly mystified by the approach and frankly, my first thought when I saw the message (complete with a link to a password reset page), was that it was a phishing email!

We need better ways of dealing with data breaches and alerting those impacted to the heightened risk they now face. But we need to be sensible about it too and this means the right organisations communicating the right information to the right people. Unfortunately, Pandora’s email is none of these things.