Sky Customers Are Informed That Their Passwords Have Been Reset as a 'Safety Precaution'
What's worse than a cybersecurity incident? A poorly handled cybersecurity incident. British telecommunications provider Sky UK is trying to give everybody a pretty good understanding of what 'poorly handled cybersecurity incident' actually means.
Typically, when there's been a problem with a company's online security, three questions pop up immediately:
"What happened exactly?"
"When did it happen?"
"What is the affected company doing to prevent future attacks?"
Miraculously, Sky managed to fail to answer all three questions.
Password reset emails start flying around
It all began around July 13, when Sky subscribers started having trouble logging in to their Sky email accounts. Sometime later, they got notifications telling them that their passwords had been reset. The emails didn't really give out much information about what was going on. They did come with an apology for the inconvenience, and the customary "we take security seriously" claim was also there, but Sky didn't actually tell users why they were being forced to pick new passwords. To some extent, this set the scene for the rest of the story.
Users start asking questions
Predictably, people began wondering whether the emails were real. The unexpected nature of the notifications and the fact that they weren't accompanied by any sort of official announcement got users worried that they might be facing a phishing attack. Not surprisingly, they took to Twitter to express their concern, and Sky's social media team were quick to reassure them that the emails were legitimate. Once again, however, nobody was willing to say what had prompted the unexpected password reset campaign.
Sky fails to answer the questions
According to Sky's tweets, the passwords were being reset as "a security precaution". The support people didn't say whether the passwords were deemed too old or whether they had been exposed to any real risk, and even after a not-terribly-gentle nudge from security researcher Troy Hunt, they still remained incredibly tight-lipped.
Sky is one of the UK's biggest telecommunications providers, and the matter inevitably caught the attention of journalists. Davey Winder covered the story for Forbes, and predictably, he tried to find out what was going on. Sky did respond, and it finally shed some light on the matter.
Apparently, Yahoo, the company helping Sky maintain its email service, noticed unauthorized access to some accounts after what is believed to be a credential stuffing attack. Sky was notified, and it decided to play it safe and reset the passwords of all users who have Sky email accounts. People were even pointed to a page on Sky's Help section which was supposed to help us understand what was going on. The page didn't do a terribly good job, though.
It didn't say when the attack happened, there was no mention of how many people might have been affected, and apart from the fact that some passwords had been reset, there was no information on what sort of measures had been taken to minimize the risk of further attacks. Yahoo hasn't given out any information on the matter, either.
People continue to ask questions, and these questions continue to remain unanswered. Under the best circumstances, this would be a less than ideal situation. When users' security is at stake, however, the impact on the affected company's credibility is much more significant, and its customers are much more frustrated.