OFFICIAL SECURITY BLOG
April 17, 2014 | BY Jovi Umawing
In response to AWS’s announcement that several of its services were found vulnerable to the Heartbleed bug, Gearbox Software, the studio behind the Borderlands series (and several Half-Life expansions), urged its community of Borderlands 2 players to change their passwords.
Game developers keeping their community informed, whether about a potential breach of their systems or the latest news about their most loved games, is the right thing to do. However, Gearbox executed its notification email in poor form:
Subject: SHiFT Security Notice
SHiFT is Gearbox’s rewards platform, where the studio hands out in-game freebies to its community: keys and character loot, to name a few. Anyone with a SHiFT account can link it to their Steam, Xbox Live and Sony Entertainment accounts.
And, yes, the email above is legit.
Once users click the “Reset Password” button, they land on a page saying that a password reset email has been sent to their address.
Subject: Reset password instructions
This, too, is legit.
Since everything so far has been legitimate, you may be wondering what I’m really getting at. Including a link in the email to reset the user’s password trains users to click links in email, which is exactly the behaviour that spam and phishing emails rely on.
I understand that links in emails are convenient, but when the security of account data is at stake, it is better for game companies to tell users to visit the official site themselves and make the necessary changes there.
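As an added illustration (this is not code from the original post, nor anything Gearbox ships), here is a small Python check that a security team could run over outgoing notification templates before they are sent: it parses the MIME message, collects every href in the HTML part and every bare URL in the text part, and passes the template only if no link is present. Both sample messages are constructed here; the example.com addresses and sender names are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Bare URLs in plain text or in the visible text of an HTML part.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects <a href=...> targets and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def find_links(raw_message: bytes) -> list[str]:
    """Return every link (href or bare URL) found in any text part, deduplicated."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            found.extend(collector.hrefs)
            found.extend(URL_RE.findall("".join(collector.text)))
        elif ctype == "text/plain":
            found.extend(URL_RE.findall(part.get_content()))
    unique = []
    for link in found:
        if link not in unique:
            unique.append(link)
    return unique


def is_link_free(raw_message: bytes) -> bool:
    """A notification passes this check only if it carries no clickable link at all."""
    return not find_links(raw_message)


def build_message(subject: str, text_body: str, html_body: str = None) -> bytes:
    """Construct a multipart/alternative notification (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "security@example.com"   # placeholder sender
    msg["To"] = "player@example.net"       # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(text_body)
    if html_body:
        msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed sample 1: the pattern criticised above, a reset button that is a link.
LINKED_NOTICE = build_message(
    "Security Notice",
    "Reset your password: https://account.example.com/reset?token=abc123",
    '<p>Click <a href="https://account.example.com/reset?token=abc123">'
    "Reset Password</a> to continue.</p>",
)

# Constructed sample 2: the same advice with no link; the user types the address.
LINK_FREE_NOTICE = build_message(
    "Security Notice",
    "We recommend changing your password. Open your browser, type the address "
    "of our website yourself, sign in, and change it from your account page. "
    "We will never email you a link to do this.",
    "<p>We recommend changing your password. Open your browser, type the "
    "address of our website yourself, sign in, and change it from your "
    "account page. We will never email you a link to do this.</p>",
)

if __name__ == "__main__":
    for label, notice in (("linked", LINKED_NOTICE), ("link-free", LINK_FREE_NOTICE)):
        print(label, "->", "PASS" if is_link_free(notice) else find_links(notice))
```

Running the block reports the first template as failing (its single reset URL is listed) and the second as passing. Tracking-pixel and unsubscribe links are deliberately not exempted: if the template policy is "no clickable links in security notices", every href counts.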
Almost a year ago, Ubisoft was compromised and account credentials were stolen. Immediately afterwards, the company sent out notifications asking users to update their passwords. The email, as you may have guessed by now, contained a reset link.
I wish to reiterate what we have been telling our readers since time immemorial: never click links in emails. If you know of a company that is doing this, or still continues to, I think it won’t hurt to call them out.