Email scam?

  • Hi. I got an email from WordPress. Is this straight from WordPress, or is this a scam?

    Hello,

    We recently discovered your login credentials in a list of compromised emails and passwords published by a group of security researchers. This list was not generated as the result of any exploit on WordPress.com, but rather someone gaining access to the email & password combination you also used on another service.

    Since the email and password associated with your WordPress.com account was in this list, we have reset your WordPress.com password as a precaution to protect your account and web site.

    To request a new password and regain access to your account, please follow these steps:

    Go to WordPress.com
    Click the “Log In” link on the top right of the homepage
    Click on the link “Lost your password?”
    Enter your WordPress.com username: *username*
    Click the “Get New Password” button

    It is very important that your password be unique to WordPress.com. Reusing the same password on different web sites increases the risk of your account being compromised. Now would be a good time to go through all of your online services and set distinct, strong passwords for each.

    While you’re at it, please consider making your account even more secure by enabling two-step authentication. To do so, from the WordPress.com home page, click on your avatar at the top right of your screen, then click “Security” on the left sidebar menu. Select “Two-Step Authentication” at the top of the page and follow the instructions.

    If you have trouble resetting your password, please reply to this message to get help from our support team. We will never ask you to supply your account password or financial information via email.

    The WordPress.com Team

    And the email is sent from passwordhelp@wordpress.com

  • I don’t know, but you should change your password. Do not click on the link provided by them; open the wordpress.com website yourself to prevent a possible phishing attack.

  • Pinging in to say that I’ve received the exact same email as well and decided to change my password. But as the user said above, go to the main WordPress website rather than clicking the link in the email when changing your password, to be on the safe side, even if it looks authentic or is the correct URL. Hopefully WordPress themselves can look into it and answer some questions.

  • Me too, I’ve also received it and done as described above.

  • I received it as well. I think it looks pretty legit, but the thing I noticed is that the username they provided is not one that I use for WordPress. I use it for other sites, but not WordPress. My guess is that you click on the link and when you put in your password, it tells you it is the wrong one, so most people will continue to try their other passwords to no avail. Meanwhile, they are logging each of your passwords. Things are getting tricky out there.

  • I see that this thread has already been tagged for Staff attention.

    It also appears from the content of the email @gtxjokke posted that you are being directed to the WordPress.com website to create a new password, and not to click a link in an email.

    To request a new password and regain access to your account, please follow these steps:

    Go to WordPress.com
    Click the “Log In” link on the top right of the homepage
    Click on the link “Lost your password?”
    Enter your WordPress.com username: *username*
    Click the “Get New Password” button

    It is very important that your password be unique to WordPress.com. Reusing the same password on different web sites increases the risk of your account being compromised. Now would be a good time to go through all of your online services and set distinct, strong passwords for each.

    While we are waiting for Staff to reply, here’s more good information on best security practices: https://en.support.wordpress.com/security/

  • Hi there,

    That email is from us. If you’ve received it, please follow the instructions to set a new password.

    Do not click on the link provided by them, open wordpress.com website yourself to prevent possible phishing attack.

    Excellent advice here from @kulthidalblog, which is also why we posted directions in the email, and not a link that you need to click.

    That said, if you follow those directions and submit the lost password form, you will receive another email with the reset link. That one you’ll need to click.

    If you have any other questions about the email, please reply to it directly and we’ll help you via email.

  • I got the email too, and changed my password. Can you give more details? Like, where did these security researchers publish this list? What sites _were_ compromised that let them obtain this list? What was my password that was compromised (I just had to click to request a change and type in a new one without verifying the old one)?

  • @phildoes

    We prefer not to make too much information available publicly as this is a sensitive issue, but if you reply to the email we can try to answer your questions there.

    I just had to click to request change and type in a new one without verifying the old one

    This is normal. We reset the password, meaning we completely disabled the old one so it no longer exists. The only way you can set a new password is via the unique link we send to your email address when you submit the lost password form.

    In normal circumstances someone would use that form if they can’t remember their password, so it wouldn’t work if we required them to still enter the old password there :)

  • rawlikesushijapan · Member

    Can someone please provide us with the information we need here? Please tell us what site so we can avoid any more trouble.

  • @rawlikesushijapan, follow the instructions in the email you received from WordPressdotcom to reset your account password.

    As @kokkieh (who is WordPressdotcom Staff) requested, please respond to the email you received from WordPressdotcom should you have any other question about this. Thanks.

  • rawlikesushijapan · Member

    I have but I would like to know what site was compromised so that I can make sure my info there is secure. It creates a lot of stress sending that email without more information. I have been worried all day about it. Ruined my Sunday.

  • rawlikesushijapan · Member

    I have opened a chat question I hope I will get some help there, thanks.

  • @rawlikesushijapan as @kokkieh replied earlier:

    We prefer not to make too much information available publicly as this is a sensitive issue, but if you reply to the email we can try to answer your questions there.

    If @kokkieh is not able to mention specifics here, kindly keep any confidential information you receive from the email or chat private and do not post it here. Thanks for your understanding.

  • rawlikesushijapan · Member

    Must be busy, not getting an answer.

  • Hi, @rawlikesushijapan

    I would like to know what site was compromised so that I can make sure my info there is secure

    It is not one specific site. We regularly import known lists of potentially compromised user accounts and passwords from several sources, in an effort to keep all our users secure. If you would like more detail, http://haveibeenpwned.com is a good resource to confirm where your email may have been leaked.

    The bottom line is, if you’ve been using the same password on more than one site, you should update the password on every single site and account where you are using it, and going forward you should make sure to use a unique password for each account.

    If you’re concerned about not being able to remember all the different passwords, you’re not alone. I can’t remember all my passwords either, which is why I use a password manager to generate very long, completely random passwords for all my online accounts, and remember them for me. You can find more information on doing that here:

    Selecting a Strong Password
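The two staff explanations above (the old password being fully disabled so that only the single-use link emailed from the lost-password form can set a new one, and the regular import of published credential lists to catch password reuse) fit together in one worked example. The code below is an added illustration written for this page, not WordPress.com's own code: the user store, the PBKDF2 parameters, the breach rows and the function names are all constructed assumptions, chosen to show the mechanism rather than any real implementation.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical user store. Passwords are kept only as salted PBKDF2-HMAC-SHA256
# hashes; the plaintext is never stored. The iteration count is low so the
# example runs quickly; a real deployment would use a far higher one.
ITERATIONS = 10_000


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: Optional[bytes]               # None means "disabled, reset required"
    reset_token_hash: Optional[bytes] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email=email.lower(), salt=salt, pw_hash=hash_password(password, salt))


def verify_login(user: User, password: str) -> bool:
    if user.pw_hash is None:
        return False                        # a disabled password never verifies
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def import_breach_list(users: dict, breach_rows: list) -> list:
    """For each leaked (email, password) pair, test whether the same password
    also works here. If it does, disable it: the only way back in is then the
    lost-password flow. Returns the emails whose passwords were reset."""
    reset = []
    for email, leaked_pw in breach_rows:
        user = users.get(email.lower())
        if user is None:
            continue                        # not our user; nothing to do
        if verify_login(user, leaked_pw):
            user.pw_hash = None             # the old password no longer exists
            reset.append(user.email)
    return reset


def request_reset(user: User) -> str:
    """Lost-password form: mint a random single-use token and store only its
    hash. The raw token goes into the emailed link; a copy of the database
    alone is not enough to replay it."""
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).digest()
    return token


def complete_reset(user: User, token: str, new_password: str) -> bool:
    """Clicking the emailed link: no old password is asked for, because it was
    destroyed when the account was reset."""
    if user.reset_token_hash is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(user.reset_token_hash, presented):
        return False
    user.reset_token_hash = None            # single use
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    return True


# Constructed sample data, not a real breach dump.
USERS = {u.email: u for u in [
    create_user("alice@example.com", "correct horse battery staple"),
    create_user("bob@example.com", "hunter2"),
]}
BREACH_ROWS = [
    ("alice@example.com", "correct horse battery staple"),  # reused: gets reset
    ("bob@example.com", "not-bobs-password-here"),          # same email, other pw
    ("carol@example.com", "hunter2"),                       # not our user
]

if __name__ == "__main__":
    print("reset:", import_breach_list(USERS, BREACH_ROWS))
    tok = request_reset(USERS["alice@example.com"])
    print("reset ok:", complete_reset(USERS["alice@example.com"], tok, "new unique pw"))
```

Note that only the pairs where the leaked password actually verifies against the stored hash are reset, which is why a user whose email appears in a list with a different password is left alone, and why the staff could say the affected accounts were reused-password cases rather than a WordPress.com exploit.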

  • rawlikesushijapan · Member

    Thank you.

  • You’re very welcome :)

  • Hey,

    Is there an email address to which one can send suspicious emails for you guys to follow up?

    The email address that it came from is (email visible only to moderators and staff)

    Thanks,
    Angelo

  • @angelocastiglione1

    What is the subject line of the email and what is the email about?
