I have already shared the reason why we had asked Murena Shop users to recreate their passwords. It was as an added safety measure. There was no data breach. We continue monitoring all our services for such attempts to gain unauthorized access.
I have requested the helpdesk to send out mails, if not already sent, reassuring their users.
Good practice is to post a copy of this warning email on the website.
Email is a common vector for spam and scams. When a user receives a warning email, they must check whether it is fake or not. The check is to go to the official website (here https://murena.com/products/smartphones/) or an official channel (like Mastodon or this forum).
I'm sorry @Manoj, but that's not enough of an explanation.
In IT you change user passwords only for specific reasons:
Multiple accounts are compromised and are performing unusually, and you don't know why.
You are aware of an external source like p0wn20wn in which multiple user passwords are used. No hack happened, but it's better to prevent.
You detected unusual behaviour inside your network and suspect an attacker with potential access to unsecured user credentials. You may not definitely know it.
If we are talking about the 3rd case, Murena HAS TO PROVE they found the entry point and that they fixed it, or everybody has to judge the Murena shop to be still compromised and not safe to use.
That's the reason I'm so keen on a more detailed explanation. Because changing everybody's passwords is rather serious and cannot be explained by "no breach, all is good, just to be cautious". No, you change passwords for everybody only if something more serious happened. I want to know because my credit card information is in there and I want to know if you are safe to do business with.
I've had providers expire my password for no apparent reason before. It's a hassle when they do that and I wish they wouldn't, but some do it when you haven't changed your password in some arbitrary amount of time.
A forced password reset wouldn't concern me that much, but if the account is new or they did a blanket reset of all accounts that would be cause for concern. Though I could chalk it up to poor management. Resetting passwords for all accounts as a precaution is not a good idea since it's going to cause problems. Doing something like that would be bad form in terms of administration. Or maybe they made some error that corrupted the password file and they don't want to admit to their screw-up.
As far as security of credit card info, I don't know how things work where you are, but in the USA a compromised credit card is not a big deal. You simply call the bank and they reverse any unauthorized charges. Then they kill the credit card number and issue you a new credit card with a different number. It's pretty painless. It used to happen to me a lot some years ago, but it hasn't happened for a long time. I don't know if that's because my usage has changed or they've made credit card accounts more secure.
This is the email sent out by the helpdesk to customers who had contacted us:
We have understood there is still some concern about the reset of passwords that we triggered 2 weeks ago. To clarify further: we have a lot of routine security checks on our various IT components. It is common that we are made aware of (possible) attacks. This can lead to a number of different actions. In this case, we PREEMPTIVELY triggered a password reset, when the nature of the attack was still unknown to us, to protect users' shop accounts. Upon further research, we discovered that the attack had been successfully blocked and that there had been no breach of user data.
We hope this clarifies things to your satisfaction.
Just asking for a clarification: When you say "password reset" you mean a "message that the user should reset his password", right? Because I only got a message and was not forced to update my password by Murena resetting it. This is an important difference!
I guess I know why the latter was done (an actual password reset by the platform is jarring to the user and can catch him off-guard, e.g. on travels), but this actually threw up red flags for me because the e-mail mentioned a login block/password reset and I, using anti-scam best practice, went to the website myself to check whether reality aligns with what the e-mail said. Only, it didn't align, since everything was as before and still is to this day… So I immediately suspected a scam e-mail and therefore posted here.
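The distinction raised in the post above, between an e-mail that merely asks users to change their password and a reset the platform actually enforces, is easy to see in code. The following is an added example written for this thread, not code from Murena, the /e/ project or any poster; the account store, the `Shop` class, the hashing choice and the sample account are all assumptions made for illustration. It models both variants side by side: `advise_reset()` only queues a notice and leaves the old credential and sessions intact, while `force_reset()` invalidates the stored password and every session and hands out a single-use token that is the only way back in.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; assumption: production
    # code would use argon2id or scrypt with tuned parameters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False                     # set only by force_reset()
    reset_token_hash: Optional[bytes] = None     # hash of the one-time token
    sessions: set = field(default_factory=set)
    notices: list = field(default_factory=list)  # simulated outbound mail


class Shop:
    """Hypothetical shop account store (assumption, not Murena's code)."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, _hash(password, salt))

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a session id, or None when the login is refused."""
        acct = self.accounts.get(email)
        if acct is None or acct.must_reset:
            # After force_reset() the old password is dead until the
            # one-time token has been used, even if it is correct.
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return None
        sid = secrets.token_hex(16)
        acct.sessions.add(sid)
        return sid

    def session_valid(self, email: str, sid: str) -> bool:
        return sid in self.accounts[email].sessions

    # Variant 1: only a mail asking the user to change the password.
    # Nothing server-side changes; anyone holding the old password
    # can keep logging in until the user acts.
    def advise_reset(self, email: str) -> None:
        self.accounts[email].notices.append("Please change your password.")

    # Variant 2: the platform invalidates the credential and all sessions
    # and issues a single-use token (which would be mailed to the user).
    def force_reset(self, email: str) -> str:
        acct = self.accounts[email]
        acct.must_reset = True
        acct.sessions.clear()
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.notices.append("Your password was reset; use the link to choose a new one.")
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts[email]
        if acct.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(acct.reset_token_hash, presented):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_reset = False
        acct.reset_token_hash = None      # token is single use
        return True


def demo() -> dict:
    """Exercise both variants on a constructed account; return what happened."""
    shop = Shop()
    shop.register("alice@example.org", "old-password")   # constructed sample data
    sid = shop.login("alice@example.org", "old-password")
    out = {}
    shop.advise_reset("alice@example.org")
    out["advisory_old_pw_works"] = shop.login("alice@example.org", "old-password") is not None
    out["advisory_session_alive"] = shop.session_valid("alice@example.org", sid)
    token = shop.force_reset("alice@example.org")
    out["forced_old_pw_works"] = shop.login("alice@example.org", "old-password") is not None
    out["forced_session_alive"] = shop.session_valid("alice@example.org", sid)
    out["wrong_token_accepted"] = shop.complete_reset("alice@example.org", "not-the-token", "x")
    out["reset_completed"] = shop.complete_reset("alice@example.org", token, "new-password")
    out["token_reusable"] = shop.complete_reset("alice@example.org", token, "again")
    out["new_pw_works"] = shop.login("alice@example.org", "new-password") is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the practical difference the poster is asking about: after `advise_reset()` the old password and the existing session still work, so the notice is only advice; after `force_reset()` the correct old password is refused, the session is gone, a wrong token is rejected, and the real token works exactly once. If a user who received a "your password was reset" mail can still log in with the old password, the platform did the first thing, not the second, which is exactly the mismatch that made the e-mail look like a scam.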