Watch out for Heartbleed password change phishing emails

A few days ago we discussed the Heartbleed flaw that was causing many people headaches as it potentially allowed scammers to access personal information, such as passwords.

Many of the web services that could have been affected by this – and there were many – have been urging users to change their passwords, just in case their accounts were compromised.

This means that there are more than the usual number of emails floating about cyberspace from companies to their users requesting users change their passwords.

This presents scammers with an unusually effective way to go phishing, since scammers can send their own emails with much more nefarious purposes.

Think about it, you see an email from, let’s say Yahoo, and it says that because of all this Heartbleed nonsense that you need to change your password, and inside the email is a link to go to your account settings to change it.

You, like most people, have heard of the Heartbleed scare and thus believe the email. You click on the link and change your password, which of course usually requires entering your existing password followed by the new password.

The only problem is that the email you got wasn’t from Yahoo. It was from a scammer. The link you clicked directed you to a spoof website that looked like Yahoo and has just stolen your password, and thus potentially given a scammer control of your Yahoo account.

So whilst there will be legitimate emails asking you to change your password, there will also be counterfeit ones as well. To avoid this whole problem, avoid clicking on links inside the email and navigate to the website directly. Something that we recommend doing any way to avoid phishing scams.

Have you seen a Heartbleed “password change” phishing scam yet? Let us know.