Phishing email received…

  • I received an email saying my wordpress account was blocked, which it was not. How do I notify you of these breaches in security? Is there an email address where I can send these phishing emails?

  • Hi there, if the email didn’t end in @wordpress.com, it is indeed a phishing email. I’m not exactly sure if WordPress.com can help, but I’ve tagged them just in case they can: https://en.support.wordpress.com/getting-help-in-the-forums/#how-do-i-get-a-moderatorstaff-reply-for-my-question

  • It looked legit and the address was passwordhelp@wordpress.com. The body of the email says…
    Howdy,

    Your login credentials were recently discovered in a list of compromised accounts published by security researchers. This list was not generated as a result of any security issue on WordPress.com, but rather an external site or service that you also use being hacked and their user data leaked by the attackers.

    For your security, we have temporarily locked your WordPress.com account (timdowd).

    Until your password has been reset you will not be able to access your sites:
    – timdowd.wordpress.com
    – timothydowd.com
    To request a new password and regain access to your account, please click the “Lost your password?” link on the WordPress.com login page and follow the instructions.

    It is very important that your new password be unique. Using the same password on different web sites increases the risk of your account being compromised. Now would be a good time to go through all of your online services and set distinct, strong passwords for each.

    Once your password has been changed, we strongly recommend making your account even more secure by enabling Two Step Authentication under the Security section of your Profile menu.

    – The WordPress.com Team

  • I got one too. Message headers look legit (with my name and server replaced with myserver.com):

    Return-Path: <neek=(email visible only to moderators and staff)>
    X-Original-To: (email visible only to moderators and staff)
    Delivered-To: (email visible only to moderators and staff)
    Received: from smtp1.dca.wordpress.com (smtp1.dca.wordpress.com [192.0.97.161])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by myserver.com (Postfix) with ESMTPS id 28A4E1810D5
    for <(email visible only to moderators and staff)>; Wed, 18 Jul 2018 11:02:57 +0000 (UTC)
    Received: from wordpress.com (unknown [192.0.89.241])
    by smtp1.dca.wordpress.com (Postfix) with ESMTP id 41VvPm1NcLzMmhY
    for <(email visible only to moderators and staff)>; Wed, 18 Jul 2018 11:02:52 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordpress.com; s=my5;
    t=1531911772; bh=48JFOLcPptE/0q4f9rXYnSmmg6s4dvrKMm6I4DWzwhA=;
    h=Date:To:From:Subject:From;
    b=MGpYpnOJHHNCTnyDSSCknCdERt0cCj8XB6P8PI14DLbEfCLm05pe7ABFjv5R1LUfQ
    BzYgl/06hfTrQWzFuPpc7c/DovuVRLH+IHUEcpnNC39W+leAiQGS3Ex5IZ/H8ZZsK7
    Jd3Fxm31fchrGX9x5nt1cVrltk4FquRftWpsRvdE=
    Date: Wed, 18 Jul 2018 11:02:30 +0000
    To: (email visible only to moderators and staff)
    From: "WordPress.com" <passwordhelp@wordpress.com>
    Subject: Your WordPress.com password has been reset
    Message-ID: <(email visible only to moderators and staff)>
    X-Automattic-Campaign-ID: bluestripe:common
    X-Automattic-Destination: bmVla0BuaWNrZmVud2ljay5jb20=
    X-Automattic-Tracking: 0:1:G9nLAM8t8h9klCVqPIBIyg==.Rk5s0B9bRlOoPkDOBOg/3o3W3Fnp/QQldXCjG+QRHgc8c7NQYsvf7f3Nwe9PCpQq:29428530:0:0
    MIME-Version: 1.0

    Further the email does not attempt standard phishing activities, it reads:

    “To request a new password and regain access to your account, please click the “Lost your password?” link on the WordPress.com login page and follow the instructions.”.

    This leaves you in charge of entering the wordpress.com site yourself and using features on it. Phishing attempts would try to trick you into clicking a fake URL in the email or otherwise tricking you into revealing information to them.

    There seem to be no embedded image URLs, tracking pixels, or other tracking methods in the email, that might leak your information to a third party.

    So I’d say this does not look like a phishing attempt, but it is weird that your account isn’t suspended as the email says it is. Perhaps they screwed up their mailshot recipients and accidentally included you, or failed to actually suspend your account?

    These pages also discuss this email:

    https://en.forums.wordpress.com/topic/close-blog-site/

    Nick

  • I got this one too and account isn’t suspended. Seems phishy…

  • Hi there, Staff will reply when they look in on this thread, but in the meantime please see this previous forum thread when WordPress.com sent out such password reset emails at the end of 2017. Please note the Staff replies at https://en.forums.wordpress.com/topic/help-with-e-mail-received-from-wordpress/

  • Hi there,

    These emails are from us. We’ve forced password resets on a number of accounts as a precaution, and as @neekfenwick points out above, we don’t include an actual password reset link in that email, just instructions how to reach the WordPress.com lost password form on your own.


    @timdowd

    You say your account was blocked, but I can see you requested a password reset link five hours ago, seven hours after we sent you that email, and right before you posted this forum thread. The fact that you had to request a password reset link in order to log in again proves that the account was, in fact, locked by our forced reset. If I’m misunderstanding what you mean, please let me know.


    @foofoomayo

    I got this one too and account isn’t suspended. Seems phishy…

    Nowhere does the email say your account has been suspended. It says your account has been temporarily locked. We locked it by disabling the password you had set, and to access it again you need to request a password reset and set a new password.

    I hope that clarifies things, but let us know if you have any more questions.

  • Thank you @kokkieh.

    Yes I mentioned ‘suspended’ instead of ‘locked’ too, sorry. Sounds the same to me :) A password reset is a sensible thing to enforce. Your team’s approach seems very good, and I think it’s important to recognise what is, and what is not, a phishing attempt. Everything about your email is above board and legitimate.

    We had a couple of obvious phishing emails relating to Virgin Media to my Mum’s account, with clearly invalid ‘from’ addresses and a hyperlink in the email with text that was correct but underlying target URL was fraudulent. Fortunately the most my mum did was print them out for the record and not actually click on anything until I got there to advise her :)

    Stay safe everyone!
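    The two checks Nick describes in this thread (the header chain and DKIM domain in his first post, and the "link text says one thing, the underlying URL says another" pattern in his second) can be scripted. Below is an added example, not code from the thread or from WordPress.com, that parses a message with the standard library and reports: whether the DKIM `d=` tag matches the From domain, whether the receiving server's reverse-DNS for the last hop sits under the sender's domain, which anchors have visible text naming a different host than their `href`, and which remote images are embedded. The two messages it runs on are constructed for the example: the first is modelled on the header block quoted above (addresses and the DKIM `b=` value replaced with placeholders), the second is an invented look-alike with a mismatched link and a tracking pixel. Note that `dkim_aligned` only compares the domain tags; it does not cryptographically verify the signature, which would need DNS and a DKIM library.

```python
"""Added example: header and body triage for a suspected phishing email."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the headers quoted in the thread.
# Recipient addresses and the DKIM b= value are placeholders.
LEGIT_RAW = """\
Return-Path: <bounce@wordpress.com>
Received: from smtp1.dca.wordpress.com (smtp1.dca.wordpress.com [192.0.97.161])
 by myserver.com (Postfix) with ESMTPS id 28A4E1810D5
 for <recipient@example.invalid>; Wed, 18 Jul 2018 11:02:57 +0000 (UTC)
Received: from wordpress.com (unknown [192.0.89.241])
 by smtp1.dca.wordpress.com (Postfix) with ESMTP id 41VvPm1NcLzMmhY
 for <recipient@example.invalid>; Wed, 18 Jul 2018 11:02:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordpress.com; s=my5;
 t=1531911772; bh=48JFOLcPptE/0q4f9rXYnSmmg6s4dvrKMm6I4DWzwhA=;
 h=Date:To:From:Subject:From;
 b=PLACEHOLDER_SIGNATURE_VALUE
Date: Wed, 18 Jul 2018 11:02:30 +0000
To: recipient@example.invalid
From: "WordPress.com" <passwordhelp@wordpress.com>
Subject: Your WordPress.com password has been reset
MIME-Version: 1.0
Content-Type: text/html

<p>To request a new password, please click the "Lost your password?" link
on the WordPress.com login page and follow the instructions.</p>
"""

# Constructed look-alike (invented hosts) with the pattern from the second post:
# correct-looking link text, fraudulent underlying target, plus a tracking pixel.
PHISH_RAW = """\
Received: from mail.example-attacker.invalid (mail.example-attacker.invalid [203.0.113.10])
 by myserver.com (Postfix) with ESMTPS id 0000000000
 for <recipient@example.invalid>; Wed, 18 Jul 2018 12:00:00 +0000 (UTC)
From: "WordPress.com" <passwordhelp@wordpress.com>
To: recipient@example.invalid
Subject: Your WordPress.com account is locked
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Click <a href="https://login.wordpress.com.example-attacker.invalid/reset">
https://wordpress.com/wp-login.php</a> to reset your password.</p>
<img src="https://tracker.example-attacker.invalid/open?id=123" width="1" height="1">
"""

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")


def address_domain(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """The d= tag of the DKIM-Signature header (empty string if unsigned)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return ""
    tags = dict(t.strip().split("=", 1) for t in re.sub(r"\s+", " ", str(sig)).split(";") if "=" in t)
    return tags.get("d", "").strip().lower()


def received_hops(msg):
    """Received headers top-down (newest first) as helo/rdns/ip dicts.
    The rdns and ip are recorded by the *receiving* server, so unlike the
    HELO name they cannot be chosen by the sender."""
    hops = []
    for rcv in msg.get_all("Received", []):
        m = RECEIVED_RE.match(re.sub(r"\s+", " ", str(rcv)).strip())
        if m:
            hops.append(m.groupdict())
    return hops


def under_domain(host, domain):
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


class _BodyCollector(HTMLParser):
    """Collect (href, visible text) for anchors and src for images."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Anchors whose visible text names a host different from the href host."""
    p = _BodyCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        shown = urlparse(text if "://" in text else "https://" + text).netloc.lower()
        if HOSTNAME_RE.match(shown) and shown != urlparse(href).netloc.lower():
            out.append((text, href))
    return out


def remote_images(html):
    p = _BodyCollector()
    p.feed(html)
    return [src for src in p.images if "://" in src]


def triage(raw):
    """Run all checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = address_domain(msg.get("From"))
    hops = received_hops(msg)
    last_rdns = hops[0]["rdns"] if hops else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "from_domain": sender,
        "dkim_domain": dkim_signing_domain(msg),
        "dkim_aligned": dkim_signing_domain(msg) == sender,  # domain tags only, no crypto
        "last_hop_rdns": last_rdns,
        "last_hop_in_sender_domain": under_domain(last_rdns, sender),
        "mismatched_links": mismatched_links(html),
        "remote_images": remote_images(html),
    }


if __name__ == "__main__":
    for label, raw in (("modelled on thread", LEGIT_RAW), ("constructed look-alike", PHISH_RAW)):
        print(label, triage(raw))
```

    On the message modelled on the thread every check is clean; on the look-alike the From domain is the same but nothing else lines up: no DKIM signature, a last hop outside the sender's domain, a link whose text and target disagree, and a remote 1x1 image. A clean result is not proof of legitimacy (a compromised legitimate sender passes all of these), but a dirty one is a reliable reason to stop and verify out of band, exactly as the posts above did.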

  • @kokkieh yes you misunderstand… I logged into my wordpress site and updated a few plugins… so I assumed that I was being phished… then I tried to find out how to notify you and found this forum… logging into this forum I was asked for my password which I forgot so I requested a reset… My wordpress site named in your email was unaffected… probably because I host it at GoDaddy… but thanks for the confirmation it was you and not hackers…
    you may close the thread now…

  • Where may I view the “list of compromised accounts published by security researchers” to which the email refers?

  • Hi, I also received this email but wasn’t aware that I even have a WordPress account…? Any advice please? Someone I know writes a blog in WordPress which I read but having my own account is news to me. Thanks, Jo

  • Hi @joannalouisecross, was it on the account that you are logged in here with or for another account? I’m seeing two sites listed on the account you are logged in with.

  • @rhbecker, if you wish to see if any of your email addresses were compromised, you can enter them here to find out: https://haveibeenpwned.com/.

    For security and privacy reasons the lists will not be made available.

  • In response to @thesacredpath recommending to check haveibeenpwned, bear in mind that as @justjennifer linked to previous responses by staff at https://en.forums.wordpress.com/topic/help-with-e-mail-received-from-wordpress/ , @kokkieh did say that “Haveibeenpwned.com is just one of several services we monitor that disclose data from known breaches like this. So your email not being flagged on haveibeenpwned does not necessarily mean it hasn’t been part of any breach.” :)
