When Tech Companies Send You Email
We use services like Facebook, Twitter and Instagram, but we don't expect to get email from them. What is your reaction when you do? Do you believe what you read and act on it, or are you suspicious of some sort of scam? Do you click on links provided in the emails? In the past week, many people heard from these services by email. Were you among them?
Facebook's emailed legal notice
Facebook sent an email to some of its users last week with the subject line "LEGAL NOTICE OF SETTLEMENT OF CLASS ACTION." The email explained what the class action was about:
The Action claims that Facebook unlawfully used the names, profile pictures, photographs, likenesses, and identities of Facebook users in the United States to advertise or sell products and services through Sponsored Stories without obtaining those users' consent. Facebook denies any wrongdoing and any liability whatsoever. No court or other entity has made any judgment or other determination of any liability.
Like other letters about class action lawsuits, the recipient of the letter has to fill in a bit of paperwork to be part of the suit. Each recipient was given a unique case number and a URL for the law firm handling the case.
Like others I talked to about this, I wondered if the letter was legitimate. Before I volunteered personal data, I went looking for more information about the story. Here's what PCWorld said in "Facebook legal notice could get you cash, so don't trash it":
To settle a class action lawsuit (Angel Fraley v. Facebook) resulting from those allegations of unlawful use of its members' content, the social network is proposing to pay $20 million into a fund to be used to pay members who appeared in the sponsored stories.
If you received the legal notice from Facebook, you may be paid up to $10 as part of the settlement.
That $10 was a high estimate; the payout could be less, depending on the number of people who sign up to participate in the class action suit.
But that email turned out to be legitimate. You can sign up for the potential payout with no worries about being scammed.
Twitter sends an email
On the Twitter blog, in "Keeping Our Users Secure," there was an announcement about an email that some 250,000 Twitter users would receive.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
That email was legitimate as well. Many people who didn't receive the email changed their passwords on Twitter anyway, just as a precaution.
Hearing from Instagram
Last week I heard from Instagram by email as well. The email said that someone had tried to change my password and wanted confirmation that it was me. It was not. I looked at my Instagram account and didn't see any content that I hadn't put there myself, so I hadn't been hacked – yet.
This was a personal email, not one sent to thousands of people. You often get an email like this after you change a password. Those emails say something like "hey, was it really you who just changed your password?" If it was you, no action is required, but if it wasn't – you've been warned.
There was a link in the email to my Instagram account, but I didn't follow it. Maybe it's paranoia, but I never follow links in emails to any accounts - I always open a browser and navigate to the appropriate URL. It only takes one instance of getting fooled into clicking a link in an email to get sent to some bogus site that will grab my password or other sensitive info. At Instagram, I opened my profile and changed my password as a precaution.
Even when I'm expecting an email, for example a notice that my phone bill is ready to view, I never use the links in an email. Do you use links to your accounts in emails when sensitive information is involved?