Email prompt to reset password

  • Problem
  • Updated 1 week ago
I'm a little concerned. I received 2 emails from Citrix with the following:

"There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts. In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFile. We believe this is an important step to continue to help our customers use our solutions securely."

The problem I have with this email is that it is an email with a link to reset a password. That typically is not expected from a company, unless it's something that I initiated. My first reaction was, someone stole my password and gained unauthorized access. My second reaction was, this is a phishing activity.

I really think that whoever approved this email should re-think the way it was sent. A prompt asking them to log in, without a link, would be smarter, and confirming with them something to the effect of, "we will never send you an email with a link to access your account" would be smart.

I'm just a little surprised to see something so careless from an organization that should know better.

Just my thoughts, and perhaps my suggestion that this practice be changed.




burnsey

  • 1 Post
  • 0 Reply Likes

Posted 2 weeks ago


Cheryl Parrish

  • 1 Post
  • 1 Reply Like
Exactly what I thought! 100%. I actually just changed my password on Sunday, so I was concerned about the email after that. I would never "click" here from an email. Not ever. I would only do it by logging in. I am very concerned and now very worried about the safety of my business and who made this decision. And I did not change my password again. Tech support is a joke. When will they hire more people?

Lukas

  • 13 Posts
  • 2 Reply Likes
Some of my users got this mail too; I found it in my spam folder. It's already a big theme here in the community. Let's see what ShareFile is telling us about this.

Matthew

  • 12 Posts
  • 0 Reply Likes
Technical support would need to hire hundreds of additional people to handle the call volumes we're receiving right now.

jason MAMC

  • 74 Posts
  • 16 Reply Likes
It doesn't make sense because there is a security feature to force people to change their passwords. You set it to 90 days, 180, etc. Why would Citrix take it upon themselves to reset passwords? If anything, force that feature, but what if I changed my password on Friday because I have that security feature enabled and then they did this on Sunday? It's bonkers. It just smells like they were compromised.

Lukas

  • 14 Posts
  • 3 Reply Likes
It looks like ShareFile forces their password reset over the one admins configured. Doesn't make sense, but okay.

Matthew

  • 12 Posts
  • 0 Reply Likes
Accounts that were affected by this credential stuffing did not have any password reset options in place:

https://www.citrix.com/blogs/2018/12/04/citrix-forces-password-reset-to-protect-against-credential-s...

Gareth Houston

  • 7 Posts
  • 2 Reply Likes
It's genuine alright; http://status.sharefile.com/#

Joe Moore

  • 2 Posts
  • 1 Reply Like
Genuine yes, but poorly executed, don't you think?

Gareth Houston

  • 7 Posts
  • 2 Reply Likes
Very badly handled, especially after I checked the best I could do to make sure the email was from Citrix, when I followed the link to reset my password I did not receive an email, which straight away made me very worried. I had to use the reset link on the login screen to get an email and change my password. As the Administrator I then had to reassure those within my organisation that even though the email looked like a PHISHING email and in some cases had gone into their Junk Folder, it was genuine. Very poorly handled.

Lukas

  • 14 Posts
  • 3 Reply Likes
Houston, I think they have a problem :-)

Gareth Houston

  • 7 Posts
  • 2 Reply Likes
That's not the first time I have heard that!

Carol Grosvenor

  • 1 Post
  • 0 Reply Likes
I too experienced not receiving an email after following the Citrix link. I then went to another section of Citrix support to request a password reset and that support site doesn't recognize my email. I need access to my data... now!

rahn6502

  • 1 Post
  • 3 Reply Likes
Isn't the general consensus now that mandatory password reset is a bad idea? Oh, you didn't get the memo?

Matthew

  • 10 Posts
  • 0 Reply Likes
Mandatory password resets prevent unwarranted third-party access, especially when said access goes unnoticed until it's too late.

Greg Francis

  • 9 Posts
  • 3 Reply Likes
I was out on vacation when this occurred. We use KnowBe4 for phishing training and a number of people submitted the ShareFile e-mail as potential phishing. Bravo for my employees! This looks like a classic phishing scam. I am very disappointed with Citrix for how they've handled this issue.

Joe Moore

  • 2 Posts
  • 2 Reply Likes
Citrix really screwed the pooch on this one. Everyone thinks these emails are phishing emails and it's costing IT resource time to get everyone settled down. If I were a hacker I'd be sending out similar emails right now. I still tell our folks not to click the link and just go to the ShareFile login and use forgot password. All that would have been needed was an advanced notification that all passwords would be reset on a particular date and to use the forgot password link on the login page. What a mess caused by what should be an experienced IT company.