
New password needed?


Guest

Today I got an email from admin@emby.media saying I need to change my password for security reasons. My email app tells me this message might be a scam. Does anyone know whether this is genuine or not? Neither on the Emby website nor in the forum could I find information on this issue.


  • Solution
GrimReaper
14 minutes ago, Flip said:

My email app tells me this message might be a scam.

It is not.

14 minutes ago, Flip said:

Does anyone know whether this is genuine or not?

It is, as a preventive measure, for example if you haven't logged in within a certain time period and have fewer than a certain number of posts.

14 minutes ago, Flip said:

Neither on the Emby website nor in the forum could I find information on this issue.

@Abobader, maybe an announcement?

  • Like 2

I am relieved that the email is genuine. Nevertheless, I didn't click the link in it; I went to the site itself to change my password. Your suggestion that I haven't logged in for quite some time is correct. The last time must have been a few months ago, and I haven't posted anything since. Thanks for your quick answer.


rbjtech
1 hour ago, Flip said:

I am relieved that the email is genuine. Nevertheless, I didn't click the link in it; I went to the site itself to change my password.

Great security behaviour - if you are not expecting an email, then it's the #1 thing to do - go to the site independently, ideally on a different network connection to where you got the message. 👍

  • Like 1

4 minutes ago, LostBenji said:

Sending an unexpected email with a direct password reset link..... Who on earth thought that was a great idea?  FAIL!

My thoughts exactly.


So an email sent from the Emby domain requesting that you change your password is the incorrect action to take? OK, next time we will send you that on Twitter.

  • Like 1

3 minutes ago, Abobader said:

So an email sent from the Emby domain requesting that you change your password is the incorrect action to take? OK, next time we will send you that on Twitter.

I think the issue is the link in the email. If the email had just said the existing password had been disabled due to inactivity and that a password reset via the site would restore access, that would be better security and would inform the user why the account was disabled. I thought someone had got hold of my password or something.

  • Agree 2

rbjtech
Just now, antpk said:

I think the issue is the link in the email. If the email had just said the existing password had been disabled due to inactivity and that a password reset via the site would restore access, that would be better security and would inform the user why the account was disabled. I thought someone had got hold of my password or something.

Agreed - disabling the account and forcing a password change at next login (if at all - remember these are dormant accounts, the user is highly unlikely to even read the email..) - this is the usual protocol here.


3 minutes ago, Abobader said:

So an email sent from the Emby domain requesting that you change your password is the incorrect action to take? OK, next time we will send you that on Twitter.

"Next time we send it via Twitter" is a bullshit remark. Sorry about that, but maybe you'd better think 30 seconds before hitting the send button.

The only line that email contains is:

"For security reasons, the administrator of Emby Community has required you to reset your password."

And when the email is marked as a possible scam..... An email, okay. But just one line, and a button to click on, that is not the way to inform users properly. And you may want to check the DNS settings of your mail server.


rbjtech
2 minutes ago, Flip said:

And you may want to check the DNS settings of your mail server.

SPF... 


For all:

First, our DNS is correct. If for whatever reason any email from our domain is flagged as spam by your provider, you should report that to us so we can work with them to clear the matter.

Second, the password reset email content is the default email from our forum software, not a custom one. Yes, we should make a nice custom one; we have noted this, and thanks for the suggestion.

Third and most important, your account security is very important to us.

Thanks all.

  • Like 2

boggy4062
49 minutes ago, Flip said:

My thoughts exactly.

I am going to disagree here.

If one uses (and EVERYBODY should) any decent password manager, it will verify that the web page is legit. If you are VERY paranoid, you could use an isolated browser in a KASM environment. I did think that this was a phishing email, so I did look at the raw message. It looked kosher, so I opened the link. The admin of this domain practices very good email habits. The email wasn't rejected, as all the necessary DKIM, SPF and DMARC records have been generated and verified. There are much bigger operators who still fail this basic safety check.

Having said that, it is very encouraging to see that more and more people are aware of phishing attacks (both users and website admins).  Small price to pay.

Also, I have this dream, that one day websites and users will implement email digital S/MIME signatures. They still are unreasonably expensive IMHO, but this is one more way to stop the crooks in their tracks. 

  • Like 1
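The raw-message check boggy4062 describes, as an added example that is not code from this thread or from Emby: it reads the Authentication-Results header that your own receiving mail server added and checks that an SPF or DKIM pass is aligned with the visible From domain, which is what DMARC actually verifies. Both messages and the mx.example.net server name are constructed; the second is a message whose From claims emby.media while the authenticated identifiers do not back it up.

```python
import email
import re
from email import policy

# Constructed sample messages (not real Emby mail): the Authentication-Results
# header is what a receiving server records after its own SPF/DKIM/DMARC checks.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=emby.media;
 dkim=pass header.d=emby.media header.s=selector1;
 dmarc=pass header.from=emby.media
From: Emby Community <admin@emby.media>

For security reasons, the administrator has required you to reset your password.
"""
# Same visible From, but the envelope sender and DKIM signer do not back it up.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=emby.media
From: Emby Community <admin@emby.media>

Click the button below to reset your password.
"""

def parse_auth_results(header):
    """Map each method in an Authentication-Results header to (result, properties)."""
    results = {}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", " ".join(clause.split()))
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results

def check_message(raw):
    """Per-method results plus whether the From domain has an aligned SPF/DKIM pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(str(msg["Authentication-Results"]))
    spf, spf_props = auth.get("spf", ("none", {}))
    dkim, dkim_props = auth.get("dkim", ("none", {}))
    dmarc, _ = auth.get("dmarc", ("none", {}))
    # Strict DMARC alignment: the authenticated domain must equal the visible From domain.
    spf_aligned = spf == "pass" and spf_props.get("smtp.mailfrom", "").lower() == from_domain
    dkim_aligned = dkim == "pass" and dkim_props.get("header.d", "").lower() == from_domain
    return {"from_domain": from_domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
            "aligned": spf_aligned or dkim_aligned,
            "trust_headers": dmarc == "pass" and (spf_aligned or dkim_aligned)}
```

Only the Authentication-Results header stamped by your own receiving server is meaningful, since anyone can put such a header into a message before sending it; the script reads that server's verdict rather than re-verifying DKIM signatures itself. Call check_message(GENUINE) and check_message(SPOOFED) to compare the two verdicts.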

pwhodges
1 hour ago, Abobader said:

if for whatever reason any email from our domain is flagged as spam by your provider, you should report that to us so we can work with them to clear the matter.

That's what this thread is already about.  In this specific case, one of the triggers for spam detection is a link in a mail with little text; that is not a test that they will "work with you" to remove - changing the way the email is set up is the way to go.

Paul


sleeplessone

Third and most important, your account security is very important to us.

If account security was important then you wouldn't be making people reset their passwords at random, and you would offer 2FA on the accounts.  The only reason to make someone reset their password is because either your site was compromised or because you use a service like the Have I Been Pwned API and validate against already compromised passwords.


Mnejing

I've had Google flag Google-sent e-mails about resetting a Google password as suspicious. It's a paranoid false-positive. It's default behavior to protect people who otherwise have no idea what's going on. I understand and applaud you going to the website directly instead of the link (I do the same), but this isn't the right way of going about it.

The correct course here is, I think, the one proposed already. The forum software sent out a basic form e-mail, that wasn't customized for Emby proper. It's been mentioned as something they want to fix.

It is, however, amusing to see people get up in arms about poor security because the team tried to warn you about security. Even worse, it's because people were re-using passwords....

Seriously, the e-mail could have been better, but people getting mad at the Emby team for trying to keep the forums secure by sending a password reset to potentially abusable accounts is absolutely incredible. People just want to be outraged by something, I guess.

  • Like 1
  • Thanks 1

akira6968
7 hours ago, Abobader said:

So an email sent from the Emby domain requesting that you change your password is the incorrect action to take? OK, next time we will send you that on Twitter.

I appreciate the easy reset button. I checked the "from" email, googled "emby community" and it was a match. Clicked the button, still a match = good to go 👌🏻

  • Thanks 1

9 hours ago, Abobader said:

So an email sent from the Emby domain requesting that you change your password is the incorrect action to take? OK, next time we will send you that on Twitter.

So, here's the problem.  Domain spoofing is easy, and I couldn't find any support articles listing that this 'password push' is done.  Understand why people are wondering why they're getting this all of a sudden?  Cut the passive aggressive BS to boot.  You're only going to piss people off like what happened with the PLEX community when they decided to go with the "You'll like our UI redesign and suck it." 

Next, an email saying "an administrator ..." that sets off a bunch of red flags for anyone who takes infosec even at a basic level.  My first thought was, oh great, they were compromised and didn't tell anybody.  My next thought was, I wonder what they're using to salt and hash their databases, and hopefully it's not a SCOMF-style weaselly worded bullshit about how security is our job, like every other breach.  My last thought was, I really hope that the admin accounts weren't compromised. Like we've seen happen in Fortune 250 companies in the last 10 years.


7 hours ago, pwhodges said:

That's what this thread is already about.  In this specific case, one of the triggers for spam detection is a link in a mail with little text; that is not a test that they will "work with you" to remove - changing the way the email is set up is the way to go.

That's right, but we actually used this option once, last night, as we explain in the announcement thread in the forum why we forced this.

7 hours ago, sleeplessone said:

If account security was important then you wouldn't be making people reset their passwords at random and you would offer 2FA on the accounts.

As I explained above, the problem is mostly the "member" group: 0 posts, and many are coming from Emby Connect; they hardly consider the community forum, browsing it only from time to time.

To All:

Again, it is not Emby Community accounts that are the issue; other sites have been breached, and many users use the same user/email/password everywhere. As we noticed lately, spammer groups have been using these old accounts, mostly with 0 posts, for spamming.

I read some replies here and there, and also from those here who ended up requesting account removal as they do not use their accounts anymore; that is fine indeed.

Again, we maintain that our action was correct, so please let's move on, and thanks.

  • Like 2

There's a really simple answer to this:  Be clearer on policies, especially account policies with zero user posts.  90-day pre warning email?  It's that simple.  


On 1/16/2023 at 2:25 PM, Guest said:

I am relieved that the email is genuine. Nevertheless, I didn't click the link in it; I went to the site itself to change my password. Your suggestion that I haven't logged in for quite some time is correct. The last time must have been a few months ago, and I haven't posted anything since. Thanks for your quick answer.

I did the same as you when I received the email, it's good practice for any email you receive from any service you subscribe to. Never trust emails asking for password change unless you have initiated the change yourself.


simonmason

I am going to use this thread to expand the question of Emby Connect vs direct login.  All of my family users around the world find Emby Connect confusing.  All of them have one Emby server that they connect to - mine, and are never going to connect to another one or access this forum.  So am I better off issuing them passwords through the user setup panel and telling them to ignore Emby Connect?  Thanks.


GrimReaper
4 minutes ago, simonmason said:

I am going to use this thread to expand the question of Emby Connect vs direct login.  All of my family users around the world find Emby Connect confusing.  All of them have one Emby server that they connect to - mine, and are never going to connect to another one or access this forum.  So am I better off issuing them passwords through the user setup panel and telling them to ignore Emby Connect?  Thanks.

Do you have static IP/domain/DDNS or your external IP changes?


brida9963
On 1/16/2023 at 4:27 PM, boggy4062 said:

ishing email, so I did look at the raw message. It looked kosher, so I opened the link. The admin of this domain practices very good email habits. The email wasn't rejected, as all the necessary DKIM, SPF

I got it today also, came here and changed my password, not a big deal but being in IT it is always suspicious to receive an unsolicited email to change your password, especially one with little info in it.


clandestine8

Glad to hear your community wasn't hacked!

Agree with everyone else. I myself came to the site to check if the old password worked and reset manually. 
