Phishing attempt from entity purporting to be TiVo

Discussion in 'TiVo Coffee House - TiVo Discussion' started by jlb, Mar 18, 2020.

  1. jlb

    jlb Go Pats!

    9,069
    330
    Dec 13, 2001
    Burlington, VT
    OK, so TiVo confirmed that I overreacted.

    I still don’t understand this though?

    Prior to last night I had a 20char password. Out of an abundance of caution I had changed it but the system only seemed to allow 16. Can anyone else consider changing theirs and seeing what the system will allow you?

    I did ask the same question of TiVo twitter support. We shall see if they send an answer to that.



    Sent from my iPhone using Tapatalk
     
  2. jlb

    jlb Go Pats!

    9,069
    330
    Dec 13, 2001
    Burlington, VT
    Ugh, in response to my asking about why it only allows me to use 16 char now I get this:


    When creating or changing password, following are the only password requirements:
    1. Special characters will not be accepted as a first character.
    2. The first character in the password cannot be a question mark or a digit.
    3. The first three characters in the password must be different.
    4. The password must contain at least 1 letter and 1 number.
    5. The password should be unique from the Username.


    Sent from my iPhone using Tapatalk
     
  3. nrc

    nrc Cracker Soul

    2,485
    26
    Nov 17, 1999
    Living in a...
    I got the same response from TiVo. The problem is that sending out emails with links asking people to set a password looks exactly like a phishing attack. It's bad practice. They shouldn't be doing it, so testing it makes no sense. Likewise, leaving the sender set to example.com is amateurish even in a test.

    TiVo hasn't used store.tivo.com in ages, but they have the domain redirected to Magento cloud. I don't see any sign that they're using that, so my assumption was that it was old and abandoned. It's entirely possible that site could have been compromised either way.

    Maybe they're working on moving their store to Magento cloud and moving it back to store.tivo.com in the process. But if they're thinking about doing something as stupid as sending out mass emails for people to set passwords, it would be bad on two fronts.

    First it would be stupid because it looks like phishing. Second, it would suggest that they're segmenting the retail business so hard that the store won't even have access to the existing accounts.
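
The two signals raised in this post (a sender left at a reserved test domain such as example.com, and links whose host falls outside the brand's own domain) can be checked mechanically. The following is an added example, not part of the thread and not TiVo's code; the function names, the `tivo.com` brand domain parameter and the sample message (including its link path) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Names reserved for documentation and testing (RFC 2606 / RFC 6761).
RESERVED_DOMAINS = ("example.com", "example.net", "example.org")
RESERVED_TLDS = ("test", "example", "invalid", "localhost")

def under(domain, parent):
    # True if domain equals parent or is a subdomain of it.
    domain = domain.lower().rstrip(".")
    return domain == parent or domain.endswith("." + parent)

def is_reserved(domain):
    return any(under(domain, d) for d in RESERVED_DOMAINS + RESERVED_TLDS)

def review_message(raw, brand_domain):
    """List reasons a message claiming to be from brand_domain looks wrong."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2] if "@" in sender else ""
    if not sender_domain:
        findings.append("no parsable From address")
    elif is_reserved(sender_domain):
        findings.append(f"From domain {sender_domain} is a reserved test name")
    elif not under(sender_domain, brand_domain):
        findings.append(f"From domain {sender_domain} is outside {brand_domain}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            host = urlparse(url).hostname or ""
            if not under(host, brand_domain):
                findings.append(f"link host {host} is outside {brand_domain}")
    return findings

# Constructed sample, not the actual message discussed in this thread.
SAMPLE = """\
From: TiVo <noreply@example.com>
To: subscriber@mail.test
Subject: Set your password
Content-Type: text/plain; charset=utf-8

Set a password for your account:
https://store.tivo.com/set-password
"""
```

The link check is static: it compares host names only and does not follow redirects, so a brand-owned host that redirects to a third-party platform is not flagged.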
     
  4. dishrich

    dishrich Active Member

    944
    70
    Jan 16, 2002
    Springfield, IL
    That @example (still) looked fishy to me, so I marked it spam accordingly...
     
  5. ashipkowski

    ashipkowski Member

    45
    17
    Oct 7, 2008
    Having seen this thread and reset my password before running through the whole thing, I was a bit surprised when none of these requirements were shown and I had to run my random password generator multiple times to get something acceptable to it. It even told me 'no # character allowed in password' at one point -- it was not in the first position, either. Felt like the world's silliest game of Mao.
     
  6. pfiagra

    pfiagra Well-Known Member

    788
    258
    Oct 13, 2014
    Gmail threw it into Spam for me.
     
  7. unclehonkey

    unclehonkey Well-Known Member

    2,087
    1,470
    Dec 20, 2012
    Mankato, MN
    Yahoo threw it into the spam folder too.
     
  8. Mikeguy

    Mikeguy Well-Known Member

    27,636
    9,195
    Jul 28, 2005
    Just to mention: you did not overreact. :up:
     
    mrsean and jlb like this.
  9. lstone19

    lstone19 Member

    45
    3
    Mar 28, 2003
    Agreed. You did not overreact; TiVo has under-reacted by not sending any kind of "Oops, we goofed" follow-up. For those of us with well above average understanding of email who carefully looked beneath the surface of the email, it was fairly apparent (but not certain) that it was an errant test email. But for the vast majority, to whom we keep trying to hammer home the message of being alert for phishing emails, it had many of the characteristics of phishing emails. Unfortunately, there seem to be far too many businesses that, when told their email looked like a phishing email, just respond with "you overreacted - of course it wasn't a phishing email since it was from us" (phishing emails, done "well", are, of course, supposed to look like they're from the business).
     
    KDeFlane and mrsean like this.
  10. jlb

    jlb Go Pats!

    9,069
    330
    Dec 13, 2001
    Burlington, VT
    Thanks for the moral support guys! :)
     