
Tesla security issue

As a warning to everyone...


I am not sure if the following is legitimate, but it feels wrong and worth sharing.


I received an email from someone this morning claiming that I wanted to join a Facebook Tesla group, and should follow a link and enter my Tesla password as log in. (paste from email below).


This feels like a really really bad idea. Surely as soon as you release the username and password anyone can install the app, and then track your car, unlock it, start it, and take it!!


Apple get a lot of bad press for hacking, which is actually people cracking or guessing passwords and accessing photo streams, so there is extra authentication added to the process. I would hate for Tesla to get the bad publicity, and there is no device authentication used.


Sorry if this is a legitimate email and Facebook group, but it feels like we should be really careful with the username and password!!!!!!!! So that is worth repeating :)




{You have requested to join the Tesla Owners Group on Facebook. Only Bona Fide owners and reservation holders can become members of the group so please visit http://l.facebook.com/l/jAQFNm4d0AQGKnfMnXjh4a1D2a5fwGiUtAiGkXqhwk4PWCg/my.teslamotors.com/en_GB/forum/forums/joining-facebook-owners-group and follow the instructions to get your request to join approved.


The login for the forum is also the login for your Tesla Reservation page on My Tesla, simply use the same login email and password to be able to comment on the thread.}
 
Luke is correct. You've received a phishing e-mail. Facebook never sends out requests like that. Best practice is to always go to the official Facebook/Bank/Tesla/etc. site and log in. Many phishing emails look legitimate (displaying the full headers can show you where the email comes from, but you have to know how to read them). Never trust the From: address because those are easily forged.
 
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................... wow.

Either this thread isn't real, or the OP is 60+ with absolutely no experience whatsoever with the internet / email. Who buys a $100,000 car and then gives some random person in your email your account number and password?? I'm sorry but you deserve to lose everything.
 
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................... wow.

Either this thread isn't real, or the OP is 60+ with absolutely no experience whatsoever with the internet / email. Who buys a $100,000 car and then gives some random person in your email your account number and password?? I'm sorry but you deserve to lose everything.

What if he is 60+ and/or isn't all that up to date on phishing scams? Does he still "deserve to lose everything"? I work with a LOT of very smart and successful people (under 60) who don't know much about computers at all. It actually amazes me. But I don't think they deserve to be scammed...
 
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................... wow.

Either this thread isn't real, or the OP is 60+ with absolutely no experience whatsoever with the internet / email. Who buys a $100,000 car and then gives some random person in your email your account number and password?? I'm sorry but you deserve to lose everything.
Don't blame the victim. Phishing happens because it works.
Mod note- perhaps change the title to something like "Beware Tesla phishing emails"
 
Either this thread isn't real, or the OP is 60+ with absolutely no experience whatsoever with the internet / email. Who buys a $100,000 car and then gives some random person in your email your account number and password?? I'm sorry but you deserve to lose everything.

Perhaps a re-read of the OP's message would be helpful.

And who says there isn't humor on the internet?

:)
 
To the OP: never give your Tesla Motors account login information to anyone. You are the only person who needs to know it. Tesla of course also knows it so there is never a need to give it to Tesla. All other requests for that information should be ignored.

And yes, if you have a spouse who also drives your Tesla they can have it if you wish to provide it, but they don't need to know it to drive the car.
 
Yes, that is why I posted it....there are people out there...not me...who will give out all sorts of personal info if an email, call or visitor sounds legitimate. So it felt like the right thing to do to lift the profile of this risk.

As it turns out the email appears legitimate although badly written, and was not actually trying to get my info, but to prove I had a Tesla by asking for communication with them via the tesla owners forum.

So...my message still stands never give out your username and password!!!! Oh and Tesla, perhaps this system needs to be more robust, a simple username and password is not much to protect a £100k car.
 
So...my message still stands never give out your username and password!!!! Oh and Tesla, perhaps this system needs to be more robust, a simple username and password is not much to protect a £100k car.

True. You should use a complex password and store it encrypted. The fly in the ointment is that Tesla expires the password and logs you out without warning. Not so bad if you are at home, but if you are on a trip or really need the App to start your car it's not good (no one, including me, memorizes complex passwords). However, hope is on the horizon:

"Thank You for contacting Tesla Motors Technical Support. We can appreciate your input on the mobile applications limits. The two week notification for the password change seems like a great idea. I will go ahead and create a feature request for this immediately."
 
This is not a malicious or phishing email, though I can see how it looks a little bit suspect.

The link you have been sent is a link to a conversation on the teslamotors.com forum. For some reason it's wrapped inside a Facebook link redirector but ultimately it takes you to Joining the Facebook Owners Group | Forums | Tesla Motors

The instruction to "log in with the same username and password you use for your My Tesla account" is telling you how to log in and add a comment to that thread on the TM forums (for which you do indeed need to use the same password you use with your app).

The way you get approved to join the UK Tesla Motors FB group is by commenting on that thread on the teslamotors.com site (so the only place you type this password in is on a TM webpage).

So while it sounds suspicious, it is in fact most likely a completely genuine request to you to verify that you are a reservation holder/owner.

I will let the guy who runs the UK FB group know that this email is being misconstrued!
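The check described in the post above, as an added example that is not part of the original thread: it unwraps a Facebook link-redirector URL and tests whether the real destination host belongs to the expected domain. It goes slightly beyond the quoted link by also handling the `l.php?u=` form of the redirector; the trusted-domain list and the lookalike sample are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SHIM_HOSTS = {"l.facebook.com", "lm.facebook.com"}  # Facebook link redirector hosts
TRUSTED = ("teslamotors.com",)  # assumption: the only domain that should ever see the password

# The wrapped link quoted in the original post.
PAGE_LINK = ("http://l.facebook.com/l/jAQFNm4d0AQGKnfMnXjh4a1D2a5fwGiUtAiGkXqhwk4PWCg/"
             "my.teslamotors.com/en_GB/forum/forums/joining-facebook-owners-group")
# Constructed sample: a lookalike host that merely starts with the trusted name.
LOOKALIKE = "http://l.facebook.com/l/TOKEN/my.teslamotors.com.login.example/en_GB/forum"

def destination_host(url):
    """Return the host a link finally points at, looking through the redirector."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in SHIM_HOSTS:
        return host
    query = parse_qs(parts.query)
    if "u" in query:                      # l.php?u=<percent-encoded destination>
        inner = query["u"][0]
    else:                                 # /l/<token>/<host>/<path>, as in the post
        segs = parts.path.split("/", 3)
        if len(segs) != 4 or segs[1] != "l" or not segs[3]:
            raise ValueError("unrecognised redirector URL: " + url)
        inner = "//" + segs[3]            # scheme-less so urlsplit parses the host
    return (urlsplit(inner).hostname or "").lower()

def is_trusted(host):
    """Exact match or a true subdomain; a prefix match is not enough."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_link(url):
    host = destination_host(url)
    return host, is_trusted(host)

if __name__ == "__main__":
    for link in (PAGE_LINK, LOOKALIKE):
        print(check_link(link))
```

Comparing on the parsed hostname rather than searching the URL string is what keeps a lookalike host or a `user@host` trick from passing the check.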
 
Never enter your Tesla user/pass on any sites except teslamotors.com or the official iOS/android app, ever! (Only exception perhaps verified safe apps like visibletesla)

Did anybody even read the OP's post?

The post simply asks you to enter your Tesla username and password at teslamotors.com in order to make a post on the Forum hosted by ... wait for it... teslamotors.com.

A lot of people don't know about that forum and don't know how to log into it.


So take precautions and don't click on links - rather type in teslamotors.com directly in the browser. But if you don't trust teslamotors.com with your teslamotors.com username/password, then how did you buy the car in the first place...?
 
So while it sounds suspicious, it is in fact most likely a completely genuine request to you to verify that you are a reservation holder/owner.

But it doesn't even do that! All that does is prove you created an account on Teslamotors.com. There's no validation or proof anyone that logs into the forums is an owner or reservation holder. I had a TM account long before I bought my car.
 
But it doesn't even do that! All that does is prove you created an account on Teslamotors.com. There's no validation or proof anyone that logs into the forums is an owner or reservation holder. I had a TM account long before I bought my car.

If it's a thread that's marked private, only reservation holders and owners can post. Was typically used to try to weed out "trolls" complaining about cars they didn't actually own.

 
True. You should use a complex password and store it encrypted. The fly in the ointment is that Tesla expires the password and logs you out without warning. Not so bad if you are at home, but if you are on a trip or really need the App to start your car it's not good (no one, including me, memorizes complex passwords). However, hope is on the horizon:

"Thank You for contacting Tesla Motors Technical Support. We can appreciate your input on the mobile applications limits. The two week notification for the password change seems like a great idea. I will go ahead and create a feature request for this immediately."

Jerry - have a look at lastpass from lastpass.com. Create and store different random very complex passwords for any web page (and some apps) .. the free version is for PC only and has ads, however the licensed version at 12 USD a year includes all mobile devices and is ad-free. Free version however is good enough to play with for a bit and then when you see the value it's easily worth the 12 USD a year .. I can confirm it works with the Tesla App on android

I am not associated with lastpass in any way, just as a happy user
 
I'd throw in a vote for 1Password as well. Amazing program and for Mac and PC. Syncs to your phone so you always have your passwords with you. iOS version uses TouchID if you have a newer iPhone.