I just received this letter from Amazon:
Subject: Your Amazon password has been changed

Hello,

At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list.

For your security, we have assigned a temporary password to your account. You will need to reset your password when you return to the Amazon.com site.

To reset your password, click "Your Account" at the top of any page on Amazon.com. On the Sign In page, click the "Forgot your password?" link to reach the Amazon.com Password Assistance page. After you enter your email or mobile phone number, you will receive an email containing a personalized link. Click the link from the email and follow the directions provided. Your new password will be effective immediately.

We recommend that you choose a password that you have never used with any website.

Sincerely,
Amazon.com
http://www.amazon.com
This is an example of how you do these things properly!
Firstly, they don’t provide a link to change your password. We really need to teach people not to fall for phishing attacks, and conditioning them to go directly to a site, rather than through a link embedded in an email, is good!
Secondly, they provide clear instructions on how to change your password, and detail the steps you need to follow, and what will happen at each step.
Lastly, they give people a nudge to change other sites’ passwords, just in case the user has used that same password on other sites.
The only black mark I’d give them is for including the final link directly to Amazon, simply because it gives someone something to click, and, as stated above, we really don’t want that.
Still, it’s one of the best examples I’ve received of how to do this kind of thing!
Well done, Amazon! (I’m not sure I get to say that often)