Important Security Update
Users must now manually enter their passwords or invitation codes to access review features
As part of our program of continual improvement in application security, we have implemented a mandatory security update for all accounts. Please read the information below carefully and let us know if you have questions.
Effective immediately, URLs embedded in invitation or reminder emails will no longer auto-populate a user's invitation code or password into the log-in screen when clicked. Instead, users will be required to enter their invitation codes or passwords manually. Invitation codes are, by default, displayed in the user's invitation and reminder emails, so the only extra step that most users will need to take is to type or copy the invitation code from the email into their log-in forms.
Why was this change made?
This change is in response to the growing problem posed by malicious browser extensions that secretly steal and publish users' Web site browsing history. When a URL that includes log-in information is captured by one of these browser extensions, user credentials can be compromised. While embedding log-in information was a valued convenience for our customers, we have decided that the potential for problems is too great, and have disabled this feature.
While we normally strive to provide advance notice of changes that affect functionality, this update was classified as a security enhancement and was given the highest priority. We have not detected any corruption or loss of data as a result of this potential problem; rather, we are working quickly and proactively to keep your data safe.
What do I need to do?
Most clients will not need to take any action; we have automatically updated your rater summary invitation and reminder templates to account for the necessary changes. But please do review your next round of invitations or reminders before sending them to ensure that they contain the information below. Our apologies for any inconvenience, and please feel free to contact us if you need help.
Please be sure to INCLUDE the invitation code or password merge fields in all communications sent to your participants moving forward. As a reminder, the merge fields are below.
360 Merge Fields
Email Address: [[email]]
Invitation Code: [[targetid]] (FOR TARGETS ONLY)
Invitation Code: [[raterid]] (FOR RATERS ONLY)
Performance Review Merge Fields (for employees and managers)
Email Address: [[RTEMAIL]]
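The template review requested above can be scripted. The following is an added example, not code from the vendor: it checks a 360 invitation or reminder template for the merge fields listed on this page and flags any link that still carries an invitation code. The sample templates, the reviews.example.com host and the query-string link format are constructed assumptions.

```python
import re

# Merge fields for 360 reviews, as listed on this page.
EMAIL_FIELD = "[[email]]"
CODE_FIELDS = {"target": "[[targetid]]", "rater": "[[raterid]]"}

# Assumption: template links are plain http(s) URLs that end at
# whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def check_template(template, audience):
    """Return a list of problems in a 360 template for "target" or "rater"."""
    problems = []
    urls = URL_RE.findall(template)
    # Fields must appear in the visible text, so strip the links first.
    body = URL_RE.sub(" ", template)

    for field in (EMAIL_FIELD, CODE_FIELDS[audience]):
        if field not in body:
            problems.append(f"message text is missing {field}")

    for other, field in CODE_FIELDS.items():
        if other != audience and field in body:
            problems.append(f"{field} is for {other}s only")

    # A code merged into a link ends up in browsing history.
    for url in urls:
        for field in CODE_FIELDS.values():
            if field in url:
                problems.append(f"link carries {field}: {url}")
    return problems


# Constructed sample templates (reviews.example.com is a placeholder host).
OLD_STYLE = (
    "Please complete your review:\n"
    "https://reviews.example.com/login?email=[[email]]&code=[[raterid]]\n"
)
UPDATED = (
    "Please log in at https://reviews.example.com/login\n"
    "Email Address: [[email]]\n"
    "Invitation Code: [[raterid]]\n"
)

if __name__ == "__main__":
    for name, text in (("old style", OLD_STYLE), ("updated", UPDATED)):
        print(name, check_template(text, "rater"))
```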