Here is a copy of the email I was sent by Pandora to inform me that my account was compromised, kind of, but not really, and it was totally not their fault.
This is somewhat old news (I received this email July 6th) but the more copies of this online the better, IMO.
There are a number of things about this email that irritate me. First of all, the email is so incredibly vague that I have absolutely no idea what happened. Someone, somewhere posted my Pandora username (email address?) on the internet along with, presumably, one of the bazillion passwords associated with it. Who posted this information? Why? Where was it taken from? Was it stolen from one of Pandora's infrastructure providers?
If what Pandora implies in the email is true - that the compromise is completely unrelated to Pandora in any way - why are they sending me this email? Does Pandora scour the internet for the email addresses and account names of its many users? If Pandora had no responsibility for this breach and they sent me this message in order to be proactive to protect me - which is great - then why couldn't they be more forthcoming with detailed information? I get that many of Pandora's users are going to be non-technical, but you can include a link to a website with a comprehensive explanation of what happened or simply format the email to begin with a "tl;dr" version, followed by an exhaustive version for nerds.
There are no hard and fast rules for dealing with a compromise, but Pandora's message left me with many more questions than answers.