So, assuming this is legit, it's good of them to let customers know about the potential problem, though it would have been nice if they'd included a bit more detail on the malware in question. But they obviously have very little clue about how to handle this sort of thing.
The email they sent was mailed from mail17c.mkt030.com, and the return address is firstname.lastname@example.org. Links in the mail go to links.mkt030.com. That may be a legit bulk mailing company, but who knows?
They have a mechanism in place to deliver messages via the web site after you log in, so I check that; no copy of the message there, and no info on the site about the breach.
I go look up their customer service 888 number and call that; it's already closed for the night, and the message there says nothing about the problem.
There's an 877 number in the email I got, but the only google hit for that is a copy of this very email, and the guy who answers it admits it was newly registered to deal with this problem. So, um, how do I know I'm talking to Checkfree?
The email did contain my name and the out-of-date address I have on file with them, but of course, if their site was actually hacked, that doesn't tell me anything - and that much is public record anyways.
So, it's great they sent out a timely message about their breach. But I got it on Saturday night, and it appears there's no authenticatable method of contacting them for further information until Monday.
Checkfree Corp obviously has no clue about security and social engineering. Unfortunately I'm not sure there are any better options, since most billpay sites end up using Checkfree on the back-end. Anyone have any suggestions for other sites that do bill presentment and payment for Duke Energy and AT&T that don't use Checkfree?
ETA: Here's an article about the breach. So it would seem a Checkfree employee fell prey to a phishing attack and leaked their password with Network Solutions for domain registration. And now they're sending out emails to customers that are indistinguishable from a phishing attack. That's some astounding incompetence.