In the week of Black Friday, one of the busiest days of the shopping year, online retailing giant Amazon has reportedly begun forcibly resetting some users’ passwords over concerns about a password breach.
Some users received an email saying that their passwords had been reset, while others were notified through the site’s account message center, according to ZDNet. The email claimed that the company had “recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party”.
The messages said that there was “no reason” to believe passwords had been disclosed to a third party, but the action was precautionary.
Other than what has been reported, there is little information on why Amazon has performed the reset and issued a warning to users. Speaking to Naked Security, Amazon’s press office said that there was no more information on the issue at the time of writing. If that changes, we will update this article.
Even if you haven’t received an alert from Amazon, out of an abundance of caution it’s worth considering resetting your password there and on any other account where you’ve used the same password (but you wouldn’t do that, would you?).
Remember the rule: one site, one password, and make sure you always pick a proper, secure one.
We reported last year that the average person has 19 passwords – and a third struggle to remember the stronger passwords. If you find it hard to remember them all, consider using a password manager to keep all your secure passwords in one place.
It always pays to be cautious about phishing messages, and there is a chance that attackers may pounce on this opportunity to get Amazon users to click on rogue email links. So make sure you don’t click on links in any unexpected emails – far better to go straight to the Amazon site and change your password there.
The breach reports follow news last week that Amazon is enabling two-step verification, allowing users to log in via a one-time password sent to their phone, or by using an authenticator app.
This is a positive move by Amazon, and sees it follow other online retailers such as Apple, eBay and Facebook in offering this extra layer of security.
However, according to twofactorauth.org, many online retailers and other websites have a distinct lack of two-factor offerings.
If the sites you use offer any form of two-factor authentication, make sure you turn it on. It makes it a lot harder for any potential crook to get into your account, because they need a second level of authentication (such as a text message or app on your phone) as well as your login credentials.
Image of Amazon boxes courtesy of Joe Ravi / Shutterstock.com.
Simon Le Pine
The trick I use for 1 site:1 password is something like:
abcAmazon123! – Amazon
abcFacebook123! – Facebook
It ensures each site has a unique password yet they are all easily remembered.
Paul Ducklin
Not too much variety or unpredictability in doing that:
https://nakedsecurity.sophos.com/2015/11/24/here-comes-black-friday-but-how-good-are-your-passwords
William S
Go beyond that rule of ‘One Site – One Password’ by also using unique usernames for each site.
Anonymous
Amazon or one of its associated parties has been hacked or something weird is going on. I had 8 fraudulent charges on my credit card and e-mails of orders from Amazon that weren’t done by me. I was locked out of my account as well. This happened the evening of 26 November 2015.
oso
While attempting to straighten out an issue with a customer service rep (very helpful), it necessitated 5 codes be sent to me via the two-step verification—none of them were correct according to Amazon. HuH? IF Amazon isn’t generating the code THEN WHO THE PHUG is? Amazon couldn’t get into my account. Weird. Strange. Man in the middle? They seemed unconcerned and told me someone would get back to me within an hour – it’s been 4.
Very scary. They need to call in LEO’s.
James S
I did not receive an email, but it appears it could possibly have been more than just passwords. On the 30th someone tried charging $99.99 to somewhere I have never heard of and my bank caught it, called me and closed that card. Amazon was the last place I used my card and I have run thorough virus/malware checks and nothing found on my end.