Tuesday, October 11, 2016

Amazon joins the password merry-go-round

Like many companies, Amazon.com regularly looks for evidence that its customers' usernames and passwords have been exposed. The company apparently discovered a trove of usernames and passwords recently, and is resetting some passwords as a precaution.

The company has not said how many accounts are affected, nor where it found the user details; the only thing it has said is that the list was not Amazon-related. This could mean it was a list of usernames and passwords stolen from a completely unrelated site, in which some of the people listed had reused the same password at Amazon.

The details are almost identical to reports from about 6 months ago of a similar incident: Amazon reset some users' passwords after a list of names and passwords was found online. The list was not for Amazon accounts, but the account owners had used the same passwords for their Amazon accounts. Go back a year, and the same scenario played out yet again.

What should you do?

First, don't panic. There is no indication that Amazon.com has been hacked. Rather, Amazon does an excellent job of searching for breaches elsewhere and identifying customers who used the same password at Amazon.

  1. There is no harm whatsoever in changing your Amazon.com password just to be safe, even if you have not received a notice from the company.
     
  2. More important, make sure your Amazon password (and every other password you have) is long and is not reused anywhere else. If the same password is used everywhere, one stolen password gives an attacker access to all of your accounts. A stolen password that unlocks only a single account is far less damaging.
     
  3. If you do receive an email that appears to be from Amazon, don't click the password reset link in the email! While I haven't seen any examples specific to Amazon, fraudsters love to imitate a well-known service and claim your account is in jeopardy. In this example from last year, scammers sent a phishing email pretending that something was amiss with your Apple ID. When you click the link and "verify your information," though, you are instead handing the hacker your information so they can log in as you.

    What to do instead?

    Go directly to Amazon.com, and change your password there.
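For the technically curious, here is what the "searching for breaches elsewhere" step and the password-reuse problem look like in code. This is an added illustration, not Amazon's code and not anything from the original post: it assumes a site that stores salted PBKDF2 password hashes (`hash_password` / `verify_password` are hypothetical names) and a leaked list of email/password pairs from some unrelated site. Both the leaked list and the user table below are constructed sample data. A match on the stored hash means that person reused the leaked password, and that account is the one to reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample "breach dump" from an unrelated site: (email, plaintext password).
# Real dumps are often plaintext or weakly hashed, which is why they are so dangerous.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("Dave@Example.com", "letmein"),
]

# Work factor for PBKDF2-HMAC-SHA256; chosen low enough to keep this demo quick.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is used if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user table for the site doing the checking (think Amazon).

    Alice and Dave reused the password that leaked elsewhere; Bob chose a different
    one; Carol has no account here; Erin never appeared in the leak at all.
    """
    plaintext = {
        "alice@example.com": "Summer2016!",
        "bob@example.com": "a-different-password",
        "dave@example.com": "letmein",
        "erin@example.com": "unrelated-password",
    }
    return {email: hash_password(pw) for email, pw in plaintext.items()}


def find_reused_credentials(
    user_store: Dict[str, Tuple[bytes, bytes]],
    leaked: List[Tuple[str, str]],
) -> List[str]:
    """Return the accounts whose current password equals the one leaked elsewhere.

    Only accounts that exist locally AND whose stored hash verifies against the
    leaked plaintext are flagged; a leaked password that was not reused is harmless here.
    """
    flagged = set()
    for email, leaked_pw in leaked:
        key = email.strip().lower()          # normalise so "Dave@Example.com" still matches
        record = user_store.get(key)
        if record is None:
            continue                          # not our customer; nothing to reset
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    store = build_user_store()
    for account in find_reused_credentials(store, LEAKED_CREDENTIALS):
        print(f"force password reset for {account}")
```

Two things worth noticing: the site never needs to know whether the leak came from Amazon or anywhere else, only whether the leaked password opens one of its own accounts; and because only Alice and Dave reused their passwords, only they get the reset email. Bob's leaked password is useless against this site, which is precisely the point of item 2 above.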

If you received a phishing email imitating Amazon, I'd love to have an example to add to this story. I'll gladly credit you, or keep you anonymous, as you wish!
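As an added illustration of the advice in item 3 (not code from the original post), the script below pulls every link out of a constructed sample email that claims to come from Amazon and reports any link whose real destination is not actually under amazon.com. The sample HTML, the lookalike domains in it, and the function names are all made up for the example; the checks cover the common tricks of a brand name buried in a longer hostname, a `user@host` URL where the part before `@` is decoration, and internationalised (punycode) lookalike labels.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the HTML body of an email that claims to be from Amazon.
# Only the first link really goes to amazon.com; the rest use classic phishing tricks.
SAMPLE_EMAIL_HTML = """
<p>We found your password in a list online. Please verify your account.</p>
<a href="https://www.amazon.com/ap/forgotpassword">Reset your password</a><br>
<a href="http://amazon.com.account-verify.example/reset">https://www.amazon.com/reset</a><br>
<a href="https://www.amazon.com@evil.example/login">www.amazon.com</a><br>
<a href="https://www.xn--amazn-6ta.com/">amazon.com</a><br>
<a href="javascript:void(0)">Verify now</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_reason(href: str, trusted_domain: str = "amazon.com") -> Optional[str]:
    """Return why a link is suspect for an email claiming to be from trusted_domain, or None if it is fine."""
    parts = urlsplit(href)
    # urlsplit resolves the "https://www.amazon.com@evil.example" trick correctly:
    # everything before '@' is userinfo, and the real host is evil.example.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "no web destination (scheme %r)" % parts.scheme
    if any(label.startswith("xn--") for label in host.split(".")):
        return "internationalised (punycode) hostname %s, possible lookalike" % host
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        return "real destination is %s, not %s" % (host, trusted_domain)
    return None


def check_email_links(html: str, trusted_domain: str = "amazon.com") -> List[Tuple[str, str, str]]:
    """Return (href, visible text, reason) for every link that does not really go to trusted_domain."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reason = suspicious_reason(href, trusted_domain)
        if reason is not None:
            findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_email_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The second link is the one that fools people most often: the visible text is a perfectly good amazon.com URL, but the `href` behind it goes somewhere else entirely. That is exactly why the safe move is to skip the link and type Amazon.com into the browser yourself.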

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.