ZDNet has reported that it has been sent a number of complaints from readers claiming to have received an email from Amazon saying that the company has reset their account passwords.
ZDNet also says that the message was also sent to its account message center on Amazon.com, and Amazon.co.uk, therefore they could confirm that the message is genuine.
It is not unusual for web companies to force resets to customers’ user accounts in response to a suspected compromise of their systems. However in this case Amazon is making no indication of any security breach, instead claiming that it: "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party."
Amazon says that it has "no reason" to believe passwords were improperly disclosed to a third party but have issued a temporary password out of an "abundance of caution” and have subsequently resolved the issue.
Amazon adds, "We have corrected the issue to prevent this exposure."
This is not the first time, or the last, that these kinds of force-reset password emails have been sent out. One specific example previously was when Amazon detected usernames and passwords available on the internet that matched Amazon’s registered customers’ user names.
Therefore, far from feeling inconvenienced by the password resets, Amazon customers should realise that Amazon is being proactive and taking its customers’ security and privacy seriously.
Mark Stollery, Managing Consultant, Enterprise and Cyber Security UK & I at Fujitsu:
“Another day, another security incident – this time Amazon is in the spotlight. The company is both an iconic global brand (so a prestigious scalp for amateur hackers) and a massive retail operator (so a mouth-watering repository of customers’ exploitable details for greedy criminals). It has therefore never been a question of whether Amazon would suffer a major cyber-attack, but when. This latest incident changes nothing and is just a reminder that cyber-attacks are a fact of daily life for today’s online businesses.
"The password reset is a sensible measure, even if it causes short-term nuisance. A future attack might be successful, as 100 per cent security is impossible, but Amazon is reducing its vulnerability by proving that it can spot suspicious incidents and deal with them swiftly. Research from Fujitsu indicates that only 9 per cent of UK consumers believe organisations are doing enough to protect their data, so Amazon and others will need to continually demonstrate their cyber security competence if they are to keep the trust of their customers.
"Because of the pervasive attempts by criminals to steal online data, it is vital that organisations take a proactive approach, as Amazon appears to have done in this case. They must focus on reacting quickly when a breach occurs, and must have well-rehearsed plans in place to understand what happened, minimise the impact, communicate clearly with their customers and restore normal operations as soon as possible."
Keith Graham CTO of SecureAuth:
“Amazon force-resetting some of its UK users’ accounts due to fears of a password leak is yet another nail in the coffin for businesses who continue to only rely on traditional username and password authentication.
"Organisations must strengthen their defenses against cyber adversaries by employing cutting edge adaptive authentication. By layering multiple methods such as, device recognition, analysis of the physical location of the user, or even by using behavioural biometrics to continually verify the true identity of the end user, not only will the customer maintain a simple user experience, it also makes stolen credentials ineffective.
"Individuals affected by this notification and those looking to improve their personal cybersecurity posture should be both vigilant and proactive about protecting their identities. This includes steering clear of password reuse across multiple sites and adopting a password manager to allow for extremely complex passwords."