Amazon has reset some customers’ passwords and asked them to change them, according to reports.
Amazon says that during “routine monitoring,” it stumbled on a list of email address and password sets posted online.
Amazon isn’t the only online service to check for reused user credentials: both Facebook and Netflix prowl the internet looking for your username/password combos to show up in troves of leaked credentials.
From Amazon’s message, sent to an unknown number of customers:
While the list was not Amazon-related, we know that many customers reuse their passwords on several websites.
We believe your email address and password set was on that list. So we have taken the precaution of resetting your password.
We don’t know the size of the emails/passwords list that Amazon discovered. Nor do we know where, exactly, the credentials were found. All we know is that the drop spot wasn’t on anything Amazon-related.
There have been scads of breaches recently. The user credentials could have come from the recent LinkedIn breach, for example.
Other potential sources for the Amazon data set include the MySpace mega-breach, the Tumblr breach, or the Yahoo breach of half a billion accounts.
With each breach comes an increased chance that a reused set of login details will be discovered and potentially used by crooks to gain access to any account set up with those details.
Amazon’s advice:
Please choose a new password and do not use the same password you used with us previously.
We also highly recommend that you choose a password that you are not using on any other sites. We look forward to seeing you again soon.
Hallelujah and amen to all that!
This is just one more example of why it’s such a bad idea to use a password twice. For more good reasons, here’s a detailed explanation of the dangers of password reuse.
So yes, please do as Amazon suggests and change your password, not just on Amazon but also on any other sites where you use the same login.
Make sure each online account has a different password, and make them all strong!
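One way a service can act on a leaked credential list like the one described above, shown as an added example that is not Amazon's code or part of the original article: verify each leaked pair against the service's own salted hashes and force a reset only when the password matches. The account store, the PBKDF2 parameters, the `email:password` dump format and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_account(password: str) -> dict:
    """Build a constructed account record holding only a salt and a hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}

def parse_dump(lines):
    """Yield (email, password) pairs from 'email:password' lines."""
    for line in lines:
        # Split on the first colon only: passwords may contain colons.
        email, sep, password = line.rstrip("\r\n").partition(":")
        if not sep or "@" not in email or not password:
            continue  # malformed line, nothing to check
        yield email.strip().lower(), password

def accounts_to_reset(accounts: dict, dump_lines) -> set:
    """Flag only accounts whose leaked password verifies against our hash."""
    hits = set()
    for email, password in parse_dump(dump_lines):
        account = accounts.get(email)
        if account is None:
            continue  # address on the list, but not one of our customers
        candidate = hash_password(password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            account["force_reset"] = True
            hits.add(email)
    return hits

# Constructed sample data: three customers and a leaked list from another site.
ACCOUNTS = {
    "alice@example.com": make_account("correct horse battery"),
    "bob@example.com": make_account("unique-to-this-site"),
    "carol@example.com": make_account("pa:ss:word"),
}
DUMP = [
    "alice@example.com:correct horse battery",  # reused password: reset
    "bob@example.com:old-forum-password",       # email listed, password differs
    "Carol@Example.com:pa:ss:word",             # mixed case, colon in password
    "mallory@example.net:whatever",             # not a customer
    "line without a separator",
]

if __name__ == "__main__":
    print(sorted(accounts_to_reset(ACCOUNTS, DUMP)))
```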
Lisa, this is a current trend in information security. Many organizations are leveraging the same strategy, monitoring for compromised credential caches. While it's possible that Amazon may have been breached, it's just as likely that criminals are stealing credentials from users by infecting their PCs and then building lists of credentials. You may want to explore this issue further. You may find that Amazon is doing a good job when it comes to security and helping their customers by being proactive.
Did you read the article, or just head straight to the comments section?
*facepalm*
Amazon offers a strong authentication option. Use it in preference to merely changing your password.
Hopefully Amazon – or anyone else – does not simply force you to change your password just because your email is on a leaked list, but only if Amazon cross-checked the leaked password and it opens your account. This kind of cross-check should routinely be done by providers, because most probably the crooks routinely use the leaked lists wherever they can.
I got a very similar password reset email from Walmart.com (very old & dormant account).
FWIW - the email used on Walmart.com is a Yahoo account.