Amazon Forces Password Reset For Some Users - InformationWeek
Commentary
11/26/2015
11:06 AM
Larry Loeb

Amazon Forces Password Reset For Some Users

Amazon told an unknown number of customers that their passwords could have been potentially exposed to a third party, but claimed it has corrected the issue.

In time for the busiest online shopping season of the year, Amazon has forced the reset of a number of user passwords because of a security concern, according to a ZDNet report.

The email sent to affected users in the US and UK said that Amazon had "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party. We have corrected the issue to prevent this exposure," according to ZDNet. The email added that there was "no reason" to think that a breach had occurred, but the company was issuing a temporary password out of an "abundance of caution."

The report also noted that, since the emails were sent to users' account message centers on Amazon.com and Amazon.co.uk, the messages are authentic.

(Image: Tuomas Kujansuu/iStockphoto)

This concern from Amazon indicates that it would be prudent to reset your Amazon password, even if the email has not been sent to you.

The e-commerce giant recently added two-factor authentication for US customers. Perhaps the reasons behind the email sent to affected users sped up the decision to make that new authentication service active.

Amazon has not yet responded to requests for comment on this story.

This type of incident is nothing new to Amazon, which has sent out similar force-reset password emails to affected users in the past, with some cases dating back to 2010.

Keith Graham, the CTO of SecureAuth, which sells its access control products to major enterprise customers and has a technology partner relationship with Amazon Web Services, told InformationWeek in an email that, "Amazon force-resetting some of its users' accounts due to fears of a password leak is yet another indication organizations need an innovative approach to authentication that goes beyond the traditional username and password tactic."

Graham added, "While the early days of cumbersome two-factor authentication cast a shadow on the technology, times have very much changed for the better. Advances in adaptive authentication have brought to market a number of options that help users stay both secure and productive by layering multiple methods, such as device recognition, analysis of the physical location of the user, or even by using behavioral biometrics to continually verify the true identity of the end user. By layering adaptive authentication techniques, organizations like Amazon can further strengthen their defenses against cyber adversaries."

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...
Comments
jagibbons
User Rank: Ninja
11/30/2015 | 11:07:26 AM
Re: Re
All in favor of that as well. :)
larryloeb
User Rank: Author
11/30/2015 | 11:06:24 AM
Re: Re
I personally like to hunt them down and destroy their hardware with an axe.

But, that's just me.

<g>
jagibbons
User Rank: Ninja
11/30/2015 | 10:58:59 AM
Re: Re
That's the goal of pretty much any security improvement, electronic or physical. Nothing is perfectly safe, so we have to settle for getting as close as we can. The harder I am to hack, the more likely someone will pick an easier target. I can't stop the hacker, but I can try to keep the target off of me.
larryloeb
User Rank: Author
11/30/2015 | 10:56:53 AM
Re: Re
Yes, I agree with your last sentence. It makes it harder to gain entry.
jagibbons
User Rank: Ninja
11/30/2015 | 10:46:18 AM
Re: Re
Agreed that no system removes all possible failure points. The goal is to reduce failure points to the minimum that is acceptable for each situation. Passwords are not a good means of securing anything, and they haven't been for years. While specific individuals may feel comfortable that they are using sufficiently complex passwords, changing them often enough and using each password in only one place, that doesn't describe the vast majority of the population.

The text coming to me might get copied by a Stingray type of device, but someone would still need my password at the same point in time. The code expires within a minute or so, so timing is critical.

The advantage of multifactor authentication is that at least two avenues must be compromised at the same time in order to gain access. It's not going to protect 100%, but it certainly reduces the likelihood of a breach down to considerably less than 1%. If someone doesn't have a smartphone and can't use an authenticator app, then SMS is the option. It may not be hack-proof, but it certainly makes the job a lot harder for someone to get unauthorized access.
larryloeb
User Rank: Author
11/30/2015 | 10:39:13 AM
Re: Re
Ok, but that allows a MITM with the carrier as the point of failure. Like if a Stingray device was in use. Not that it's likely you understand, but possible. I just don't think any security method can always be relied on, even something like MFA.
jagibbons
User Rank: Ninja
11/30/2015 | 9:56:20 AM
Re: Re
All 2-factor services I've seen also allow users to receive codes via SMS. Just about everyone can receive a text message. That's the fallback if the device with the authenticator app isn't available or isn't synced properly anyway.
larryloeb
User Rank: Author
11/30/2015 | 9:54:32 AM
Re: Re
Sure, if they have a device that can use something like Google Authenticator. The problem is that not everyone has such a device.
jagibbons
User Rank: Ninja
11/30/2015 | 9:09:34 AM
Re: Re
I would recommend that users enable 2-factor authentication anytime it's available from a provider. That's a relatively simple step that reaps huge gains in security of personal and financial data.
larryloeb
User Rank: Author
11/30/2015 | 9:08:05 AM
Re: Re
Yes, a good idea as well.