Amazon Resets User Passwords But Denies Data Breach Rumors

“Out of an abundance of caution,” as every company likes to say these days, Amazon has started resetting passwords for a select list of users who had their personal details exposed online.

The company says that nobody breached its servers, but that it took this step after its security staff discovered a set of customer details posted online as part of another breach at another company.

Amazon says those details matched the details of Amazon accounts, and since it had no way of knowing if those customers reused the same passwords for their Amazon accounts, it decided to air on the safe side of things and reset those customers’ passwords, just in case.

Password reset emails started going out last week, when several users posted screenshots on Twitter, and have continued to reach users this week.

At the time of writing, only a small number of users have reported receiving these emails. The exact number of affected customers is currently unknown.

Amazon took a similar step of resetting user passwords in July when a hacker that goes on Twitter by the name of 0x2Taylor uploaded online a file with information on 80,000 Amazon Kindle users.

Amazon denied it was hacked, which may be true since hackers can also collect login credentials using malware (password dumpers, infostealers, keyloggers), and don’t have to necessarily breach Amazon’s well-defended servers.

This was not the case, though, as 0x2Taylor posted a screenshot of some of the leaked data, hours later, after saying that Amazon ignored him after reporting the security issue.

According to those who managed to grab a copy of the leaked data before being taken down, the file included details such as a user’s email, password, city, state, phone number, ZIP code, useragent string, IP address, and street address information.

While for that specific incident the truth seemed to lean towards 0x2Taylor’s side of events, Amazon should be happy that it’s been plagued only by smaller-sized breaches, and not by mega breach events that expose details of hundreds of millions of users (cough, Yahoo, cough).

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients