Rumors have been circulating that a massive Amazon data breach had occurred following the decision by the online retail giant to reset the passwords of users’ accounts. Amazon started resetting the passwords on certain accounts on Saturday and the process is ongoing. Emails have now been sent to users to advise them that their passwords were resent as a security precaution.
The decision was taken to protect customers whose credentials had been posted online; however, those credentials were not stolen as a result of an Amazon data breach. Instead they are believed to have been obtained in a breach of another platform. The password reset was performed as a proactive defense to prevent Amazon users’ accounts from being compromised. The password reset is understood to only have been performed on a small percentage of Amazon accounts.
Individuals whose passwords were reset were informed in the email that Amazon discovered that their credentials had been exposed. Amazon routinely monitors for data breaches and stolen credentials. The company’s security team recently identified a list of logins and passwords that matched Amazon customers’ accounts.
While Amazon investigated a potential breach, the security team determined that the breach was not Amazon-related. Affected Amazon customers were told “we have assigned a temporary password to your Amazon.com account out of an abundance of caution.”
The recycling of passwords across multiple platforms is ill-advised. If one website or online service is hacked and login credentials are stolen, they could be used to access multiple online accounts. Since Amazon.com is such a popular retailer, it would likely be one of the first sites that criminals attempt to gain access using stolen credentials.
In order to minimize the harm caused by a breach of login credentials, users should ensure that a strong, unique password is used for all accounts. A password manager can then be used to keep track of all the passwords.
Amazon did not say when the login credentials were discovered online or the source of the leaked credentials.