Online retailer Amazon on Tuesday started sending emails to some of its users, prompting them to reset their passwords and saying that the passwords might have been compromised.
The company informed users that it decided to force-reset their passwords after learning that the passwords might have been exposed to a third party. The emails sent out by Amazon also suggested that the company adopted this measure as a precaution, since it was not aware of any user passwords actually having been improperly disclosed, ZDNet reports.
The email reportedly informed users that Amazon “recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party." The company also said in the message that the issue has already been corrected to prevent further exposure.
The company has not yet disclosed how many users are affected, but it appears that everyone whose password might have been compromised has been alerted. Amazon users who did not receive the email should not be affected, though resetting their passwords as well would do no harm, particularly if the same password is used on any other site.
The news comes one week after Amazon enabled two-factor authentication on its Amazon.com website, giving users an additional layer of account protection. To enable it, users need to go to their account, open the Advanced Account Settings option, and either scan a QR code to enroll the account in a two-step verification (authenticator) app or have one-time codes sent to their phone via text message.
Although Amazon did not offer details on the scope of the incident, it appears that both Amazon.com and Amazon.co.uk users might have been impacted. The two-factor authentication option is not yet available for UK users.
It is not uncommon for companies to prompt users to reset passwords when they believe accounts might have been compromised. Examples are numerous; Epic Games, ICANN.org, Hover, and Twitch are among the companies that recently asked users to reset their passwords after security breaches.
While the traditional username and password login continues to be widely used on websites, devices and applications, some believe that a more innovative approach to authentication is needed. In fact, some companies have already decided to shed the need for passwords, including Yahoo, which recently announced that it is allowing mobile users to sign in through a process called Account Key, which replaces the password with a login confirmation sent to the user's mobile device.
Keith Graham, CTO at SecureAuth, told SecurityWeek that the Amazon breach shows that organizations need to find an innovative approach to authentication that would allow them to move beyond the traditional username and password tactic. He also noted that two-factor authentication has lately proven to be a good technology, although it got off to a rough start.
“Advances in adaptive authentication have brought to market a number of options that help users stay both secure and productive by layering multiple methods such as device recognition, analysis of the physical location of the user, or even by using behavioral biometrics to continually verify the true identity of the end user. By layering adaptive authentication techniques, organizations like Amazon can further strengthen their defenses against cyber adversaries,” Graham said.
He also mentioned that Amazon users affected by this password reset should be vigilant and proactive about protecting their identities, the same as those who are merely looking to improve their personal cybersecurity posture. “This includes steering clear of password reuse across multiple sites and adopting a password manager to allow for extremely complex passwords. Where possible, it’s also wise to enable two-factor authentication on any websites or web based applications that support it,” he added.
Daniel Raskin, VP of Strategy & Marketing at ForgeRock, told SecurityWeek that the news about Amazon shows why there has been constant talk of the death of the password lately. He also explained that companies and users need a new approach to security instead of evaluating risks only once they might have been compromised.
“When you can continuously analyze someone’s authenticity while already in the system, then you can provide a high security environment while still offering ease of use to the end user. Especially with the Internet of Things bringing billions of new devices, services and apps online, the ability to continuously monitor and authenticate users while they’re in your house will become a real business advantage,” Raskin said.