Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Amazon Forces Password Resets after Possible Security Breach

Online retailer Amazon on Tuesday started sending emails to some of its users, prompting them to reset their passwords, saying that they might have been compromised.

Online retailer Amazon on Tuesday started sending emails to some of its users, prompting them to reset their passwords, saying that they might have been compromised.

The company informed users that it decided to force-reset their passwords after learning that they might have been exposed to a third party. The emails sent out by Amazon also suggested that the company adopted this precautionary measure although it was not aware of user passwords being improperly disclosed, ZDNet reports.

The email reportedly informed users that Amazon “recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party.” The company also mentioned in the message that the issue has been already corrected to prevent further exposure.

The company hasn’t revealed information on the number of affected users as of now, but it appears that all those who might have had their passwords compromised were alerted on the matter. Those Amazon users who did not receive the email should be safe, though it might be a good idea for them to reset their passwords as well.

The news on Amazon comes one week after the company enabled two-factor authentication on its website, thus providing users with additional account protection. To enable it, users need to go to their accounts and access the Advanced Account Settings option, which will allow them to add Amazon to two-step verification apps via QR codes or have authentication codes sent to them via text.

Although Amazon didn’t offer details on the size on the breach, it appears that both and users might have been impacted. The two-factor authentication option is not yet available for UK users.

It is not uncommon for companies to prompt users to reset passwords when they believe that accounts might have been compromised. While examples are numerous, Epic Games,, Hover, and Twitch can be named as companies to have recently requested users reset their passwords after security breaches.

While the traditional username and password login method continues to be widely used on websites, devices and applications, some believe that a more innovative approach to authentication is needed. In fact, some companies have already decided to shed the need for passwords, including Yahoo, which recently announced that it is allowing mobile users to sign-in through a process called Account Key, which involves sending text messages for login confirmation.

Keith Graham, CTO at SecureAuth, told SecurityWeek that the Amazon breach shows that organizations need to find an innovative approach to authentication that would allow them to move beyond the traditional username and password tactic. He also noted that two-factor authentication has started to prove a good technology lately, although it started on the wrong foot.

“Advances in adaptive authentication have brought to market a number of options that help users stay both secure and productive by layering multiple methods such as, device recognition, analysis of the physical location of the user, or even by using behavioral biometrics to continually verify the true identity of the end user. By layering adaptive authentication techniques, organizations like Amazon can further strengthen their defenses against cyber adversaries,” Graham said.

He also mentioned that Amazon users affected by this password reset should be vigilant and proactive about protecting their identities, the same as those who are merely looking to improve their personal cybersecurity posture. “This includes steering clear of password reuse across multiple sites and adopting a password manager to allow for extremely complex passwords. Where possible, it’s also wise to enable two-factor authentication on any websites or web based applications that support it,” he added.

Daniel Raskin, VP Strategy & Marketing, ForgeRock, told SecurityWeek that the news about Amazon shows why there has been constant talk of the death of the password lately. He also explained that companies and users need a new approach to security instead of evaluating risks only when they might have been compromised.

“When you can continuously analyze someone’s authenticity while already in the system, then you can provide a high security environment while still offering ease of use to the end user. Especially with the Internet of Things bringing billions of new devices, services and apps online, the ability to continuously monitor and authenticate users while they’re in your house will become a real business advantage,” Raskin said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...