Change Your Amazon Password…Now!

I’m reticent to really even talk about this now, as there are very few details as to what exactly happened, but Amazon is sending out warning emails to select customers recommending that those customers change their Amazon password immediately, as there has been a breach of security which has allowed certain bad actors to collect passwords for Amazon accounts from Amazon.

How this was achieved is presently unknown. My guess is that it was at least in part an “inside job” (I hate using that phrase) that allowed for this to happen. Not that Amazon servers are a hard target to find, as Amazon’s servers power something like 80% of the internet, so if you can hit the broad side of a barn, you’re hitting Amazon somewhere (speaking of “broad”, the description I just gave is very broad about the way Amazon operates server-side). Regardless of that, the fact that Amazon has had a pretty serious security breach that directly affects Amazon the service doesn’t surprise me, but I think it should give us pause.

Before I get into that, yes, you absolutely should change your Amazon password, whether you received an email from them or not. Yes, you should set up Two-Factor Authentication with them immediately, so that if this happens again, it likely won’t affect you (and, of course, you should have Two-Factor Authentication enabled on every other account from every other company you deal with).

Now, as to why this is a big deal, and to some of the oddities around this whole story. This is initially a big deal simply because of the size of the company that Amazon is. I’ve said it many times on my tech podcast Sovryn Tech that Amazon’s security was atrocious, and I didn’t know how they hadn’t yet been cracked (I don’t use the word “hacked” because I consider hacking a heroic act, which I guess for some, maybe this password leak could be considered heroic). But the rhetoric going on around this password leak is that Amazon’s security was actually above industry standards, and so this shouldn’t have happened. Well, that’s where the big deal comes in: if Amazon can get cracked, so can Facebook, and so can Google, and so on. Can you imagine the utter chaos that would happen if Facebook passwords were leaked (and people didn’t have some kind of two-factor security set up for their Facebook account)? All of the love affairs, backstabbing, and secret reality of people’s feelings getting exposed for all to see? You thought the Ashley Madison crack was bad?! Oh man…are we in for a treat when (not if) Facebook gets cracked. Or how about when (not if) it happens to Alphabet/Google? Oh ho ho…gold.

So that’s the big deal and the warning that comes out of this happening. But now for the little oddities that I like to think I often uniquely deliver.

First, as I linked to above, last week Amazon out of nowhere made Two-Factor Authentication (2FA) available (an option that most major–and even small–companies have made available to customers/users for years now). It’s funny that, just a few days later, Amazon admits that account passwords were stolen. I think this is easy proof that Amazon knew about this security breach for some time, and only finally offered 2FA because of it.

But wait, there’s more.

I think Amazon knew the scale and the meaning of their password leak. And when something of this magnitude happens, journalists generally point fingers at the man at the top of the company (despite how oddly quiet the bulk of tech journalists are about it). In this case it would be Amazon CEO Jeff Bezos. Interestingly, Jeff Bezos was the focus of news sources on the day of this reported Amazon account password breach, but not because of that breach. Bezos made his very first tweet yesterday, and the media went gaga. Granted, it was about something impressive…


Now that is one Hell of an accomplishment for one of Jeff Bezos’ other companies, in this case the private space company Blue Origin. NASA can’t even launch and auto-land a rocket. I mean, talk about serious steps towards cheaper, sustainable space travel. Kudos, from the bottom of my heart, on that achievement (and thank you for besting NASA). And I don’t want to take anything away from the achievement, but in my opinion, the reveal of this news from Blue Origin was precisely timed to take the heat off of the password leak news that, again, I think Amazon knew about for some time. This guy just successfully pioneered reusable rocketry; how dare you complain about a password breach with his other company?


Honestly, the Amazon password leak–if that is all that was actually leaked–wouldn’t have mattered much a couple of years ago. Amazon doesn’t allow you to see your own complete credit card numbers, and the worst that would happen is that a bunch of stuff could get ordered that you would get instantly notified about and would have been able to do something about, either through Amazon itself or through your credit card company or wherever, and all of it would have gone to some wild new address that various law enforcement could stake out, whatever, and it all wouldn’t have meant much. But now, Amazon is much more than just an online retail provider. Now Amazon offers cloud storage for your photos and everything you could want to put into online storage, and bill pay features, and web browsing history (that’s right, every Kindle device, from e-readers to the Fire tablets, forcibly tracks your web history), and a slew of other things. If only Amazon were offering email (which I’m sure is coming soon), you’d be a completely screwed pooch by this password breach. So now, due to Amazon branching out into a million other areas, yes, your password getting stolen is serious business.

Granted, other than the possibility that Amazon knew that this happened some time ago and didn’t let you know right away, Amazon handled this situation right. They were proactive. Amazon automatically changed your password, and sent you an email (one that properly told you to go to Amazon directly; they didn’t give you a link, which is often the tactic of a malicious actor trying to get access to your account in the first place) to inform you how to get your password to one that you want. And as I said earlier, whether you get an email from Amazon or not, change your password anyway. One of the side concerns of this whole mess is that you or other people may use the same password on many different sites and accounts, so someone getting hold of your Amazon password could mean that they have the password to a multitude of other accounts that have nothing to do with Amazon. Keep that in mind, because even when you have 2FA enabled on your Amazon account, they may still have a password for an account of yours that doesn’t have 2FA as an option. Always change your passwords regularly (and if you want to know how to keep track of your passwords, don’t use LastPass, just go for the little black book). And if you have the opportunity, no matter how much of a pain in the ass it is, turn on 2FA.

Still, the whole takeaway from this, regardless of how companies handle these situations, is that every single online company/service–no matter how large or small–is eventually going to get cracked (it’s not “if”, it’s “when”), and your online information to varying degrees is going to be available to someone you didn’t want it to be available to, and it may even become very, very public.

Perhaps it would behoove you to act accordingly.

Carpe lucem!