Amazon force-resets passwords
Amazon say the reset was carried out because of an "abundance of caution"
Amazon has forced password resets on many of its customers after a security scare. Yesterday the online retailer emailed the affected customers to say that it had “recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party.”
This is not the first time Amazon has issued password resets for its customers; it has done so several times in the last decade.
Amazon went on to say that it had corrected the issue and did not believe any passwords had been obtained by a third party, and that it issued the forced resets only out of an “abundance of caution.” That said, if the problem was at the customer's end, it raises the question of why a password reset on Amazon's side would be effective.
Some industry commentators have put the move down to Amazon's thorough security mindset and the looming shopping holiday of Black Friday. The riot-inciting day of deals is known to be an active time not only for shoppers but for cyber-criminals looking to break into their accounts.
Mark Stollery, a managing consultant for Enterprise and Cyber Security at Fujitsu, welcomed the reset: “The password reset is a sensible measure, even if it causes short-term nuisance. Amazon is reducing its vulnerability by proving that it can spot suspicious incidents and deal with them swiftly.” Stollery added that this proactivity is something others might want to start thinking about: “Research from Fujitsu indicates that only 9 percent of UK consumers believe organisations are doing enough to protect their data, so Amazon and others will need to continually demonstrate their cyber security competence if they are to keep the trust of their customers.”
David Kennerley, senior manager for threat research at cybersecurity firm Webroot, echoed that sentiment to SC: “This move by Amazon should be highly commended because it's a step further than just meeting standard security legislation, and instead they are actively going above and beyond to tackle an issue.”
Kennerley added that the recent introduction of two-factor authentication for Amazon customers was also welcome: “The move towards two factor authentication is also a positive step, with Amazon following in the footsteps of sensitive industries such as banking. Between these two changes we are likely to see Amazon account holders' personal details being far more secure.”
SC spoke to Professor Kenny Paterson, an academic at Royal Holloway, University of London, who exposed a vulnerability in Amazon Web Services (AWS) earlier this year. AWS was in the process of switching from OpenSSL to its own TLS library, S2N, and within days of the source code being published Paterson and his colleagues had told Amazon about the vulnerabilities they found.
S2N was vulnerable to a variant of the ‘Lucky 13' attack, a timing side channel in how TLS checks CBC padding and the MAC on a record. Paterson and his colleagues found that, with about 8.39 million encrypted sessions, an attacker could recover one byte of plaintext. That figure, Paterson told SC, is “quite high but the point was the system that AWS was releasing was meant to be bulletproof.” If a company like Amazon is going to make that switch, “you've got to be damn serious.”
That said, Paterson was keen to stress how responsive Amazon were to his disclosures: “The really good thing is that this was all done within days of AWS making their source code available, and they patched it quickly.”