Amazon has reset an undisclosed number of its customers' passwords in response to a possible compromise, ZDNet reports.
A message sent from Amazon to those affected says the company "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party."
"We have corrected the issue to prevent this exposure," the message adds.
The company says that while it has no reason to believe the passwords were improperly accessed, it has reset some passwords out of an "abundance of caution."
SecureAuth CTO Keith Graham told eSecurity Planet by email that the news should serve as a reminder of the importance of seeking an innovative approach to authentication that reaches beyond user name and password. "While the early days of cumbersome two-factor authentication cast a shadow on the technology, times have very much changed for the better," he said. "Advances in adaptive authentication have brought to market a number of options that help users stay both secure and productive by layering multiple methods such as device recognition, analysis of the physical location of the user, or even by using behavioral biometrics to continually verify the true identity of the end user."
Still, ESET security researcher Lysa Myers said by email that the nature of Amazon's announcement indicates it's unlikely to have been a full breach. "More likely it was a glitch in the app or something that they discovered could be problematic," she said.
"If a friend came to me with this info, I'd tell them not to worry, but to reset their password to something new and unique," Myers added. "And change the password for any other accounts where they (naughty, naughty) used that password. And if they have any payment card info saved to the account, keep an extra close eye on activity on it for the next few months."
And if you're in the U.S. and not using two-factor authentication on your Amazon account, Myers said, it's time to add it.
Recent eSecurity Planet articles have examined how to use two-factor authentication for mobile security, and how to enforce password complexity without alienating users.