Over the past few weeks, hackers have leveraged passwords exposed in high-profile breaches to compromise Amazon third-party sellers' accounts, the Wall Street Journal reports.
The attackers have stolen tens of thousands of dollars from sellers' accounts, and have also used the accounts to post nonexistent items for sale in order to steal more funds.
More than two million seller accounts on Amazon.com account for more than half of its sales, Fox Business reports, and over 100,000 of those sellers earn more than $100,000 a year.
Amazon seller Margina Dennis told NBC News that tens of thousands of dollars were stolen from her seller account, and that she's received over 100 emails from customers complaining that they never received a Nintendo Switch they purchased from her, which hackers had placed for sale from her account.
While Amazon notified Dennis on March 29 that her account may have been hacked, she told NBC she was unable to access it for several days, since the hackers had changed the account password.
In a statement, an Amazon spokesman told SC Magazine, "There have always been bad actors in the world; however, as fraudsters get smarter so do we. Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com."
Managing Third-Party Cyber Risk
CyberGRX CEO Fred Kneip told eSecurity Planet by email that it shouldn't be a surprise to see hackers exploiting Amazon's third-party ecosystem for financial gain. "Amazon is a high-profile example of how increasingly connected businesses have become, but organizations across the world in every industry are undergoing a similar transformation as outsourcing, globalization and the digitization of business expand their digital ecosystems exponentially," he said.
"Whether it's one of the world's largest retailers or a small business, companies need to approach third-party cyber risk as a real threat to their business that needs to be continuously managed," Kneip added.
AlienVault security advocate Javvad Malik said by email that while partnering with large providers can bring many benefits to smaller third parties, those smaller providers are still ultimately responsible for their own security. "It is therefore important that all companies of all sizes have at least a basic level of threat detection controls in place that can alert when unexpected changes occur, or when systems start behaving in an unusual manner," he said.
And Centrify senior director of products and marketing Corey Williams said it's crucial to apply proper security procedures and due diligence throughout the supply chain. "Compromised credentials are the leading attack vectors in cyber breaches, as hackers target networks through trusted third-party suppliers and contractors who likely have less rigorous security than the ultimate target," he said.
"This certainly won't be the last time we see third parties being hacked -- organizations need to up the security stakes with multi-factor authentication, which requires more than one method of authentication to verify the user's identity for a login or other transaction, in order to stop the use of stolen credentials," Williams added.
Improving Password Security
In a recent analysis of the LinkedIn breach, Preempt researchers found that fully 35 percent of accounts used previously known passwords that could easily be cracked. To improve password security, company director of product management Eran Cohen suggests taking the following five steps:
- Use a password policy to enforce complexity and password expiration
- Require longer passwords (8 bad, 10 ok, 12 good)
- Educate people to:
  - Not share passwords with other employees
  - Not share passwords with other cloud services
  - Not use simple patterns, personal data or common words
  - Not repeat passwords when a password expires
- Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device
- Implement a context-based solution -- train and enforce password policy based on users' activity
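The policy items above (length tiers, complexity, no common or breached words, no simple patterns, no personal data, no reuse after expiration) are the kind of checks a password-change endpoint can enforce server-side. The following Python is an added illustration written for this article, not code from Preempt or any product it mentions. The "three of four character classes" complexity rule, the tiny common-password set and the PBKDF2 parameters are assumptions; a real deployment would check against a full breached-password corpus and keep the salted hashes of a user's previous passwords as the reuse history.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of common / previously breached passwords (not a real breach list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Length tiers follow the article's "8 bad, 10 ok, 12 good"; anything under 10 is rejected.
OK_LENGTH = 10
GOOD_LENGTH = 12
MIN_CLASSES = 3          # assumed complexity rule: 3 of upper/lower/digit/symbol
PBKDF2_ITERATIONS = 200_000   # assumed work factor for stored history hashes


def length_rating(password):
    """Map a password length onto the article's bad / ok / good tiers."""
    n = len(password)
    if n < OK_LENGTH:
        return "bad"
    if n < GOOD_LENGTH:
        return "ok"
    return "good"


def character_classes(password):
    """Count which of the four character classes the password uses."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes)


def has_simple_pattern(password):
    """Detect all-one-character, ascending/descending runs and keyboard-row runs."""
    low = password.lower()
    if re.fullmatch(r"(.)\1+", low):
        return True
    for i in range(len(low) - 3):
        codes = [ord(c) for c in low[i:i + 4]]
        diffs = [codes[j + 1] - codes[j] for j in range(3)]
        if all(d == 1 for d in diffs) or all(d == -1 for d in diffs):
            return True
    for row in ("qwertyuiop", "asdfghjkl", "zxcvbnm"):
        for i in range(len(row) - 3):
            if row[i:i + 4] in low:
                return True
    return False


def contains_personal_data(password, personal_terms):
    """Reject passwords built from known personal data (name, employer, ...)."""
    low = password.lower()
    return any(term and term.lower() in low for term in personal_terms)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash, as stored in the user's password history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_password(password, personal_terms=(), history=()):
    """Apply every policy check and return the verdict with the reasons for rejection."""
    problems = []
    rating = length_rating(password)
    if rating == "bad":
        problems.append("too short (minimum %d)" % OK_LENGTH)
    if character_classes(password) < MIN_CLASSES:
        problems.append("insufficient character variety (need %d of 4 classes)" % MIN_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or previously breached password")
    if has_simple_pattern(password):
        problems.append("simple pattern")
    if contains_personal_data(password, personal_terms):
        problems.append("contains personal data")
    if was_used_before(password, history):
        problems.append("reused from history")
    return {"accepted": not problems, "length_rating": rating, "problems": problems}


if __name__ == "__main__":
    old = [hash_password("Tr0ub4dor&3Horse!!")]   # constructed history of one prior password
    print(evaluate_password("password"))
    print(evaluate_password("MarginaDennis2024", personal_terms=("Margina", "Dennis")))
    print(evaluate_password("Tr0ub4dor&3Horse!!", history=old))
    print(evaluate_password("Vast!Copper-Lantern7"))
```

The reuse check hashes the candidate under each stored salt rather than comparing plaintexts, so the history never has to hold recoverable passwords; the same helper can be reused for the expiration step, where the rejected candidate is the one the user is trying to set again.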