Amazon resets passwords following Black Friday leak fears

Retailer has "no reason to believe" passwords were improperly used

Amazon has reset a number of user account passwords after fears that log-in details were compromised as the online retailer enters one of the busiest shopping periods of the year.

An email sent to one affected user said that Amazon has "recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party," according to ZDNet.

The email said that the firm had "no reason to believe passwords were improperly used" and that the problem has now been corrected.

V3 contacted Amazon for additional comment but had received no response at the time of publication.

Many online retailers are already in the middle of Black Friday sales, and security firms are warning of an increased risk of cyber crime as Cyber Monday and Christmas approach.

Amazon reported its "busiest day on record" during the same sales period last year. Amazon.co.uk sold more than 5.5 million items on Black Friday 2014 at a rate of 64 items a second. Sales peaked at 8.29am, the firm revealed.

Amazon recently added a two-factor authentication option to its website, allowing customers to add a mobile number to verify log-in details and boost security on personal accounts.

David Kennerley, senior manager for threat research at cyber security firm Webroot, explained that Amazon's approach should be commended as the firm appears to have had a solid incident response plan in place, unlike companies such as TalkTalk and Vodafone.

"It's a step further than just meeting standard security legislation. Amazon is instead actively going above and beyond to tackle an issue," he said.

"In general, best practice is to change your password around every three months, using different passwords for the different sites visited, but very few people actually do this, leaving their account at risk.

"Although it might prove unpopular at first among some Amazon customers, the initiative will only improve security. The move towards two-factor authentication is also a positive step, and Amazon is following in the footsteps of sensitive industries such as banking."

Keith Graham, chief technology officer at SecureAuth, suggested that the forced password reset is "yet another nail in the coffin" for businesses that rely on traditional username/password verification.

"Organisations must strengthen their defences against cyber adversaries by employing cutting-edge adaptive authentication," he said.

"Layering multiple methods, such as device recognition, analysis of the physical location of the user, or even behavioural biometrics to continually verify the true identity of the end user, maintains a simple user experience and makes stolen credentials ineffective.

"Individuals affected by this notification, and those looking to improve their personal cyber security posture, should be vigilant and proactive about protecting their identities."

Mark Stollery, managing consultant of enterprise and cyber security at Fujitsu, believes that it was simply a matter of time before Amazon was targeted in a cyber attack.

"This latest incident changes nothing and is just a reminder that cyber attacks are a fact of daily life for today's online businesses. The password reset is a sensible measure, even if it causes a short-term nuisance," he said.

"A future attack might be successful, as 100 percent security is impossible, but Amazon is reducing its vulnerability by proving that it can spot suspicious incidents and deal with them swiftly."