Report: Amazon Possibly Hit By Breach, Asks Some Customers To Reset Passwords

On the eve of the kickoff of the biggest retail season of the year, online shopping behemoth Amazon has reportedly been hit by a breach, and is telling some of its customers to change their passwords.

According to a report by ZDNet, the retail giant was forced to reset the passwords of a number of Amazon customers, though it is not clear how many at this point. Citing emails sent to Amazon customers, the report said Amazon discovered that the passwords could have been ’improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party."

Amazon did not respond to CRN requests for comment.

[Related: Security Experts: Retail Sector More Aware, Not Necessarily More Secure]

Sponsored post

Jane Wright, senior analyst covering security at Technology Business Research, said that this type of move is common during the holiday season, as both retailers and customers are rushing to complete a high volume of orders.

’While I don’t know yet if the Amazon situation you mentioned is legitimate, ... we expect to see a lot of these password-reset communications going out to customers from retailers this holiday season,’ Wright said.

For retailers the size of Amazon, a material breach could be a huge reputation hit, said Jeff Schmidt, CEO and founder of Chicago-based JAS Global Advisors. For example, a recent Accenture survey found that 12 percent of loyal customers won’t return to a retailer after a data breach and 36 percent will slow their shopping with the retailer.

However, Schmidt said, breaches of retailers of that size are fewer and farther between, as the companies recognize the threat and have invested heavily in their security infrastructure.

"It's a really big problem if they had a material breach, so they've invested," Schmidt said.

However, there is always room for improvement for big retailers, Matt Johnson, CEO at Reisterstown, Md.-based Phalanx Secure, said in an email.

"Retailers in general need to do a better job of protecting customers' passwords and payment information," Johnson said, adding that he would like to see more retailers enforce regular password resets and enable multi-factor authentication. Amazon, for one, introduced optional multifactor authentication to its online shopping experience earlier this month.

So far in 2015, there have been nine reported data breaches in the retail and merchant sector, according to the Privacy Rights Clearinghouse. That includes breaches at CVS Pharmacy, Starbucks, Sally Beauty Supply, Toys R Us and more. That compares with 43 reported breaches in 2014, most notably Staples and Home Depot.

One thing customers have to be careful of, though, is that this type of password reset email can also be a phishing attack as hackers pose as retailers to try to use the busy holiday season to their advantage, TBR's Wright said.

"Hackers will use the bustle of the holiday shopping season to take advantage of confused customers," Wright said. "It will be difficult for customers to determine if the message they've received is a legitimate communication from the retailer, or an opportunistic attack by hackers."

Adding to that secondary security effect is an influx of shoppers who are not necessarily well-versed in the online shopping process, JAS' Schmidt said. Those shoppers might be more vulnerable than their more experienced peers, Schmidt said, as they might not recognize suspicious activity as quickly.

"People shop online during the holiday season that are not expert online shoppers. Those people become more susceptible to fraud and phishing," Schmidt said.