In an email, the company tells potentially affected customers that it doesn’t think passwords were exposed but that Amazon was acting “out of an abundance of caution.”
Amazon.com has required an undisclosed number of customers to reset passwords to their online accounts after the company said some passwords “may have been improperly stored” on devices.
Several Amazon customers reached out to tech-news site ZDNet, saying they received emails from Amazon that the passwords needed to be reset.
Amazon representatives did not return requests for comment.
In the email sent to affected customers, Amazon said it did not believe passwords were exposed but was acting “out of an abundance of caution.”
Most Read Business Stories
- Instacart shoppers besieged by bots that snatch lucrative orders
- Agency: Nearly 87,000 bogus unemployment claims filed in Washington state
- Alaska Airlines warns nearly 1,600 Washington state employees of COVID-19-driven fall layoffs
- FAA finalizes its plan for the return of Boeing's 737 MAX
- Clorox becomes 'it' brand in world sheltered in place, fearful of virus
The security issue, whether it is a serious problem or not, comes at an inopportune time for Amazon — just days before the start of the busiest shopping season of the year.
But it’s unlikely Amazon’s system was breached, said Lars Harvey, CEO of IID, an Internet security company in Tacoma. Rather, Amazon probably realized that a mobile device or a third-party app that people use to access the online store was not storing or transmitting passwords securely, he said.
“A fair number of mobile apps do not engage in a way that keeps passwords totally safe,” Harvey said. “Sometimes passwords are not transmitted over encrypted protocol.”
Amazon likely discovered the problem with the third-party device or app and decided to notify all customers that have used that service, he said
“They’re pretty vigilant looking to protect their customers,” Harvey said.
Security with many third-party apps is a widespread issue, he added.
In fact, there are security companies that specialize in seeking out and testing apps for security flaws.
Twitter user Lindsay Shaerf posted a picture of the email she got from Amazon UK.
“We recently discovered that your Amazon.co.uk password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party,” the email reads, in part.
“We have corrected the issue to prevent this exposure. While we have no reason to believe your password was improperly disclosed to a third party, out of an abundance of caution, we have assigned a temporary password to your account,” it said.
Amazon introduced two-factor authentication to boost security to its U.S. customers last week.
If customers choose, they can require that a code sent to them via text be entered along with their password.