Don’t panic! That is the message coming out of Amazon after acknowledging that they accidentally leaked users’ names and email addresses as the result of a technical error. The Verge has more of what scant details there are.
“Amazon has emailed users to tell them that a ‘technical error’ made their names and email addresses visible publicly on its website (via BetaNews). Amazon declined to comment on how many users have been affected, and the only way to know if your email address has been exposed is by receiving one of the company’s surprisingly brief emails.”
If you got an email that looked like a phishing attack from Amazon about compromised personal data, it was probably real. That said, you should never follow any links from inside an email, especially to your accounts from Amazon, Apple, social media, or your bank. Go directly to the website from your browser and deal with the issue that way.
This is the perfect time to expect a phishing attack impersonating Amazon. Now that hackers know this has happened, they can easily design a phishing campaign that includes some type of man-in-the-middle attack. Once again, this can be defeated by never clicking on the link in the email.
Amazon's legit been sending out notices saying sorry we exposed your email address. Seems likely related to this https://t.co/21cRB2dHTk… Besides the brevity, what's giving people pause is they sign the email https://t.co/KDiteRFaeR Why cap the "a" and why no https://? Strange pic.twitter.com/mwty3GmCN1
— briankrebs (@briankrebs) November 21, 2018
Some concerned Twitter users have noted an anomaly in the letter being sent, making it appear questionable. There is a high likelihood the letter is real, since it does not provide a link and suggests that the problem has been fixed. The Verge does include a cautionary note.
“In these messages, Amazon says that the error has now been fixed, and it reassures users that it will not be necessary for them to reset their passwords. However, the information exposed still presents dangers for customers: it puts them at risk of phishing attacks, and it could allow hackers to attempt to reset their accounts.”
It is unusual, though not unheard of, for a company to say that it is not necessary to reset passwords after a leak, regardless of how benign it is. The expectation is that Amazon would force a password reset. Companies want to go out of their way not to panic customers or appear weak. Google concealed a data breach because they wanted to avoid the negative press that was associated with Cambridge Analytica.
If you trust Amazon completely, then you have nothing to worry about. But Amazon has left the door open for questions, as they have not revealed how many accounts were affected or what part of the world was affected. To be safe, reset your Amazon password and be extra vigilant with regard to phishing attacks, especially those that claim to be from Amazon.