Amazon Wants You To Change Your Password Too

Since the internet exploded with the Gawker hacking fiasco, it’s become en vogue for everyone to change their passwords out of fear an identity thief will download their info and go after their money, as well as post lame comments under their names. Amazon has gotten into the act, resetting customers’ passwords and telling them all about it via email.

Jason forwarded this note from Amazon:

This is an important message from Amazon.com

At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Amazon.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Amazon account.

To regain access to your Amazon customer account:

1. Go to Amazon.com and click the “Your Account” link at the top of our website.

2. Click the link that says “Forgot your password?”

3. Follow the instructions to set a new password for your account.

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you choose a password that you are not using on any other sites. We look forward to seeing you again soon.

Sincerely,

Amazon.com

How has the hacker hysteria changed the way you select and use your passwords?

Comments


  1. YouDidWhatNow? says:

    “as well as post lame comments under their names”

    I post my own lame comments at home. Oh wait…

  2. Loias supports harsher punishments against corporations says:

    I got the Gawker e-mail and I have NEVER registered with them. At best I’ve been there from linked Consumerist posts. That part was actually scarier than having a potentially hacked login.

    • Raekwon says:

      I got a lot of Gawker emails… and Blizzard ones and more. It looks like most if not all the Gawker ones were fakes. In fact I didn’t even get one from Gawker even though my info was in the list leaked.

    • Loias supports harsher punishments against corporations says:

      And before someone asks, I’m also not affiliated with Lifehacker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot either (the other sites hacked).

      How the hell did they get my e-mail address?!

      • larrymac thinks testing should have occurred says:

        How long have you been signed up with Consumerist?

        • jason in boston says:

          I think this is the correct answer. When consumerist got sold, perhaps they did not delete the email addresses from the database?

          • keepher says:

            I got the one from Amazon, problem is I’ve never bought anything on that site or ever registered.

          • Shadowman615 says:

            I think if you were registered with Consumerist or any other Gawker site when Consumerist was still part of Gawker, then you had a Gawker login. One login works for all of their sites, so the old Consumerist login still would have been valid for the other sites.

            You can search the md5 of your email address to see if it was on the list here:
            http://www.google.com/fusiontables/DataSource?dsrcid=350662

          • amuro98 says:

            That, unfortunately, is correct.

            And it’s pretty dumb if you ask me. It was not disclosed to me that by signing up with Consumerist (at that time) I was also registering with the entire umbrella of Gawker’s websites.

            Now that Consumerist has been sold, does that mean my login/PW is now part of another umbrella organization of sites that I am not aware of as well?

            Where do I sign up for the lawsuit? I’m being serious here.

      • sonnetfm says:

        Same thing happened to me, I’ve definitely never signed up with any of their sites. I lurked Consumerist before they left the Gawker family, but didn’t actually sign up till a few weeks ago.

    • Hooray4Zoidberg says:

      It’s a phishing email, I got one too and gmail didn’t catch it like most spam.

    • goodfellow_puck says:

      You can go to one of the Gawker sites and hit “forgot password”. If they actually have an email for you, you’ll get another email sent that tells you they reset your password and what it is.

  3. TalKeaton: Every Puzzle Has an Answer! says:

    Already changed, along with my eBay, PayPal, bank, email, and every other site I could think of at 6AM on a Tuesday.

    • IMoriarty says:

      I made the switch to Lastpass for all the passwords I never need to type, cutting down the total amount of passwords I’ll have to change next time this happens.

    • crashfrog says:

      Right, I did this too, and had just enough time to commit all those new passwords to memory before almost every single site did me the favor of resetting my passwords (even though I’d just done it.)

    • Tallanvor says:

      You use the same password for your bank that you do for sites like Gawker?

      Don’t get me wrong, I won’t claim to never reuse passwords (I do it too often, truth be told), but I always use separate and random passwords as complex as the site will allow.

      I use KeePass to keep everything organized. The master password is complex enough that it would take some time to crack, even with rainbow tables and other new cracking tools.

  4. DanRydell says:

    I make my own passwords at home

  5. KeithIrwin says:

    Well, as I use the Firefox plugin version of PasswordMaker from http://www.passwordmaker.org to make a different site-specific secure password for each site using a cryptographic hash function, it hasn’t changed the way I select and use my passwords at all. As someone with a PhD in computer security, I highly recommend that everyone else do this as well. It’s fairly easy to use and it gives you tremendously better password security.

    • Spellchk says:

      In that case I would be interested in knowing your thoughts on KeePass. (keepass.info) It is currently what I use for my passwords. Use the droid app for mobile passwords. Also do you have any other suggestions?

      • KeithIrwin says:

        From a perspective of information secrecy, Keepass seems perfectly secure. They use appropriate cryptography for the situation and seem to use it in a proper manner. If you’ve found that the program suits your needs, then feel free to keep using it. Do be certain that your password database is adequately backed up, though (and also your key file, if you use one). If your database gets lost or corrupted, you’ve just lost all of your passwords.

        The reason that I usually recommend PasswordMaker rather than systems like Keepass to people who aren’t already using something is that it doesn’t have that problem. All you need to generate the password for some site is the URL it uses, the master password, and your settings (and of those, only the master password needs to be kept secret). As a result, even if your house burns down you won’t lose your passwords (unless the trauma of having your house burn down causes you to forget your master password). Also, if you’re far away from your home computer and didn’t bring your database with you (as you certainly could on, for example, a USB stick), you can still have access to your passwords. So that’s why I recommend it. Its upside is usability and guaranteed availability.

        There are two downsides to using PasswordMaker. The first is that the password it generates is fixed given a certain master password and site URL. As a result, this makes it a hassle to change your password for a given site. The best way is to append a number after the end of the site URL, but then you have to know which number is used for which site. Fortunately, in most situations this doesn’t come up much since most sites don’t make you change your password, but it can be a hassle if a site requires regular changes or if your password for one site is stolen. The fact that it’s fixed can also create problems if some websites refuse to accept some passwords. You can usually avoid problems with that by not including punctuation in the alphabet you use when generating the site passwords (this can be adjusted in the settings, although you’ll need to fix your settings in the beginning since changing the settings changes which password it will generate for given inputs).

        The second downside is that because there is some mathematical relationship between the master password and the site passwords, it’s possible for an attacker to try to guess the master password by trying different site passwords. This is a problem because although one site might only allow an attacker to try 5 passwords before getting locked out, the attacker can then move on to another site and keep trying. The best way to solve this is to use longer passwords which are hard to guess even when the attacker has several sites to try. What I do is to put two of my old 8-character passwords together to form a 16 character password. This squares the number of passwords they would need to try before they were likely to find mine. I can’t guarantee that no one will ever find out my master password, but I’ve made it sufficiently unlikely that I’m not worried about it.

        So, anyway, that’s why I recommend what I do, but there’s nothing wrong with the security provided by other solutions like Keepass.
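As an added illustration of the scheme KeithIrwin describes (this is not PasswordMaker’s own code, and its exact algorithm differs), the following derives a per-site password from a master password, a normalised site URL and a settings tuple, using HMAC-SHA256 as the hash step. It shows the two properties discussed: the output is fixed for fixed inputs, so rotating a password needs an appended counter, and the alphabet can be restricted for sites that reject punctuation. Function names and the demo inputs are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Alphabets the generator may draw from: the full set, and a letters-plus-digits
# set for sites that reject punctuation (the settings change KeithIrwin mentions).
FULL_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789!@#$%^&*()-_=+")
ALNUM_ALPHABET = FULL_ALPHABET[:62]


def site_key(url: str) -> str:
    """Reduce a URL to its bare host so that http/https, paths and a leading
    'www.' all map to the same site password."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 16,
                    alphabet: str = FULL_ALPHABET, counter: int = 0) -> str:
    """Deterministic site password: HMAC-SHA256 keyed with the master password
    over the site key (plus an optional rotation counter), mapped onto the
    alphabet with rejection sampling so every character is equally likely.

    Only `master` is secret; the URL, counter and settings may be public, which
    is the availability property described above. It is also why the output
    cannot change unless one of those inputs changes (hence `counter`)."""
    if not 1 <= len(alphabet) <= 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    label = site_key(url)
    if counter:
        label = f"{label}#{counter}"   # the "append a number" rotation trick
    limit = 256 - (256 % len(alphabet))  # largest multiple of |alphabet| <= 256
    chars = []
    block = 0
    while len(chars) < length:
        digest = hmac.new(master.encode("utf-8"),
                          f"{label}:{block}".encode("utf-8"),
                          hashlib.sha256).digest()
        for byte in digest:
            if byte < limit:             # reject bytes that would bias the choice
                chars.append(alphabet[byte % len(alphabet)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    master = "two old passwords joined"   # constructed demo secret for this example
    print(derive_password(master, "https://www.example.com/login"))
    print(derive_password(master, "example.com"))              # identical to above
    print(derive_password(master, "example.com", counter=1))   # rotated password
    print(derive_password(master, "example.com", alphabet=ALNUM_ALPHABET))
```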

      • BHall says:

        I find that LastPass fits my needs quite well. This way I don’t need to set up an FTP site to sync multiple computers.

  6. danmac says:

    I’m beginning to wonder how enterprising identity thieves will use this whole Gawker debacle to their advantage:

    “This is your banks websit…due to the Gawker debacle, we advice you to change your passwrod immediate…please click on *link* then entr you username old password and new password to reset. Thank you for you’re conveniences.”

    • outis says:

      I got an email, redirected to spam, telling me about the Gawker thing 12 hours before Gawker sent one. I thought it was a phishing attempt so I didn’t click on it, but it turns out that they were using the leaked addresses to warn people, shaming Gawker into doing the same. But my first thought was “wow, I just read about this on the Consumerist and someone’s already taking advantage.” Still, I’ve changed my password algorithm three times since Consumerist was affiliated with Gawker, but it’s nice that someone spoke up.

  7. pinkbunnyslippers says:

    I got an e-mail like this from LinkedIn – it scared me because they mentioned the fact that they took the liberty of changing the password since my login e-mail was on the list of compromised Gawker e-mails.

    Is that list public or something? Is that a dumb question for me to ask?

    • You Can Call Me Al(isa) says:

      I was wondering that as well.

      • larrymac thinks testing should have occurred says:

        It’s easily found in some of the darker corners of the ‘net. And some not so dark corners, like gawkercheck.com

    • outoftheblew says:

      Yes, the list of emails from people who’d signed up with Gawker is public.

    • valueofaloonie says:

      The list of emails was leaked online, as well as a lot of unencrypted passwords. Anyone can download it from Pirate Bay etc, etc.

    • eyesack is the boss of the DEFAMATION ZONE says:

      Very public. The whole thing is a torrent now. There’s a widget on Slate you can use to see if you’re on the list.

    • dangermike says:

      Public? Yes, very. There’s a list floating around with all 1.3 million email addresses and usernames in plaintext with the encrypted passwords and a few other smaller lists containing the 200,000 or so cracked passwords next to their screen name/email address. Be forewarned, though, even if your password is still encrypted, unless it was a particularly strong password with very unusual characters in it, if it’s not cracked yet, it most likely will be within a few days or weeks. What was really weird was that I found other accounts linked to other email addresses I use for other things and the usernames associated with them weren’t anything I’d ever come up with.

    • pinkbunnyslippers says:

      Thanks all, I obviously didn’t know that :)

    • markmark says:

      Others have answered correctly. All these sites are going through this list and deactivating your account even if only your username is on their list. They all assume that we have used the same username/password on every site. LinkedIn hit me. Today, my employer sent me an email that my email address was on that ‘list’ that is circulating.
      Oddly enough, I wasn’t a member of the other Gawker sites until they were all combined a few years ago. Once that was done, being a member of Jalopnik led me to be able to log on to sites such as this one. However, probably due to account migration issues, I cannot reset my account password or update/change my email address. (Yep, got a ticket open with HD at Gawker).

  8. humphrmi says:

    LinkedIn disabled my account, and made me go through the “forgot password”, and reset the password, to access it.

    I also got an email from my webhost saying, basically, “We’ve compared the Gawker list to our database, and since you used the same email address to register with us, we suggest you change your password.” In other words, they downloaded the stolen database from a torrent, and when my email address showed up, they emailed me.

    A few other sites have suggested changing PWs as well.

    • Hooray4Zoidberg says:

      Yes me too, in related news LinkedIn doesn’t support strong 32 character passwords. I tried to change mine to one I auto generated with KeePass, it accepted it and said it was changed, but I couldn’t log in with it. I tried 3 times, finally I gave up and used a simple password and it was fine.

      • selianth says:

        Yeah, it seems like 12 characters is the LinkedIn limit. My new password was going to be 14 characters until I realized what the issue was and pared it down.

    • stebu says:

      My wife and I have been debating what linkedin did. I am very irritated, as my passwords are already unique, so I was safe. A warning email, great. Forcibly changing my password… not great.

    • bwcbwc says:

      This is stupid. They should be able to see if their hash matches the Gawker hash before they go resetting passwords spontaneously.

  9. jason in boston says:

    I like that some businesses are being proactive on this. Blizzard / LinkedIn did well with starting this policy (unless someone did it before them). Just lookup compromised account email addresses / vs active email addresses on the production server and force a reset.

    How do I protect my passwords? Lots of throwaway passwords and 1password.

  10. larrymac thinks testing should have occurred says:

    At least Amazon’s email is more informative than the one LinkedIn sent out. LinkedIn didn’t give any reason or background, just “hey we locked your account, change your password.” It was one link away from being a typical phishing email. They did subsequently send a more informative email, and apparently they tweeted about their “pro-active” actions at some point. Because yeah, everybody follows LinkedIn on Twitter….

  11. chiieddy says:

    I have changed nothing. I already used KeePass to maintain separate, unique passwords. However, I’ve been locked out of LinkedIn and Dreamhost suggested I change my password.

    • Joe User says:

      More people need to learn about Keepass, and the 15 character random string passwords it can save.

    • Hooray4Zoidberg says:

      LinkedIn didn’t work with my KeePass generated password. I don’t think it handles 32 character passwords correctly.

      • Niphil says:

        You can set how long you want the passwords to be in Keepass

      • Mom says:

        LinkedIn is strange with keepass. You can set your linkedin password to be all kinds of complicated, and it will look like it worked, but then you can’t login. If you set it to be short and only letters and numbers, then it will work.

        • chiieddy says:

          LinkedIn has a password size limit. When you paste in your KeePass password longer than whatever it is (I haven’t figured it out), it truncates it. You need to use a shorter password. I think I’m using 12 characters atm.

  12. grucifer says:

    I guess it’s a good thing I’m poor and have no money for anyone to steal

  13. raydee wandered off on a tangent and got lost says:

    My info was not on the list, I checked under my username and email address and it looks like I’m safe… Gawker emailed me anyways as a just-in-case.

    It’s pretty cool of Amazon to take this step for its users. I know a lot of random folks are going to be pissed about it, but if my information *had* been compromised, I would seriously appreciate this extra step from any company to protect me–and themselves–from future headaches.

    Though at least my Amazon password is one of my unique passwords. I’m surprised I remember it at all, given how different it is from my usual password-mnemonic system.

  14. Quake 'n' Shake says:

    I recently changed my passwords on my amazon accounts. For some reason, years ago I inadvertently created a 2nd Amazon account, using the same email address as the first, but with a different password. When I asked them if it was possible to delete one of the two accounts, I was told no. Instead, I just deleted all credit card and address info on it. It’s still there however, as I logged into them both this week.

    • coren says:

      …how is that even POSSIBLE? I mean, I believe you 100 percent, but how is it possible to have two accounts with one email? What kind of crap is that on their part?

      • Noadi says:

        I don’t know, I have the same problem and I can’t even track down how or when the second account on Amazon was created since it never had any of my billing information in it at all. This REALLY shouldn’t be possible.

      • RokMartian says:

        It is pretty easy from a database perspective. It was done on purpose – At the beginning of time, some people would share the same email address (i.e. husband and wife), so this allows multiple accounts using the same email in Amazon.

  15. HannahK says:

    I didn’t get one of these emails, but I definitely would have appreciated that they made the effort.

  16. missitnoonan says:

    I keep my financial and commenting passwords on two separate systems (each based on strong base password and a modifier) and use separate email accounts (one for finances and one for random websites). Even still I’ve been changing my passwords for everything I can think of, just a good thing to do once in a while anyway and this was a good reminder.

  17. StevePierce says:

    LinkedIn did the same thing and claims Gawker sent them a list of the affected email addresses. So it means Gawker violated my privacy again by sending my email address to LinkedIn. I never gave Gawker permission to disclose my email address to 3rd parties.

    Could this not get more screwed up except for Gawker simply publishing all the email addresses it has on their website, oh wait, they did that already.

    – Steve

    • halcyon22 says:

      Where is this claim made?

    • RandomHookup says:

      I received the same email from LinkedIn and it doesn’t even mention Gawker. As you can see in the thread above, the information is available on the innerwebs, so they took the initiative and matched user emails with Gawker hacked emails. If you matched, they changed your password.

      My only gripe is that they did this on the weekend they were having massive issues from migrating their data center. The site was horribly unstable all day Monday.

  18. kinickie says:

    I got the same email and had to reset my password. The funny thing is, the password I used for Amazon was completely different than my Gawker password. I have different sets of passwords for things that involve money and private information versus just commenting so I’m not terribly concerned.

    • aloria says:

      You probably have the same email address registered with amazon as is in the list of leaked Gawker accounts. They don’t check the passwords, just the emails. If amazon is managing passwords appropriately (storing only password hashes with a salt), they wouldn’t be able to compare them, anyway.
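The cross-check that humphrmi, jason in boston and aloria describe, as an added example (not code from Amazon, LinkedIn or any other site named in the thread): match a leaked dump against a user table by normalised email address only, flag the hits for a forced reset, and show why a site that stores salted hashes has nothing to compare the leaked password hashes against. The dump lines, account data and function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample in the shape of a "username,email,encrypted_password" dump.
# The third field is an opaque placeholder: the site never uses it.
LEAKED_DUMP = """\
# username,email,encrypted_password
alice_g,Alice@Example.com,ENCRYPTED-PLACEHOLDER-1
bobby,bob@example.org,ENCRYPTED-PLACEHOLDER-2
carol99,carol@example.net ,ENCRYPTED-PLACEHOLDER-3
"""

PBKDF2_ITERATIONS = 100_000


def normalize_email(addr: str) -> str:
    """Compare addresses case-insensitively and without stray whitespace; the
    dump and the user table rarely agree on capitalisation."""
    return addr.strip().lower()


def parse_leaked_dump(text: str):
    """Yield normalised email addresses from the dump, skipping comments,
    blank lines and malformed rows. Nothing else in the row is retained."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 3 or "@" not in fields[1]:
            continue
        yield normalize_email(fields[1])


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as aloria describes: the same password gives a
    different digest under every salt, so digests from another site's
    database are not comparable to ours."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_account(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt,
            "hash": hash_password(password, salt), "must_reset": False}


def verify_password(account: dict, password: str) -> bool:
    return hmac.compare_digest(account["hash"],
                               hash_password(password, account["salt"]))


def accounts_to_reset(accounts: dict, dump_text: str) -> list:
    """Email-only overlap between our user table and the leaked dump."""
    leaked = set(parse_leaked_dump(dump_text))
    return sorted(email for email in accounts if email in leaked)


def force_reset(accounts: dict, dump_text: str) -> int:
    """Flag every matched account so the next login must go through the
    'forgot your password' flow; returns the number of accounts flagged."""
    hits = accounts_to_reset(accounts, dump_text)
    for email in hits:
        accounts[email]["must_reset"] = True
    return len(hits)


def build_sample_accounts() -> dict:
    """Constructed user table: two addresses appear in the dump, one does not."""
    people = [("alice@example.com", "alice-pw"),
              ("carol@example.net", "carol-pw"),
              ("dave@example.com", "dave-pw")]
    return {a["email"]: a for a in (make_account(e, p) for e, p in people)}


if __name__ == "__main__":
    users = build_sample_accounts()
    print("forcing reset for:", accounts_to_reset(users, LEAKED_DUMP))
    print(force_reset(users, LEAKED_DUMP), "accounts flagged")
```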

  19. jesirose says:

    I use KeePass. I’d use it more if I could get the iKeePass app to work with DropBox, the way it’s advertised to.

    • cabjf says:

      I use it with DropBox, sort of. I prefer to keep local copies of my database file. So whenever I make a change, I upload the new version to DropBox, then download it when it syncs with my other computers/phone. As a result of this breach though, I have made sure that every account I can think of has a keepass created and managed password now. I also removed my email address from Gawker’s site. A little too late for that to make much of a difference, but no sense trusting them with it in the future, right?

  20. dolemite says:

    I got the Gizmodo notice, but also one from Deviantart. Apparently their system of email addresses was compromised at some point too.

  21. Brunette Bookworm says:

    This whole thing pisses me off. Thanks hackers! Now I have to change my passwords EVERYWHERE. I typically choose strong passwords that combine letters, numbers, upper and lowercase and special character, if allowed. Because my email was tied to my account on the Gawker network all these other sites have reset my password. I greatly dislike that users are bearing the brunt of the problem rather than the company. If the hackers had a problem with Gawker or their editors, go after them, not the commenters.

    • aloria says:

      Being pissed at hackers and not Gawker is like not being pissed at your bank if they leave the vault door open and robbers take all the money. Gawker’s security was abysmal; they obviously had a very ostrich approach to protecting their users before this happened.

      • Brunette Bookworm says:

        I am annoyed with Gawker but these hackers got all this info and then distributed it online. Yes, Gawker had security issues but that doesn’t make it okay for the hackers to do what they did. Just like if a bank left a vault door open, it doesn’t make the robbery legal.

  22. XianZhuXuande says:

    How has the hacker hysteria changed the way you select and use your passwords? Not much. My username/password was compromised along with everyone else’s, but all I had to do was reset my Gawker password. The username and password were not used on any other sites.

    I expect the reason why people don’t do this is just a matter of time, inconvenience, and laziness. For me the easy solution is 1Password for Mac (RoboForm works for Windows users). It manages all my usernames and passwords and allows me to enjoy a reasonable degree of security. It is also available for iOS so I can take them with me on the go.

    Definitely worth looking into those programs.

    • shockwaver1 says:

      Another vote for 1Password – I use the Mac version, as well as the Windows version on my windows PC – all synced up with DropBox. (I also use the iPhone version to keep a copy with me).

      It took me all of 2 minutes to reset my Gawker password to another 15 character string, saved and synced across two computers.

  23. Cantras says:

    I kind of wish I knew what my password on gawker was. I know my email address was on the list, and I *do* use a small subset of passwords — I know, shame on me, but at least they’re tiered in security a bit so it gives me an idea. I guess I’ll get to changing the ones in that subset.

  24. ap0 says:

    I unfortunately used the same (relatively strong) password on Gawker that I used for Amazon, Mint.com, PayPal, and others. All have been changed. I never got an email from Amazon, though.

  25. Scamazon says:

    Huh, was Amazon’s email database hacked too?

  26. MrsBug says:

    My account at Gawker was hacked. I rarely used it, but still it motivated me to change the accounts that used the same password as that one.

  27. CBenji says:

    I read Gawker, but have never signed up to comment. I get confused enough paying bills online with all the different password protocols where you have to have a symbol or you can’t have a symbol and you must have at least 10 characters or you can’t have 10 or whatever. I know there are programs to keep track for you, but I never use them.

    On Amazon they have this Pay Phrase thing which I don’t know what that is all about. Has anyone figured that stupid thing out?

    I also got a bogus email recently from someone pretending to be PayPal where they wanted me to send in all kinds of my financial information. I am lucky I didn’t fall for any of that crap. I think these people come out of the woodwork anymore.

  28. midwestkel says:

    LinkedIn and Hulu disabled my accounts and sent me emails because of this also. It’s nice that their tech people are downloading the file and cross checking to make sure people change their stuff.

  29. MsFab says:

    I even got an email from Gilt.com asking me to change my pw, along with LinkedIn. Everyone’s in on the party.

  30. Keter says:

    Darn, I can’t make the comments load on this article, although they are loading fine on other articles, so I hope I’m not repeating information others have posted.

    LinkedIn also forced a password reset, and if you have an Earthlink account, the reset emails from Gawker are getting caught in their overzealous spam filter and not even shown to you (this is why I no longer use Earthlink as my primary email…I had egg on my face too many times thanks to that spam filter). You have to reset your email to another email provider in order to get the password reset email from Gawker.

    • outshined says:

      Well that’s completely lame. Is that why I’ve asked Gawker like 10 times to send me a reset link? I have no idea how to do what you suggested (reset email?) but thanks for clearing up why I can’t reset. Ugh, I don’t even read Gawker anymore.

  31. Aeirlys says:

    Any site tied to financial activity, Facebook, Twitter, or shopping gets a unique password, but I have a standard password I use for commenting accounts (though never any of Gawker’s sites). I might have to knock that off, but I’m not really that concerned about someone impersonating me in a comments section.

  32. paleck says:

    This has actually been annoying me. A few sites/companies have done this to me…..

    The problem is that I already use a different password on each site I visit, usually set to whatever the max of the passwords will let me use. (IE max 16 char password, then the password I generate is 16 characters, if they allow symbols then I have symbols in the password). I understand them wanting to proactively protect their customers, but what about the customers that proactively protect themselves and don’t re-use passwords across multiple sites.

  33. framitz says:

    Hmmm, I use different logins for most sites. I was just on LinkedIn and had no problem, no password reset message or anything.

    I wonder if some sites like Amazon are slamming the list of usernames/passwords against their front end and just notifying those that succeeded. Would make some sense and avoid alerting those that are unaffected.

    I closed my Amazon account in protest a month ago. I’ll consider going back when they quit bothering me with Kindle ads and Amazon MP3 on my phone.

  34. Levk says:

    Man people are outta control but I guess anything to get on the spotlight

  35. coren says:

    Interesting – they haven’t contacted me, although I know my email was out there (my password was uncracked last I checked, although that was days ago). Battle net contacted me with a pair of confusing emails (one saying my pw was reset per my request, then another telling me about gawker and asking me to log on and follow the prompts – which there were none of.), and I’ve been making the rounds on other accounts I actually value, but it’s strange that I didn’t get this from Amazon

  36. MikeVx says:

    I use Spamgourmet.com and give every internet site that needs an address a unique one. This also has the advantage that if an address gets junk, I can give the site a new one and shut off the old one.

  37. Sonicjosh says:

    This whole thing got me started with LastPass. I’m loving it so far, I’ve started making random passwords. I’m ashamed of myself for using the same password over and over and for years and years, and it was the one I used for Gawker, this has finally got me off my butt to be a lot more secure.

  38. sponica says:

    It hasn’t changed the way I select my passwords, but it has made me glad that I have 2 email accounts and half of my stuff goes to one account and half the other….so only half my life has to be reset. None of which entailed my financial life.

  39. banmojo says:

    It was time to update my password system anyways. This forced my hand, which is not a bad thing this time ’round.

    Anyone think sites like LastPass could have been the ones to lift Gawker’s info in order to make more people use their service? Gizmodo sure licked their nether regions the past few days, so if so then it was an effective manipulation.

  40. Fafaflunkie Plays His World's Smallest Violin For You says:

    I also received the Gawker email, kind of bewildered since I don’t ever recall signing up for any Gawker owned site–I signed up here after the Consumers Union takeover. So how did Gawker get my email address? I checked the widget out that Slate offers, and according to it, I’m not in the Gawker database. So how did Gawker, or some phisher, get it? Of course, it did accelerate my changing passwords to all the sites I care about using Lastpass, so I guess that phony email may have been a good thing after all.

  41. Traveller says:

    “How has the hacker hysteria changed the way you select and use your passwords?”

    Mine was one of the anonymous posting accounts on Consumerist when it was part of Gawker. When CU bought the site, I got an email prompting me to change my password here. Gawker however kept the anonymous login. While I don’t give a rat’s ass about the Gawker login, given that I don’t bother with any of the sites in question, the fact that Gawker’s security got compromised compelled me to tighten up my security to hardcore levels.

    I was pretty consistent in the use of similar passwords on the sites, because it was easy. Not any more. I now use totally random passwords on all sites, and do not repeat a password. I have to rely on my browser’s password manager now, but in retrospect I did that anyway because it was convenient.

    It was four hours of my life I’d like to get back, but in the end, all done.

  42. HogwartsProfessor says:

    I haven’t gotten anything from Amazon or LinkedIn, but I did get the Gawker one, I’m assuming since I’m on Consumerist with that email.