Some old Amazon accounts appear to have a flaw in their password protection scheme that makes them more vulnerable to a brute-force cracking attempt. For affected accounts, if you haven’t changed your password in several years and it’s over 8 characters long, it looks like all people have to do is enter the first 8 characters correctly and they’re in, even if what they type after those 8 characters is gobbledygook.
So if your password was “PASSWORDSCHOOL” it will accept “PASSWORDdf234243” or “PASSWORDsputnik” etc.
Several Consumerist readers verified that they were able to replicate the error on their accounts. Commenter Rodan wrote on this post, “Thanks. I had an old account and password. It was affected as described, I entered the first 8 characters then filled it with “1”s for the remaining characters. I was able to log into my account.”
Other commenters with old passwords said they couldn’t reproduce the error, including one with a 7-year-old password. It’s not clear what determines which accounts are vulnerable.
Reddit commenters also say that the passwords have been “flattened,” so correct upper and lower case is not required either.
Why does this matter? If someone was trying to break into your Amazon account through a method known as a “brute force attack”, where all possibilities are tried out in succession (0001, 0002, 0003, and so on), it would take them a lot less time to do it, potentially weeks less, because only the first 8 characters would have to be guessed. That’s bad.
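To make the behaviour described above concrete, here is an added example (not code from this article or from Amazon) that models the flawed check beside a hardened one. `legacy_verify` and the keyspace estimate are assumptions built only from the symptoms reported here (first 8 characters checked, case “flattened”), not from Amazon’s real implementation.

```python
import hashlib
import hmac
import math
import os

PREFIX_LEN = 8  # only this many characters are checked in the flawed scheme (per the article)


def legacy_verify(stored_password: str, candidate: str) -> bool:
    """Constructed model of the flaw: truncate to 8 characters and ignore case."""
    return stored_password[:PREFIX_LEN].lower() == candidate[:PREFIX_LEN].lower()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: salted PBKDF2-HMAC-SHA256 over the full, case-preserved password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_verify(record: dict, candidate: str) -> bool:
    """Recompute the hash over the whole candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def effective_keyspace_bits(password: str, flawed: bool = False) -> float:
    """Bits an attacker must search. Assumes letters+digits (62 symbols); the flaw
    collapses that to 8 positions over 36 case-insensitive symbols."""
    if flawed:
        return min(len(password), PREFIX_LEN) * math.log2(36)
    return len(password) * math.log2(62)


# Constructed candidates: the article's examples plus a case-folded and a wrong-prefix guess.
CANDIDATES = ["PASSWORDSCHOOL", "PASSWORDdf234243", "PASSWORDsputnik",
              "password11111111", "PASSWORT"]


def compare(stored: str, candidates=CANDIDATES) -> dict:
    """Map each candidate to (accepted by flawed check, accepted by hardened check)."""
    record = make_record(stored)
    return {c: (legacy_verify(stored, c), hardened_verify(record, c)) for c in candidates}


if __name__ == "__main__":
    for cand, (weak, strong) in compare("PASSWORDSCHOOL").items():
        print(f"{cand:18} flawed={weak!s:5} hardened={strong}")
    print(f"flawed keyspace: {effective_keyspace_bits('PASSWORDSCHOOL', True):.1f} bits, "
          f"hardened: {effective_keyspace_bits('PASSWORDSCHOOL'):.1f} bits")
```

Only the real password passes the hardened check, while the flawed model accepts every guess that shares the first 8 characters regardless of case.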
We’ve reached out to Amazon via voicemail, email, and Twitter for comment and an ETA on a fix.
THE TAKEAWAY: To fix the issue, simply change your Amazon password. You should change your passwords on a regular basis anyway, so now is as good a time as any.