BuzzFeed News


Amazon Inadvertently Leaked Customer Information. Here’s How To Secure Your Account.

Amazon said only names and emails were exposed — but you should protect your account anyway. Here's the definitive guide.

Posted on November 21, 2018, at 4:50 p.m. ET


A technical error on Amazon inadvertently revealed the names and email addresses of customers, according to an email sent to affected users in the US and UK on Tuesday. While Amazon said the exposure was not a breach of the website or any of its systems, the company did not reveal how many customers were affected or share details on what the technical error was. The security lapse’s scope and who obtained the data remain unknown, so it’s a very good idea to secure your Amazon account immediately.

“Disclosure of email addresses alone exposes consumers to increased risk of brute-force hacking attempts, and targeted phishing attacks,” said Travis Jarae, CEO of data research firm One World Identity. Jarae also advised that consumers still change their passwords, and “remember to avoid using the same password across multiple websites, and to never enter account password information into links opened directly from emails.”

An email Amazon sent to customers said, “The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

See, the customer information wasn't *stolen,* we simply *posted it on the public internet* in error.

In a statement to BuzzFeed News, an Amazon spokesperson confirmed the leak and wrote, “We have fixed the issue and informed customers who may have been impacted.”

The full details aren’t known, and it’s a good idea to secure your Amazon account anyway — Amazon account hacking is more common than you might think.

Amazon recommends users change their password every one to two months.

Hackers can use your Amazon account to spend your Amazon gift card balances or to leave fake reviews on products and get your ability to leave reviews suspended.

Also, your shipping information, phone number, the last four digits and expiration dates of your credit cards, and the last two digits of your checking account are vulnerable to anyone who’s able to hack into your Amazon account. Scammers can use this information to trick customer service representatives at other companies into giving them access to your other accounts.

Set up a password manager app on your phone.

Given the constant rotation of passwords you’ll be using, the first thing you need to do is use a password manager. There’s LastPass and Dashlane, which have great free versions, or 1Password, which is $3 per month.

You will need to remember one strong master password, which unlocks access to your password manager. You should also change this password every few months. Make it a phrase, and make sure the information isn’t available on social media or public records (like your birthday, a previous home address, or the names of your partner or kids). Also: don’t pick one of these common passwords, like “12345,” “football,” or “password.” Add some symbols, numbers, and randomized capitalization to that master password, too.

Download the password manager app on your phone. You can also have your phone auto-fill passwords from your manager, which will make your life so much easier.

On iPhone, go to Settings > Passwords & Accounts > AutoFill Passwords > enable AutoFill and select the name of your password manager. You can even use Face ID or Touch ID to unlock the password manager apps on your phone.


On Android, go to Settings > Autofill > and select “Autofill service.” If you have a phone running Android 6.0 or newer, you can use your fingerprint to unlock the password managers.

Then, install your manager’s browser extension (here are some quick links for LastPass, Dashlane, and 1Password).

Next, use the password manager app to generate a strong password for your Amazon account.

Go to Your Account on Amazon, and click on “Login & Security.”

Then, use the password manager’s browser extension to generate a password. Make sure it’s at least eight characters, and includes numbers, uppercase and lowercase characters, and punctuation.

Then, download an authenticator app, which you’ll need for the next step.

An authenticator app is an app that generates random, unique six-digit codes that can be used to provide security to your online accounts. The code is needed, in addition to your password, for what’s called “two-step verification.” Authenticator apps are a great alternative to receiving security codes via text message: you can get codes while traveling and connected only to Wi-Fi, and the app is more secure.

I like the Google Authenticator app because it’s simple. Another option is Authy, which has more features. After Amazon, you should set up your authentication app with Facebook, Dropbox, and Twitter as well.

You should note that if you use this method, you need a safe space to keep backup codes if the website provides them (Amazon doesn’t). You can print the codes out and keep them in your wallet. Put extra copies in a secure place in your house or at your office, too. That way, you have plenty of backups to gain access to your account if your phone and/or wallet is ever stolen. (Just don’t mark the paper as “GMAIL BACK UP CODES” or anything!)

On Amazon, enable two-factor authentication.

On Amazon.com, under Login & Security, go to Advanced Security Settings > Get Started. On the “Choose how you’ll receive codes” page, select “Authenticator App.”

There, a QR code will appear. Open the authenticator app on your phone and tap the “+” to scan the barcode. A six-digit code should appear. Enter that code into Amazon’s website.

Unfortunately, Amazon doesn’t provide backup codes, but does require users to input a backup mobile phone number. Because phone numbers can be compromised, follow the next step!

Go to your mobile carrier account and add a PIN.

This guide has all the details. Essentially, you need to contact your carrier and add a unique passcode, which will be required every time you need to make changes to your account.

So to recap: password manager + authenticator app + two-factor authentication + mobile carrier PIN = secure account.

Phew! Now you can rest easy knowing your Amazon account is secure.

Why stop at Amazon? If you really want to protect yourself, you should generate strong passwords for all your online accounts and store them in the password manager you just set up. Then set up two-factor authentication everywhere you can. And if the service lets you use an authenticator app instead of SMS, always opt for the app.

