Photo via Christiaan Colen/Flickr (CC-BY-SA)
Netflix and Amazon are warning some customers that their accounts may be at risk and urging them to change their passwords, in what appear to be the first major effects of the massive database breaches that have surfaced during the past month.
The emails, which have started to appear in more and more inboxes, warn recipients that their email address and password may be among the credentials in a cache that has made its way online. Both Amazon and Netflix assure their customers that neither company was itself breached, a fact a Netflix spokesperson confirmed to the Daily Dot.
"Some Netflix members have received emails encouraging them to change their account passwords as a precautionary measure due to the recent disclosure of additional credentials from an older breach at another internet company," the spokesperson said.
In both cases, the services have assigned temporary passwords to the accounts of users caught up in the leaks, forcing a reset. The step was taken because "many customers reuse their passwords on multiple websites," according to the email delivered by Amazon.
The presumption that users have reused passwords is likely correct: according to a survey conducted by internet security company TeleSign, 73 percent of accounts are guarded by duplicate passwords, and 47 percent of people use a password that is at least five years old. For those users, a credential cache from a years-old breach, like the ones surfacing now, can still unlock accounts they use today.
The precautions taken by Netflix and Amazon follow weeks in which an unprecedented volume of usernames and passwords from major sites and services has appeared online.
A total of 167 million accounts from LinkedIn, the result of a 2012 breach, surfaced in May after being offered for sale on a dark net marketplace. Just weeks later, 427 million credentials from MySpace appeared online, the result of an apparently unreported breach of the social network's databases. Sixty-five million Tumblr accounts stolen in 2013 surfaced at the end of May as well. In June, 32 million credentials from Twitter users were put up for sale on the dark web, though Twitter denies it was ever the victim of a hack.
Change your passwords
Even if you don't get an email from Netflix or Amazon—or any other company taking extra steps to protect their customers—suggesting a password change, now is the perfect opportunity to do it.
First, check whether your account appears in any of the recent breaches using the free tools offered by LeakedSource, an online database of stolen credentials, or Have I Been Pwned, a searchable collection of breached accounts maintained by security expert Troy Hunt. Both search by email address or username; never type a current password into a third-party site to "check" it. Whether or not you appear on either list, it never hurts to refresh your protection.
When filling out the password form, use a combination that isn't in use for any other account of yours. Attackers routinely try leaked email-and-password pairs against other popular services, so a breach at one site creates a domino effect and compromises every account that shares the password.
Use a mix of words, numbers, symbols, and upper- and lowercase letters, and make it long; length does more for you than swapping a single letter for a symbol. Avoid anything easily guessable: anything on the list of most common passwords is a nonstarter, as is publicly available personal information like your birthday.
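As an added example, not code from the Daily Dot article or from Netflix or Amazon, the following Python script runs the checks described in the two preceding paragraphs over a small vault of site passwords: it flags passwords reused across sites, entries on a common-password list, passwords that embed personal information such as a birth year, and weak composition, then replaces each flagged password with a fresh random one drawn from the operating system's CSPRNG. The site names, the sample passwords, the birth year and the short common-password list are all constructed for illustration; a real audit would load a full top-10k common-password list.

```python
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for a "most common passwords" list: a few entries that
# top every published ranking. A real audit would load the full top-10k list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345", "1234",
    "111111", "1234567", "dragon", "123123", "baseball", "abc123", "football",
    "monkey", "letmein", "shadow", "master", "666666", "qwertyuiop",
    "password1", "welcome",
}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed sample vault and personal detail (a birth year) for the demo.
SAMPLE_VAULT = {
    "linkedin": "Summer1984!",            # reused, contains a birth year, short
    "netflix": "Summer1984!",             # the same password again
    "amazon": "password",                 # on every common-password list
    "bank": "r3F!kq9$Lm2x^Vb7",           # unique, long, mixed: left alone
}
SAMPLE_PERSONAL_INFO = ("1984",)


@dataclass
class Finding:
    site: str
    problems: list = field(default_factory=list)


def _classes(pw):
    """Which of the four character classes a password draws from."""
    return (any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))


def audit(credentials, personal_info=()):
    """credentials maps site -> password. Returns one Finding per site that
    has a problem: reuse across sites, a common password, personal info
    embedded in it, too few character classes, or too short."""
    sites_by_password = defaultdict(list)
    for site, pw in credentials.items():
        sites_by_password[pw].append(site)

    findings = []
    for site, pw in credentials.items():
        problems = []
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            problems.append("reused on " + ", ".join(others))
        if pw.lower() in COMMON_PASSWORDS:
            problems.append("on the most-common-passwords list")
        for info in personal_info:
            if info and info.lower() in pw.lower():
                problems.append(f"contains personal info {info!r}")
        if sum(_classes(pw)) < 3:
            problems.append("fewer than three character classes")
        if len(pw) < 12:
            problems.append("shorter than 12 characters")
        if problems:
            findings.append(Finding(site, problems))
    return findings


def generate_password(length=20):
    """Fresh random password from the OS CSPRNG (the secrets module, never
    random), retried until all four character classes are present."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(_classes(pw)):
            return pw


def rotate(credentials, personal_info=()):
    """Replace every flagged password with a new unique one. Returns the
    updated mapping and the findings that triggered each replacement."""
    findings = audit(credentials, personal_info)
    updated = dict(credentials)
    for finding in findings:
        updated[finding.site] = generate_password()
    return updated, findings


if __name__ == "__main__":
    updated, findings = rotate(SAMPLE_VAULT, SAMPLE_PERSONAL_INFO)
    for finding in findings:
        print(f"{finding.site}: {'; '.join(finding.problems)}")
    clean = not audit(updated, SAMPLE_PERSONAL_INFO)
    print("after rotation:", "clean" if clean else "still flagged")
```

On the sample vault the audit flags linkedin and netflix for sharing a password that also contains the birth year, and amazon for using a common password; the bank entry passes and is left untouched by the rotation. The generator uses `secrets` rather than `random` because the latter is not a cryptographic source and must never be used for passwords.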
Passwords suck, as does the task of remembering dozens of unique ones, so a password manager can simplify the process. Tools like LastPass, Dashlane, and 1Password keep your passwords in the cloud and require you to memorize just one master password; the vault is encrypted with that master password before it leaves your device, which is why the master password must itself be strong and unique. If you don't trust the cloud (an understandable fear, as LastPass experienced a hack last year), you can choose a local password storage solution like RoboForm, Password Safe, or KeePass.
The final step is to enable two-factor authentication at every opportunity. This requires a second verification method beyond a password, often a short code sent to a device associated with you or generated by an authenticator app on your phone, to confirm the identity of the person logging in. A password leaked in a breach is then not enough on its own to get into the account.
Many services offer a form of two-factor authentication—including Google, Twitter, Facebook, and Apple—that can be activated from within your account's security settings. TwoFactorAuth.org offers a searchable list of services that support the extra layer of account protection.
A screenshot of the email from Netflix and the full text of the email from Amazon prompting users to change their passwords can be found below:
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.
You will need to reset your password when you return to the Amazon.com site. To reset your password, click "Your Account" at the top of any page on Amazon.com. On the Sign In page, click the "Forgot your password?" link to reach the Amazon.com Password Assistance page. After you enter your email or mobile phone number, you will receive an email containing a personalized link. Click the link from the email and follow the directions provided.
Your new password will be effective immediately. We recommend that you choose a password that you have never used with any website.
You can also enable Amazon's Two-Step Verification, a feature that adds an extra layer of security to your account. In addition to entering your password, Two-Step Verification requires you to enter a unique security code during sign in. To learn more about Two-Step Verification, go to Amazon.com Help, go to Managing Your Account, and click More in Managing Your Account, and then click More under Account Settings.