Remember about four months ago when Amazon was resetting account passwords for some users in the US and UK?
They've started doing it again. Over the weekend a member of MobileRead Forums reported that they received this email from Amazon:
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. For your security, we have assigned a temporary password to your account.
You will need to reset your password when you return to the Amazon.com site. To reset your password, click "Your Account" at the top of any page on Amazon.com. On the Sign In page, click the "Forgot your password?" link to reach the Amazon.com Password Assistance page. After you enter your email or mobile phone number, you will receive an email containing a personalized link. Click the link from the email and follow the directions provided.
Your new password will be effective immediately. We recommend that you choose a password that you have never used with any website.
That email is similar to the one Amazon sent back in November 2015, and in fact similar emails date back as far as June 2011. I found a copy of that earlier email in a four-month-old Reddit thread, and both emails say basically the same thing.
It's not clear whether Amazon found another security issue, whether the same one cropped up again, whether Amazon is simply recycling the email text whenever they want you to reset your password, or whether some scammer copied that earlier email for a new phishing attempt.
In any case, if you get one of these emails you should take it seriously, and follow the appropriate steps:
- Do not respond to the email, and do not click any links in the email.
- Instead, open a new browser tab and visit Amazon.com to reset your password.
Scammers sometimes use this type of email to trick the unwary into handing over their login info, which is why you shouldn't respond to the email or click any link in it.
In fact, that's exactly what might be happening here. This email was reportedly sent to an address not associated with an Amazon account, which suggests that this email did not come from Amazon.
But the email did not have any outbound links, so it's not clear what a scammer would gain.
I haven't gotten the email, so I can't comment firsthand, but if I had, I would indeed take the steps to change my password from "Passw0rd" to "Pa55w0rd".
Better safe than sorry.
image by christiaan_008