20 comments

[ 0.24 ms ] story [ 55.3 ms ] thread
If this is true Amazon should force everyone to reset their passwords next time they visit the site
Forcing password reset on all Amazon customers will cost them $10s of millions, possibly more. If I were them I'd consider every possible alternative before doing that.
Any alternative is kind of an FU to customers IMO, but I get it.
(comment deleted)
The source post is from the 24th, am I wrong to be skeptical of the true severity of this?
> Until the scope of the problem is clear, you should also consider flushing your credentials on any AWS root or IAM accounts

Amazon and AWS auth was finally split late last year I think?

Which is weird, because now I have a vestigial Amazon account split from what was an account only used for AWS. I went to delete it on the Amazon side and it's like "you'll lose access to AWS!" and I don't know if that's real or they just didn't update the copy yet.
Probably just old wording? I didn't follow it that closely but I remember it being mentioned here that it had been a long-standing bit of tech debt that they were finally dealing with it, and I thought it was meant to be a clean cut.
If it was serious then Amazon would have a massive obligation to be issuing this advice.
Of course no vendor ever reneged/delayed on the obligation in order avoid disclosing anything until it's fixed.
First posted here, and correctly flagged because it's garbage.

https://news.ycombinator.com/item?id=35710854

also linked here https://news.ycombinator.com/item?id=35710854 also flagged.

Why is this garbage?
Because it's sensationalist fearmongering from a source with no particular credibility. There's no details on what the vulnerability is, where it is, or even what the risk of not clearing all the credentials is. Nothing in the original Mastodon thread suggests any actual competence on part of the reporter, a bunch of things suggest a lack of competence.

If there was a real and urgent issue, Amazon I expect would have had to make a statement by now or risk regulatory action. (E.g. the GDPR requires public disclosure of data breaches within 72 hours). They haven't done so.

Right now this is indistinguishable from some random dude complaining about a minor bug to Amazon, feeling Amazon is dismissing him, and hyping up the issue to try to put pressure on them.

It's not the case here, but I'd like to caution everyone that "your XYZ account was compromised, click here to change the password immediately!!" is a very common type of phishing attack. It's best to do your own due diligence and otherwise rely on official communication over random blog posts.
I got a strange ״change your password” message when I logged into my AWS root account yesterday.
(comment deleted)