Forcing password reset on all Amazon customers will cost them $10s of millions, possibly more. If I were them I'd consider every possible alternative before doing that.
Which is weird, because now I have a vestigial Amazon account split from what was an account only used for AWS. I went to delete it on the Amazon side and it's like "you'll lose access to AWS!" and I don't know if that's real or they just didn't update the copy yet.
Probably just old wording? I didn't follow it that closely but I remember it being mentioned here that it had been a long-standing bit of tech debt that they were finally dealing with it, and I thought it was meant to be a clean cut.
Because it's sensationalist fearmongering from a source with no particular credibility. There's no details on what the vulnerability is, where it is, or even what the risk of not clearing all the credentials is. Nothing in the original Mastodon thread suggests any actual competence on part of the reporter, a bunch of things suggest a lack of competence.
If there was a real and urgent issue, Amazon I expect would have had to make a statement by now or risk regulatory action. (E.g. the GDPR requires public disclosure of data breaches within 72 hours). They haven't done so.
Right now this is indistinguishable from some random dude complaining about a minor bug to Amazon, feeling Amazon is dismissing him, and hyping up the issue to try to put pressure on them.
It's not the case here, but I'd like to caution everyone that "your XYZ account was compromised, click here to change the password immediately!!" is a very common type of phishing attack. It's best to do your own due diligence and otherwise rely on official communication over random blog posts.
20 comments
[ 0.24 ms ] story [ 55.3 ms ] threadhttps://www.cnbc.com/2023/04/27/amazon-amzn-q1-earnings-repo...
Amazon and AWS auth was finally split late last year I think?
https://news.ycombinator.com/item?id=35710854
also linked here https://news.ycombinator.com/item?id=35710854 also flagged.
If there was a real and urgent issue, Amazon I expect would have had to make a statement by now or risk regulatory action. (E.g. the GDPR requires public disclosure of data breaches within 72 hours). They haven't done so.
Right now this is indistinguishable from some random dude complaining about a minor bug to Amazon, feeling Amazon is dismissing him, and hyping up the issue to try to put pressure on them.