Flush your Amazon credentials now

Italian translation available here.

There is a well-credentialed security researcher who is going around telling people that they need to change their Amazon passwords, reset auth tokens, and sign out of all Amazon devices right now. He has apparently discovered that Amazon has been doing something really bad that puts everyone at risk, but he can't disclose exactly what it is yet while he discusses the issue with Amazon.

Your Amazon account is a high-value target. It is a good idea to follow this advice now, rather than wait for official confirmation that there is a problem.

This guide to flushing your Amazon account credentials is for non-technical users in America. However, the same steps should work on other regional Amazon sites such as Amazon Japan, Amazon UK, Amazon Germany, and so on. More advanced users may need to take slightly different steps, but they probably don't need this guide. Read on:

  1. Decide on a new password for your Amazon account.
    • This password must not be used anywhere else except for your Amazon account. You should never use the same password for more than one account: if you reuse a password across multiple websites and it is stolen from one of them, it can be used to log in to the others. This is called "credential stuffing" and is extremely common.
    • The new password must be strong, which means that it should be long -- at a guess, more than 16 characters -- and should also be entirely random.
    • Keep the new password safe somewhere, for instance, by writing it down by hand. Better yet, use a password manager like 1Password to generate strong passwords and remember them for you.
    • If you can remember the password, it's not strong enough. The only password you should be memorizing is the one for your password manager.
  2. Go to the "Your Account" page.
  3. Click on "Login & Security." You will probably be prompted to enter your current password.
  4. Go down to where it says "Compromised account?" and click "Start." Go through the steps and make sure to force a logout of all other devices. Reset your password.
  5. After you're finished with this, go back to "Login & Security" and look for the "2-step verification" section.
    • If you are using a phone number for 2-step verification, you can leave the settings as they are.
    • If you are using an Authenticator App to handle 2-step verification, you will need to disable 2-step verification, making sure to delete your current methods when prompted, then re-enable 2-step verification.
    • If you're using a hardware token, you are probably already well-informed enough that you don't need this guide anyway.
    • On the other hand, if you don't have 2-step verification enabled at all, you need to enable it. You should always enable 2-step verification (or "two-factor authentication (2FA)," as it's usually called outside of Amazon) on every site you use that supports it.
  6. Since you forced a logout in step 4, you're going to have to log back in to your Kindles, your Kindle apps, your Echo devices, etc. using your new password.
  7. If you have multiple Amazon accounts in different countries, you will need to repeat this process for each of them.
    • You should use a different password for each Amazon account.
    • Until the scope of the problem is clear, you should also consider flushing your credentials on any AWS root or IAM accounts you may have; however, the process for managing those accounts is different from what is described here. If you don't know what this means, you don't need to worry about it.

This post was edited on 2023-04-27 to clarify that these instructions should also work on non-American Amazon sites.

This post was edited on 2023-05-04 to add an Italian translation.