Anyone getting emails from amazon saying, "your password has been reset"

[desura]

Something about there being a list floating around on the internet with a list of several usernames/passwords.

 

[z1ggy]

Nope just checked email.

 

[DaveSimmons]

Could be a phishing email.

 

[smackababy]

If you received that email, why wouldn't you just go to Amazon.com and check and see? If it wasn't actually reset, delete the email. If it was, call Amazon immediately!

 

[pwtzz]

Got it a few days ago. Most likely phish but changed my password in official amazon.com website anyway.

 

[jlee]

Nope.

 

[Imp]

Nope.

But I've been getting them from Facebook and Apple. I've replied back to all of them with my social security number and credit card number.

Oh, and they really want me to have a bigger penis.

 

[PokerGuy]

Surely it's legit. Better give them your login credentials as well as social security, date of birth and credit card info to be sure they can verify your information and prevent your account from getting hacked

 

[amddude]

It *is* legit, it just means your passwords were part of that leak a while back. Go to amazon.com, reset your password, move on with life.

 

[videogames101]

yeah, looks legit, all it asks you to do is go to amazon and change your password, no links involved - would be a pretty complex phishing scam if it is one

 

[Virge_]

yeah, looks legit, all it asks you to do is go to amazon and change your password, no links involved - would be a pretty complex phishing scam if it is one

Not at all. The e-mail I got was to an old e-mail address, specifically one no longer associated with my Amazon account - however it was an old e-mail address I verified was contained in the Russian leak a week or so back.

The e-mail contains no links, and instead instructs you VERY specifically to go to Amazon.com, and click the "I forgot my password" link on the website. Note that it never asks you to log in and change your password, which is what an actual official Amazon.com e-mail would do.

Basically, this is a targeted e-mail to ALL users who's username/password was released on the Russian leak, in the hopes that users who's e-mail and passwords have been compromised would go to Amazon.com, click the "forgot password" link, and then the link itself would be intercepted by the attacker and they would reset your password and log in with the new one they create and purchase goods/etc.

Odds are very low they will get anyone with this, but it's still a pretty admirable attempt at some social engineering.

Pretty easy to validate this since the e-mail I got very specifically said my password was disabled and that I needed to hit the "I forgot my password" link, but instead I just went to Amazon.com and logged in with my actual username and password and it still worked fine. The e-mail address they e-mailed me on was also an old e-mail address, almost 7 years unused, and I updated the e-mail address on Amazon about 3 years ago.

It's a very interesting and complicated phish, but I doubt they will nail many people with it.

 

[Bateluer]

I get phish emails for my Amazon creds every other day. :/

 

[RossMAN]

Nope, no e-mail.

 

[Ichinisan]

Got one that was a definitely a phish. Gmail put it in the Spam folder. Plenty of obvious signs even before viewing source.