I’ve had to change a lot of passwords in the last two weeks.
I had a Macbook stolen one weekend and then this weekend my login data was among the 1.3 million usernames and passwords compromised when hackers broke into Gawker Media’s servers and stole everything they could get their hands on. The hackers were able to access and download user data, CMS source code, and more from the servers and then posted it to torrent sites for anyone to download. If you’ve ever commented on any of Gawker’s hugely popular sites such as Gizmodo, Lifehacker, or Deadspin your credentials are most likely in there. (Find out for sure using Slate’s checker.) This is a huge security breach and could impact Gawker Media’s industry dominance as they must work to regain the trust of their readers and commenters.
Meanwhile, a few other companies are taking this opportunity to not only protect their customers’ accounts, but also demonstrate that they’re concerned about data security and grab some positive PR as well. Companies such as LinkedIn and Amazon have mined the stolen Gawker data for email addresses matching their customer accounts and automatically reset their passwords. This proactive step not only protected customers but will also reduce a lot of upcoming customer service hours needed to handle and fix hacked accounts or return fake orders. It also prevents customers unaware of the incident with Gawker from misplacing blame if their accounts were compromised.
An excerpt from the email Amazon sent to affected accounts:
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Amazon.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Amazon account.
Also within the email Amazon clearly stated that security was important to them, that no security breach occurred on their site, and then gave instructions for resetting your password. Both Amazon and LinkedIn included a recommendation on general password security and encouraged users to choose a password that they are not using on any other site, which is of course much more secure than using 123456, password, or any of the other other top 50 passwords revealed in the data leak.
If you deal with customer data on the Web, maintaining customer confidence in the security of that data is critical. Transparency and quick actions such as the ones taken by Amazon and LinkedIn go a long way in maintaining that confidence even when a negative situation occurs.