I just got either a helpful security update from Amazon or an advanced phishing attempt by an Amazon impersonator falsifying the email origin. The title is "Your Amazon password has been changed".
There seem to be mixed claims about the validity of this online. One of the articles I'll cite mentions that in his version of this email, each mention of "Amazon.com" is formatted as a link. The article doesn't mention verifying the target of the link and unfortunately (or fortunately) my email client (Yahoo Mail) seems to have removed this link from the text, perhaps to combat such phishing attempts.
I'm not worried about being in danger myself, but I thought it would be good to create this question for people searching Google about this email today to learn about the validity of it or lack thereof.
The email reads:
Hello,
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.
You will need to reset your password when you return to the Amazon.com site. To reset your password, click "Your Account" at the top of any page on Amazon.com. On the Sign In page, click the "Forgot your password?" link to reach the Amazon.com Password Assistance page. After you enter your email or mobile phone number, you will receive an email containing a personalized link. Click the link from the email and follow the directions provided.
Your new password will be effective immediately. We recommend that you choose a password that you have never used with any website.
You can also enable Amazon's Two-Step Verification, a feature that adds an extra layer of security to your account. In addition to entering your password, Two-Step Verification requires you to enter a unique security code during sign in. To learn more about Two-Step Verification, go to Amazon.com Help, go to Managing Your Account, and click More in Managing Your Account, and then click More under Account Settings.
Sincerely,
Amazon.com http://www.amazon.com
This e-mail was sent from an address that cannot accept incoming e-mail. To contact us, please visit the Help section of our website.
A quick Google search of the first paragraph returns one article claiming the email is a valid security measure from Amazon, while the other claims it to be a phishing scam. Which is it?
One comment reports they contacted Amazon about the email and received this response:
Hello,
The e-mail/SMS message you received wasn't from Amazon.com. For your protection, do not respond to it, and do not open any attachments or click any links it contains.
We recommend that you send a new e-mail/SMS message and attach the e-mail/screenshot of the message you suspect is a fake, then send the e-mail to stop-spoofing@amazon.com.
However another comment claims:
My wife got this email also. I contacted Amazon through my account and we were able to confirm that this was indeed really from Amazon and that they did scramble passwords.