
Thread: Warning to reset Amazon account details ahead of possible ethical disclosure

  1. #1
    Output (HEXUS.Squirrel)

    Warning to reset Amazon account details ahead of possible ethical disclosure

    I can't say I've ever heard of Dick Morrell before myself (though his profile states he is "Ex RedHat, co-founder SmoothWall, Ex director Cloud Security Alliance, Ex CTO Gartner Group"), but he is warning everyone to sign out of all devices (including Echos) and reset passwords, as well as deleting 2FA and its tokens and remaking them afterwards.

    The quickest way is using the 'Account Compromised' settings in the 'Login & Security' section. No idea if that bit handles the 2FA part too, as I disabled and removed that first before using it.

    https://sackheads.social/@Cloudguy/110256209708866473

    A couple of later posts give the impression that it's the devices in particular that are the reason for the warning, but I could be misinterpreting an overall rant on Amazon security (or possible lack thereof) as that, rather than it being as specific as I think.

    https://sackheads.social/@Cloudguy/110256237666529640

    https://sackheads.social/@Cloudguy/110256340277871563
    Last edited by Output; 25-04-2023 at 04:56 AM. Reason: Added a couple of later post links.


  3. #2
    AGTDenton (Senior Member, Bracknell)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Exactly the reason I don't own any IoT or 'smart' home devices. I'm guessing an official press release will be announced in due course from somewhere.

  4. #3
    [GSV]Trig (Senior Member)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Walks into the room, takes off jacket, makes a cuppa, grabs popcorn, waits for Saracen to arrive


  6. #4
    ik9000

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    When he says sign out of devices, does this have to be done on a device-by-device basis, or is it supposed to be done by logging in to the account online and changing something there?

    He wants average users to follow his advice but then gives no clear instructions for average users to follow.

    Who is this guy anyway? Why is he so important to listen to?


  8. #5
    [GSV]Trig (Senior Member)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Told Amazon to log out of all devices, reset password, reset 2FA, and got a message from the missus wanting to know WTF was going on, lol.

    She works from home.


  10. #6
    Saracen999 (Senior Member)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Quote Originally Posted by [GSV]Trig:
    Walks into the room, takes off jacket, makes a cuppa, grabs popcorn, waits for Saracen to arrive

    What? No toasted marshmallows?


    Quote Originally Posted by ik9000:
    When he says sign out of devices does this have to be done on a device by device basis or is it supposed to be done by logging in to the account online and changing something there?

    He wants average users to follow his advice but then gives no clear instructions for average users to follow.

    Who is this guy anyway? Why is he so important to listen to?

    Good questions.

    I trust Output to not be a nervous Nelly and to have at least some reason to suspect this is serious. If I didn't, then because I know nothing of sackheads I'd be .... sceptical. I still am, to a point.

    BUT .... not liking the way his 'hints' are suggesting this is going.

    AND .... if this Dick Morrell does know something, then not acting could have serious repercussions.

    I'm kinda in a mindset of balancing "consequences of acting" v "consequences of ignoring it" multiplied by probability of warning being real. It's the last part that is being a rear-end pain.

    For the record, I've always known "smart" devices were a risk, and possibly a risk too far. They do have convenience, though. I do have mine on a segmented section of network, for what it's worth.
    Last edited by Saracen999; 26-04-2023 at 12:39 PM. Reason: Tpyo
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memorium, "Onwards and Upwards".

  11. #7
    AGTDenton (Senior Member, Bracknell)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Quote Originally Posted by ik9000:
    When he says sign out of devices does this have to be done on a device by device basis or is it supposed to be done by logging in to the account online and changing something there?

    He wants average users to follow his advice but then gives no clear instructions for average users to follow.

    Who is this guy anyway? Why is he so important to listen to?

    You should be able to log out of everything here:
    https://www.amazon.co.uk/gp/mas/your...ps/yourdevices

    and here
    https://www.amazon.co.uk/hz/mycd/dig...ole/alldevices


    Don't forget to delete all voice recordings as well...

    P.S. I asked ChatGPT, but the only recent Amazon breaches it knew of were in 2021 regarding Twitch and in 2022 regarding Amazon Web Services (AWS).
    Last edited by AGTDenton; 25-04-2023 at 11:50 AM.


  13. #8
    ik9000

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    How do I delete voice recordings from the website?

  14. #9
    Jonj1611 (Super Moderator)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    I am still unclear as to what the threat is.
    Jon

  15. #10
    Saracen999 (Senior Member)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Quote Originally Posted by ik9000:
    how do i delete voice recordings from website?

    There seem to be several ways.

    1) Tell Alexa "Delete All Voice Recordings". It'll ask for confirmation, then allegedly do it. I've never been quite sure if that does it for THAT device, or all devices.

    IIRC, you have to go into the Alexa app on your phone FIRST, and enable deleting voice recordings by device voice command. I think it's under privacy settings.


    2) In the app on your phone, there's an option in there, too. I think under Privacy settings again, says something like Edit Device History. Haven't got the phone to hand right now to check. You can review the stored commands, and delete some or all, as well as setting default storage time.


    3) In your account, via a browser, go to "Accounts and Lists".

    In the header bar, there are four tabs :- Content, Devices, Preferences and Privacy Settings. Select Devices.

    Then pick a device that has a voice recording/control capability (Echo do, Kindle (or my version anyway) don't). In the Device Summary, you'll see two buttons :- Deregister device, and Delete Voice Recordings.

    That certainly seems to require you to do it device by device.

    4) Earlier, I saw a "Delete all voice recordings" for all devices. I think it was in the "Login and Security" section (in "Accounts and Lists"), where that "Compromised Account" option is. Not sure though.
    Last edited by Saracen999; 26-04-2023 at 12:43 PM. Reason: Tpyo's

  17. #11
    Saracen999 (Senior Member)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Quote Originally Posted by Jonj1611:
    I am still unclear what the threat is?

    Reading between the lines, Amazon have done something truly moronic in their device security settings which seems to expose user credentials via device connection, presumably letting someone breach your account. I assume that's why they suggest changing account password (I've done that, it was due anyway), resetting 2FA (I use Yubikey which apparently isn't affected), and removing and re-adding devices.

    Again, merely inference by me, but something's probably been compromised, like wifi security/passwords, hence the focus on DEVICES.

    As far as I know, the bloke that issued the warning hasn't yet (that I've seen) stated quite what the issue is. I'm guessing, from what he says to do.

  18. #12
    Jonj1611 (Super Moderator)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Ok thank you. Well he seemed awfully angry about it whatever it was.
    Jon

  19. #13
    AGTDenton (Senior Member, Bracknell)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    As I understand it, there is a level of etiquette with security breaches: the company that's had the breach is granted time to sort out the problem before it's made public.
    Otherwise, if details of the breach are released before the company has had time to address it, it creates a lot of panic, confusion & anger.
    Also, in certain cases the breach can be far-reaching, affecting 3rd parties that also need to play a part in fixing it.

    Of course this is only if a reputable security company/expert has identified the problem. Which in this case looks like Dick Morrell or someone he knows in the industry has, but rather than tell us what it is just yet, he's decided to tell us to be proactive and suspect what he's telling us to do manually fixes the problem. I suspect right now Amazon is working very hard on fixing the issue and we'll know about it within a month or so.

    In a previous case I vaguely recall, and suspect it was Microsoft, they were given 90 days to sort a particular security flaw before the person who found whatever it was, was going to go public.

    Quote Originally Posted by ik9000:
    how do i delete voice recordings from website?

    On the pages mentioned, I had two buttons on some devices, 'Delist' and 'Delete Voice Recordings'.
    So I deleted the recordings before delisting. This includes Phones & TVs, and according to The Sun, Alexa is always listening...
    Last edited by AGTDenton; 25-04-2023 at 04:51 PM.

  20. #14
    Output (HEXUS.Squirrel)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    Quote Originally Posted by ik9000:
    When he says sign out of devices does this have to be done on a device by device basis or is it supposed to be done by logging in to the account online and changing something there?

    He wants average users to follow his advice but then gives no clear instructions for average users to follow.

    As I said, the quickest way to achieve that seems to be using the 'Account Compromised' option in the Login & Security section of 'Your Account'.

    Quote Originally Posted by ik9000:
    Who is this guy anyway? Why is he so important to listen to?

    As I said, I wasn't familiar with him myself, but if his profile and what he says in his post is true, he supposedly has the experience and trust of many to know what he's talking about.

    A lot of the infosec community is said to have migrated from Twitter to the Fediverse, with many being on the infosec.exchange Mastodon instance, but as people can choose whatever instances (whether Mastodon-based or not) they like, that could mean choosing one of the bigger ones (such as the main Mastodon-developer owned & run mastodon.social and mastodon.online), being on a small instance a friend of theirs might own & run for example (the sackheads.social instance only has 9 active users according to the sidebar itself), or even setting up their own instance (even the EU has their own official instance at social.network.europa.eu, for example).

    The closest there is to verification of people on the Fediverse (or at least Mastodon instances as I'm unaware as to how the other Fediverse software may or may not do it) is a link to a website (in a profile field, rather than just stated in the bio) that is reflected on their actual sites, which is obviously even more important for more well-known people (Stephen Fry for example is officially on mastodonapp.uk/@StephenFry as it shows that his own site reflects that with a link to it and the Mastodon instance detects that reciprocal link and shows the link is verified), but doing that verification isn't actually required (just recommended, which is why George Takei - at universeodon.com/@georgetakei - doesn't show as verified but is known to be him due to him linking to it in a Twitter post).

    Although that doesn't apply in Dick Morrell's case anyway (the tick in the actual name doesn't really mean anything, it's possible to put various things, including more Twitter-like verification icons, like that in the name area anyway) for those of us who have never heard of him.

    My point is however, knowing that much of the infosec community is said to have migrated over, and then seeing that first post by browsing https://mastodon.social/explore, where it showed his post was Boosted (akin to Twitter's ReTweeting) enough times to have shown up there (currently at 643 boosts and 389 favourites, although unlike Twitter nobody else other than the user themselves and the person whose posts were favourited get actual notification of the latter) certainly made it seem likely to me that there could be some legitimacy to the warning.

    At the same time, I also thought that even if it turned out to be a false alarm, it was at least better safe than sorry and that as such it's best to pass on that warning.

    I was actually surprised when I went through the 'Account Compromised' process that my account showed me as signed in to 30 devices, which made no particular sense to me as I don't even have anything near that number (and I don't own any Amazon devices either), but which I can only assume was from mostly long-ago unused versions of applications or mobile app/web browser logins that I would have thought would have been automatically cleared by their systems by now.

    EDIT: He seems to have made some more recent posts to back up his expertise (partial quote after the links, the posts linked to contain their own links to other sources).

    https://sackheads.social/@Cloudguy/110260763217539253 "Tesla spent $2.6bn dollars and took 135,000 cars off the road when I found a hole in their platforms."

    https://sackheads.social/@Cloudguy/110260851407996226 "Well the last company I founded in the Infosec arena in my back bedroom sold for $100m cash ... Here's me and Mikko from F-Secure putting the world to rights..."
    Last edited by Output; 26-04-2023 at 01:13 AM. Reason: Clarified the verification process I'm aware of being for Mastodon instances, no idea if other Fediverse software does same.


  22. #15
    CAT-THE-FIFTH (Moosing about!)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    So is this all Amazon accounts or those connected to an Amazon Echo? So if your account is not connected to an Echo is it fine?
    Does it include accounts that are not connected to an Echo but are connected to the Amazon app on your phone?

  23. #16
    CAT-THE-FIFTH (Moosing about!)

    Re: Warning to reset Amazon account details ahead of possible ethical disclosure

    https://sackheads.social/@Cloudguy/110258325673636744

    And here's why the Amazon Echo / Alexa ecosystem is broken

    RFCs.

    In the rest of tech land we have RFCs for SMTP for IMAP for every protocol and packet we use, we think about routing if it's BGP, or signing certificates if it's SSL.

    When you are managing a walled garden of a myriad of devices many from vendors who you simply allow to connect to an API as a trusted token or device it becomes so so so much harder to do.

    And the solution isn't easy, it becomes one of enforced housekeeping.
    https://sackheads.social/@Cloudguy/110256384409075973

    If you are divorcing or leaving an abusive relationship or even a flatshare, and have Amazon devices (can't speak for Google) reset all your accounts and deregister everything.

    Start from scratch. New router or SSID, if you run Windows rebuild it or use Linux or a Mac.

    Deprovision and regen software keys or Auth tokens and think about your housekeeping.

    Start afresh, think sanctity over sanity.

    You will thank me, you get one reputation.
    https://sackheads.social/@Cloudguy/110256340277871563

    Companies who send secure confidential information that includes enough research data to have anyone within 400m of your home, or a bad person, to own you, for the sake of automation and being able to have lots of smart speakers....

    If you work in Silo mentality based organisations and are fixated on numbers and user experience, not security, then I can't have you in my home.

    Am so so so angry it's untrue.

    For the sake of good product companies create little gated communities of disparate folk
    Example in 2018 you may have had an Android or iPhone and you installed Alexa client on it, Audible and Kindle and Amazon Shopping app. It broke, you put it in a drawer or worse you reset it and sold it.

    Amazon doesn't know you still don't own it and even though you have reset your account password did you remember to purge your Amazon account entirely? No of course you didn't.

    Amazon still keep sending notifications to the devices which never arrive. There is no way, today, to sort this.

    He wants people to get a new router? Surely just unplug the Echo, delete any data and change the password?
