A well-known security expert advises users to sign out of their Amazon devices and reset their authorization keys.
Dick Morrell, known as “Cloudguy,” has significant tech and security credentials. He formerly worked at Red Hat, co-founded SmoothWall, was the director of Cloud Security Alliance, and was the CTO of Gartner Group. As a result, when Morrell gives a dire security warning, users ignore him at their peril.
Posting to Mastodon, Morrell says users should sign out of all their Amazon devices:
For those who trust me:
Go to your Amazon account, sign out of all your devices, everything, everywhere all your Echos (yes I know it’s a pain), reset your password, delete 2FA and any tokens and reset them. Now.
That doesn’t include Fido / Yubikeys but does include Auth tokens.
Do it now.
As much a pain as it is to reset Echo and all smart devices, trust me, please do it.
I can’t tell you more yet, but I am being ethical and you need to actually realise I have a clue.
It’s been a scary day
Despite being pressed by other users to elaborate, Morrell refused to give much more detail, indicating it would be irresponsible to do so. The only other detail he gave indicated that whatever security issue he found was the result of ‘a retail company pretending to understand security.’
Am being ethical and responsible.
Anyone who knows me knows how seriously I take security. I had to wade through 2Gb plus of event data and JSON files today. What I found is a siloed retail company pretending to understand end user security
As much a pain as it may seem to go to your Amazon security settings and sign out of all devices
Yes it’s a pain. Yet it’s a ball ache. Remake your 2FA Auth tokens and when I can go public we will just laugh nervously
We will be monitoring this story and updating it as more information becomes available. In the meantime, it’s probably a good idea to do as Morrell says.