Amazon Account Hacked

[SumDay]

Last week I tried to sign on to my Amazon account and it didn't recognize my email address. Long story short, I called customer service and someone had taken over my account.

The strange part is they changed the name and address to theirs, and used THEIR credit card, and were going to have all my auto-ship (Subscribe & Save) items shipped to them, and paid for by them. They placed no other orders. WTH?

When I was on the phone with Amazon Support as they walked me through returning everything to the way it was, I could see this person's email, physical address, phone # and credit card info! What's the point of hacking my account to only have MY stuff shipped to them, and billed to their acocunt?

I called the police department in her town (I found her on Facebook!) and lo & behold - they were "acquainted" with her. I sent them screenshots of all the info I found on her in my Amazon account.

My account is mine again, and I now have multi-factor authentication enabled, so I get a text whenever I sign in, with a code. I have all so installed Google Authenticator on my phone as an extra step.

I'm out nothing except a few days of frustration and some piece of mind. I'm changing passwords, and getting a new email address for more sensitive accounts. All my banking and investing seems to be safe, for now. I download everything from Quicken everyday, so I'm always keeping an eye on all of it - for just this reason!

Edited to add: Our credit has been frozen for years...

 

[MissMolly]

Some people are just idiots You would think if the authorities are "familiar" with her that she would have planned this out better. I guess if you are going to be hacked, you got lucky that it was done by an idiot than someone who knew what they were doing. Sorry this happened. I wish there was a fool-proof method to prevent this, but sadly there is not.

 

[zinger1457]

Something doesn't sound right, Amazon should have sent you a notification to your old email address when an attempt was made to change it.

 

[SumDay]

Something doesn't sound right, Amazon should have sent you a notification to your old email address when an attempt was made to change it.

They did - left that part out. It was included in the "long story short"...

 

[CaptTom]

Somehow Amazon signed me up for Prime - even though I already had Prime through my wife's account.

They couldn't explain how it happened. I just buy stuff; no video, music or any other "premium" Prime offerings. One Amazon phone support person suggested it had something to do with signing on to Roku (I never did) while another suggested maybe I clicked on the wrong thing on the Amazon site (I never do anything buy products.)

I don't see how it could benefit a hacker to sign me up for something I already had, so I don't think it's that. It's interesting that I didn't get any kind of confirmation, although among the usual spam from them, there was one "Welcome to Prime" e-mail which I'd ignored, since I was already a long-time prime member.

The only real fact I have is that Amazon's own staff admits it's possible to sign up for something you don't want or need without knowing it, and without any confirmation.

That's good to know.

It's also interesting that they were able to remove my Prime membership, and my wife could re-add me as a "household" Prime member, without impacting my order history, saved items, etc. In fact, I would never have seen any change if I hadn't noticed the extra credit card charge for the membership.

 

[GrayHare]

They did - left that part out. It was included in the "long story short"...

Do you know how the hacker accomplished it? Was your password weak? If it was a strong password you might have a virus or similar on your device(s) that is leaking your info, including passwords.

 

[SumDay]

Do you know how the hacker accomplished it? Was your password weak? If it was a strong password you might have a virus or similar on your device(s) that is leaking your info, including passwords.

No clue. My virus protection says all is well. I have her phone number. Maybe I'll call & ask her. lol

 

[Beach Gal]

This happened to me too. My Amazon account was hacked. The only way I was alerted is the hacker was returning legitimate purchases I had made. Amazon sent me an email each time my refund was processed. The refunds were put on a giftcard the hacker used to make Amazon purchases. My credit card was never affected. I believe the hacker got my email and password information from the Yahoo email data breach.

 

[SumDay]

This happened to me too. My Amazon account was hacked. The only way I was alerted is the hacker was returning legitimate purchases I had made. Amazon sent me an email each time my refund was processed. The refunds were put on a giftcard the hacker used to make Amazon purchases. My credit card was never affected. I believe the hacker got my email and password information from the Yahoo email data breach.

Which reminds me, in my research on this topic, I discovered this website: https://haveibeenpwned.com/

It tells you if your email address has been breached and if it was "pasted" anywhere (which would give hackers easy access to a list of all the emails.

Read more about this here: https://www.digitaltrends.com/computing/best-websites-for-finding-out-if-youve-been-hacked/

 

[cbo111]

I have absolutely no hard data to back up this claim, but I believe more scams and thefts have occurred since the birth of the internet than in the entire previous history of mankind.

 

[CaptTom]

I have absolutely no hard data to back up this claim, but I believe more scams and thefts have occurred since the birth of the internet than in the entire previous history of mankind.

Maybe. But I do know that 78.4% of all statistics you read on the internet are made up.

 

[Beach Gal]

Thank you Sumday for the links. Great way to see if your email address and passwords have been compromised before your accounts get hacked.

 

[Chuckanut]

The OP's story almost sounds like the data base that hold the customer's account information or the software that accesses it got messed up and somehow showed another person's info when displaying his account. Having worked in IT I know that these things can and will happen.

 

[Scrapr]

I had a hack on Amazon as well. A Kindle died. Would not charge or turn on. We can't put them in the garbage so I dropped off at the local e cycle. A few months later I would get a small charge for a movie or something. I would dispute it & go on. A bit later I get a credit card charge 2x's for I phones. $$$ I go to my Amazon account and don't see anything. Then I look in a different folder called archive and there they are. I disputed with Amazon and they start investigating. I typically don't open my CC statement until the due date. So only 30 days or so until the CC dispute rights run out. Amazon was slow in getting a refund so i disputed with the CC.

I should have done a lot more before the big charges. But amazon was not very helpful either.

 

[easysurfer]

Yes, go with 2FA for sure on Amazon.

Should have asked if he hacker made any Amazon reviews on your behalf .

I'm glad that you got things straightened out.

 

[Ian S]

I have not been able to figure out 2 factor authorization for Amazon. No problem with putting my mobile phone number in but then it requires a second authenticator device to which only a text message can be sent! I don't actually have a second device capable of texting although I could use hubby's cell phone when he gets back from caring for his dad. The help says I should be able to opt for a phone call instead of text but when I try only a text OTP is offered. They also offer an authenticator app option whatever the heck that is.

 

[GrayHare]

I download everything from Quicken everyday, so I'm always keeping an eye on all of it - for just this reason!

Keep in mind your info can't be stolen online if it is not online to begin with. Consequently the more often you log in or download personal information the more often that info has the potential to be spied upon.

 

[SecondCor521]

No clue. My virus protection says all is well. I have her phone number. Maybe I'll call & ask her. lol

Call her up and pretend to be Amazon. "Hi, Miss Hacker? This is Natalie from Amazon customer service. We've noticed some anomalies on your account. All you have to do to fix it is mail some gift cards to the following address: (SumDay's address). Thank you so much and have a nice day!"

That would be funny to me, but you probably don't want this person knowing your physical address.

 

[braumeister]

I have not been able to figure out 2 factor authorization for Amazon. No problem with putting my mobile phone number in but then it requires a second authenticator device to which only a text message can be sent! I don't actually have a second device capable of texting although I could use hubby's cell phone when he gets back from caring for his dad. The help says I should be able to opt for a phone call instead of text but when I try only a text OTP is offered. They also offer an authenticator app option whatever the heck that is.

Only the primary phone needs to get SMS messages. The backup phone number can be one that just receives voice calls.

 

[easysurfer]

I have not been able to figure out 2 factor authorization for Amazon. No problem with putting my mobile phone number in but then it requires a second authenticator device to which only a text message can be sent! I don't actually have a second device capable of texting although I could use hubby's cell phone when he gets back from caring for his dad. The help says I should be able to opt for a phone call instead of text but when I try only a text OTP is offered. They also offer an authenticator app option whatever the heck that is.

I use an authenticator app for Amazon. The authentication code gets requested only for an unrecognized device. I avoided using this method of 2FA earlier on. Now I'm a collector with authentication for 10 places and counting .

A youtube discussion on what is an authentication app.

 

[Ian S]

Only the primary phone needs to get SMS messages. The backup phone number can be one that just receives voice calls.

That's my problem, I'm only offered a text message OTP for the second device:

 

[braumeister]

That's my problem, I'm only offered a text message OTP for the second device:

It's possible you're just anticipating things.
That looks like where you put in your mobile number to get the one time code. Once that's set up, you should get another screen to put in your backup number which can be a phone that only takes voice calls.

Try it.

 

[CaptTom]

One problem with two-factor shows up if the second factor is your phone.

If you your phone is lost, stolen or damaged, you're unable to use Amazon (or whatever you've set up two-factor for.)

 

[Ian S]

It's possible you're just anticipating things.
That looks like where you put in your mobile number to get the one time code. Once that's set up, you should get another screen to put in your backup number which can be a phone that only takes voice calls.

Try it.

I put in my landline and it sent a text. No option for a phone call.

 

[audreyh1]

One problem with two-factor shows up if the second factor is your phone.

If you your phone is lost, stolen or damaged, you're unable to use Amazon (or whatever you've set up two-factor for.)

Temporarily. Most people replace their phone quickly with the same number.