I spent a big chunk of the day helping someone who got their Amazon account hacked. They lost a significant chunk of change when a malicious attacker used their account to purchase Amazon gift cards with the debit card saved in my friend’s Amazon account. The attacker then immediately archived the orders so they were not readily visible.

Amazon says they won’t be refunding because it doesn’t appear that there was malicious action on that account. My friend will be escalating.  

It’s still unclear how my friend got hacked; we’re investigating. Two-factor authentication (2FA) is on and my friend is using a complex 20-character password.

Until we figure it out, I have some thoughts about securing your Amazon account that I wanted to share. These recommendations would go for any of your eCommerce logins.

Because Amazon seems to be initially entirely unhelpful in resolving these types of things, the responsibility is in all of our hands to protect ourselves from fraud.

Recommendations for Securing Amazon Account

🔒 Turn on 2FA for your Amazon account (Your Account > Login & Security). Do this now.

💸 Remove any payment methods on your Amazon account that aren’t backed by fraud protection, such as debit cards. On your Amazon account, go to Your Account > Your Payments. Click “edit” then remove the payment method. It makes sense to only have one credit card with good fraud protection on your account. For the best protection, remove all credit card numbers from your Amazon account.

🧐 Double-check the email address you use for Amazon. Make sure you have 2FA on that email account as well. In my research I am seeing reports that a compromised email account is a common vector.

There is an interesting Reddit thread here about this Amazon attack pattern.

🔎 Periodically audit your Amazon account and your email account to look for signs of malicious activity. On Amazon, check for archived orders (under Account > Archived Orders) as this is what happened to my friend.

📧 If you’re using Gmail, periodically go through the security check and look for signs of malicious logins. Scroll to the bottom of your inbox and click “Details” in the small print to look for unfamiliar logins.

🔐 And of course, set up passkeys for your Gmail account. When Amazon offers passkeys, set that up as well.

👩‍💻 Make sure you have some kind of anti-virus protection on your computer. There are stories of people who had 2FA set up on both Gmail and Amazon and still had their account compromised. That can happen if your browser holds a “remember this device” cookie that lets you skip the 2FA prompt and the computer itself is compromised: whoever controls the machine can reuse that trusted session without ever seeing a second factor.

Don’t give up

If Amazon initially pushes back on your fraud incident, push back harder. Reports show that they initially do not respond favorably, but you need to find the right department in order to get some resolution.

Stay vigilant, friends.

My friend is wondering if this is related to the LastPass incident, which is why they reached out to me. Thus far, I don’t have any evidence that this is related to that breach of customer vaults.
