Amazon account hacked

BTB 500

Woke up to a series of emails this morning confirming that my Amazon account had been hacked and used to place an order at around 3AM. The perp had tried to get the vendor to deliver to a different address, which they refused to do. Then changed the email address on the account. Amazon detected something dodgy going on, changed the account password, reversed the email address change and deleted the order.

Called the bank who confirmed the charge against my credit card (only £28!) which they were happy to refund, card cancelled and new one on the way. Old card deleted from Amazon and PayPal and new (different) strong passwords set on both.

So it could have been much worse, but a bit of a pain nonetheless.

How did they do it? My Amazon password was unique (i.e. not used for any other accounts) and I only ever logged in from my home PC (which I've confirmed today is virus and malware free). I've definitely not responded to any phishing emails or similar, and the account is only used by me.

:dk:
 
Could you have entered your login details into a spoof Amazon site at some point?

If you entered details and got a login error and then the site switches to the real Amazon then you might have assumed that you misentered your password.
 
^ this, does anyone else in your family use the same account? Could your other half have clicked on a dodgy email? Do you use the same passwords across multiple sites?
 
Maybe they got lucky? - The £28 was probably just to test whether they'd found a working account, then they got greedy and Amazon noticed and put a stop to it.
 
What did you use to ensure your computer is malware and virus-free?
 
Too much porn :)

Was your password easy to guess and related to your username?

Tbh it's probably fairly easily done these days, you may have just been unlucky
 
Woke up to a series of emails this morning confirming that my Amazon account had been hacked and used to place an order at around 3AM. The perp had tried to get the vendor to deliver to a different address, which they refused to do. Then changed the email address on the account. Amazon detected something dodgy going on, changed the account password, reversed the email address change and deleted the order.

Called the bank who confirmed the charge against my credit card (only £28!) which they were happy to refund, card cancelled and new one on the way. Old card deleted from Amazon and PayPal and new (different) strong passwords set on both.

So it could have been much worse, but a bit of a pain nonetheless.

How did they do it? My Amazon password was unique (i.e. not used for any other accounts) and I only ever logged in from my home PC (which I've confirmed today is virus and malware free). I've definitely not responded to any phishing emails or similar, and the account is only used by me.

:dk:

I was asking the OP about the strength of his old password.

Dec
 
I agree a spoof site is the most likely explanation, but can't see how I'd have ended up on one. It's not like I would ever search for Amazon.co.uk :confused: If I type "am" into my browser (Chrome) it's the first link that comes up, and there are no dodgy ones below it.

As mentioned the password wasn't used for any other sites, and it was never known by anyone else. It wasn't a super-strong string (e.g. including upper and lower case, numbers and special chars.), but it wasn't anything simple and guessable.

I've got the latest version of Win10 Defender which is pretty reasonable, but also did a full scan with Malwarebytes.

Latest twist is that I've now had an email saying the order has been dispatched ... despite there now being no record of it on my account, and the bank refunding me the card payment! What's interesting is that it's a camera mount for a multirotor (drone :rolleyes:), and I do fly those. I've never bought anything for them on Amazon though, and the mount is for a specific model and specific camera and I've never owned (or considered owning) either of them.

To be on the safe side I also changed my email, eBay, PayPal, and Facebook passwords (all to different - strong - values ;)).
 
It's not a wife or significant other buying a gift for you?

Because the PayPal account is in my name, I randomly get emails associated with purchases my wife has made. - Sometimes it's obvious what she's bought, but other times it's just "Yum Cha trading company" so then I need to check that it's genuine with her.

As she's got a Kindle, my wife maintains a separate Amazon account... or I'd probably see all her purchases on there too.
 
The unknown element here is Amazon's own security. I.e., there is always the possibility that the issue is not on your end.

The fraudsters may have exploited an Amazon vulnerability. It's unlikely that Amazon will tell you that it was due to a problem with their system.... so you'll never know for sure.
 
Wife has completely separate accounts (on the computer, Amazon, Paypal, etc.).

Yes it could possibly have been an issue at the Amazon end ... partly why I posted, in case anyone had experienced (or heard of) anything similar. They had my account locked down pretty quickly (in less than 2 hours) after a single low-value purchase and an email address change. I know vendors etc. are hot on pattern recognition these days but that almost seems suspiciously fast?

I looked back btw and have only made 2 purchases on Amazon this year, with the last one being 2 months ago.
 
Unless things changed - and I haven't checked for at least a year - Amazon wasn't working with secure verification by Visa and MC (as in ignoring the facility), and didn't require CVV to set up a card, so I disabled One Click and removed my card details ... And I have a separate (normally empty) account and card, for online purchases from the likes of eBay, Amazon, AliExpress et al.

With online transfers pretty much instantaneous nowadays, there's no need to risk one's main bank account ... Just my opinion of course.
 
With online transfers pretty much instantaneous nowadays, there's no need to risk one's main bank account ... Just my opinion of course.

Agree 100% I have a MasterCard with the credit limit set as low as they will allow, and I use that for anything 'risky' including 99% of online stuff. That's the card that was linked to my Amazon account, but given how rarely I buy there I won't be adding the new card details.
 
A few weeks ago I had my bank account hacked and someone managed to withdraw 3 transactions of £3,800 in 2 days. The bank's checks did not trigger that anything was wrong and it was only spotted by me when I logged in a couple of days later. I have had no explanation on how the hackers got in, the bank just gave me advice on not divulging my log on details to anyone, which I have never done, ensure I have anti virus and anti malware on my PC, which I do, and to only access the account from a known safe source, which I also do. Anyone logging in to my account would need to know my 13 digit key-code, 8 digit password and 8 digit pass code, not likely. The bank has no idea how the hackers got in, so they tell me, which I find hugely worrying.
 
I'm paranoid enough not to use online banking at all.

A few years back someone in Hull still managed to set up a direct debit for their broadband from one of my accounts though!
 
A few weeks ago I had my bank account hacked and someone managed to withdraw 3 transactions of £3,800 in 2 days. The bank's checks did not trigger that anything was wrong and it was only spotted by me when I logged in a couple of days later. I have had no explanation on how the hackers got in, the bank just gave me advice on not divulging my log on details to anyone, which I have never done, ensure I have anti virus and anti malware on my PC, which I do, and to only access the account from a known safe source, which I also do. Anyone logging in to my account would need to know my 13 digit key-code, 8 digit password and 8 digit pass code, not likely. The bank has no idea how the hackers got in, so they tell me, which I find hugely worrying.

Did you lose any money?
 
A few years back someone in Hull still managed to set up a direct debit for their broadband from one of my accounts though!

There's nothing that stops that from happening, hence the Direct Debit guarantee. All that's needed is the same information as on your cheques.

It famously happened to Jeremy Clarkson when he published his bank account information in an article.
 
Agree 100% I have a MasterCard with the credit limit set as low as they will allow, and I use that for anything 'risky' including 99% of online stuff. That's the card that was linked to my Amazon account, but given how rarely I buy there I won't be adding the new card details.

I had one card hacked/cloned or whatever three times before I stopped using it, yet no issues with the other three cards I continue to use. One of the fraudulent sets of transactions involved currency exchange in a bank and the purchase of flight tickets - things you'd think would be secure and traceable.

The card company didn't seem to care less. Just credited back everything and sent me a form to sign confirming they weren't my transactions. These have got to be inside jobs.
 
