Author Topic: Amazon Account issues  (Read 4980 times)

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Amazon Account issues
on: January 11, 2022, 23:10:54 PM
Looking into this to see if anyone else has experienced this.


I got an Amazon account, the wife has one.
Wife had it locked out recently because of orders placed not us etc. Amazon canceled them and locked the account and we had to do the recovery process. Now its a wife so you always on your toes about what they used their password etc on but I update her password regularly and she only logs in on ipad and iphone and recent passwords are all the complicated Apple ones you unlock with face ID. She has the PTO two step authentication on the amazon account as well.

This happened after she did xmas shopping buying presents and she uses the Amazon app for that.


I bought something yesterday and that night/early hours someone logged in and did gift vouchers, phone case before amazon picked that up, locked the account etc as well. I recovered access and there were other items in the cart, new password etc.
I ONLY use the IOS app for amazon and also two step authentication with the code to text.


I am waiting for the right account support to get back to me but I am really interested being a careful tech minded developer on what is going on.
I changed my wifes email password, my email for amazon is on a office365 setup white listed devices so you cant just login from anywhere even if you had the password details.


I can only think Amazon have some sort of flaw passing details to 3rd parties selling on Amazon that are then using details to get into peoples accounts or sell those on? Or API issues?
Amazon seem pretty quick to react and throw the "We do not know" hands up when contacting support.


Anyone else experienced this?

  • Offline zpyder

  • Posts: 6,946
  • Hero Member
Re: Amazon Account issues
Reply #1 on: January 11, 2022, 23:13:06 PM
Haveibeenpwned.com your email address see if anything comes up?

Its horrifying how many of my oldest accounts have been compromised now!

Sent from my SM-G998B using Tapatalk


  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #2 on: January 12, 2022, 00:41:49 AM
Haveibeenpwned.com your email address see if anything comes up?

Its horrifying how many of my oldest accounts have been compromised now!

Sent from my SM-G998B using Tapatalk


Even if we secure its the companies getting compromised themselves which is the pain in the ass. For my main email the ones that are shown there I know of and were emailed by said companies and updated my passwords when they did their process. Some were forced. Nothing new on there and some like foodora do not even exist.

    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #3 on: January 12, 2022, 09:58:32 AM
I've never heard anything like it, it must be something to do with 3rd parties as you say as their security is generally top notch.

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #4 on: January 12, 2022, 23:17:45 PM
I've never heard anything like it, it must be something to do with 3rd parties as you say as their security is generally top notch.


They sent email saying they found no activity or access outside me in an automated email. Went on the chat and said that is not right and they said they would contact again. And then got another email saying the same thing.
I am leaning to their is a flaw or security issue in their system they fully aware off and have a detection process in place for but just trying to hide it till what ever it is gets properly sorted.

    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #5 on: January 13, 2022, 05:38:13 AM
Through the grapevine I have heard that AWS are being hit pretty hard lately with attacks (DoS mostly) but it's not inconceivable that a vulnerability has recently been found and you're one of the first unlucky victims.

  • Offline matt5cott

  • Posts: 3,198
  • Global Moderator
  • Hero Member
  • I had a wheelbarrow, the wheel fell off.
Re: Amazon Account issues
Reply #6 on: January 13, 2022, 23:02:32 PM
2 separate household accounts suggests something awry at your location, first thoughts are MITM or a compromised device.

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #7 on: January 14, 2022, 02:02:20 AM
2 separate household accounts suggests something awry at your location, first thoughts are MITM or a compromised device.


Different devices. Each device does not have the details of the other.
Both Iphones through Amazon app - IOS. So I doubt compromised.
Both with Amazons two step authentication OTP so you can not log in without the code from the text.

Amazon support keep dodging me. I am still very strong (without looking) that Amazon data info send two 3rd parties about your details may be flawed or compromised. They got to send them your address details and I wonder if they are sending your whole object data. Either that or some other token that can just go into the apps that purely just attempt logins or use details to get in buy vouchers or sell details to the black sites that allow people to pay x amount to get an account to buy vouchers etc.


Amazon and eBay other than monthly services of course are the only system we have account card details saved on. My wifes is the one with PRIME so I may remove mine for manual entry.
I changed my Gmail email just in case but my main one is on office 365 and white listed devices. You can not get into my email account even if I gave you my password unless I add your device first.


    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #8 on: January 14, 2022, 06:03:52 AM
That's a point actually, have you ever authorised any apps with something like Amazon Pay? You should be able to check in your account if there are any third party authorisations. Once your tokens are in the wild they could be abused.

I also don't think Amazon support are dodging you, I think you are getting first line support intended for dealing with cretins, its unlikely its been escalated far enough for someone technical to investigate and as such they basically haven't a clue.
Last Edit: January 14, 2022, 06:05:32 AM by Clock'd 0Ne #187;

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #9 on: January 17, 2022, 07:05:30 AM
That's a point actually, have you ever authorised any apps with something like Amazon Pay? You should be able to check in your account if there are any third party authorisations. Once your tokens are in the wild they could be abused.

I also don't think Amazon support are dodging you, I think you are getting first line support intended for dealing with cretins, its unlikely its been escalated far enough for someone technical to investigate and as such they basically haven't a clue.


I do not do those either for that reason.
It is rare I have my card details saved. As a developer and you may. come across this mate with PCI Compliance. If you want your hight level security certs etc and have PCI high level Compliance they do not want you storing card details in your system. You have a token save and com with your merchant gateway.


Amazon and like may do this but I think more often than not they are big enough not to care about that and store your card details and just encrypt it and salt it themselves with a field for last 4 digits. But if someone gets into account they cant purchase.
My MS account once I remember when I moved to NZ something happened and someone got in my GOLD was never auto renew and I would pay each year or use the gift cards and they went to buy stuff but could not check out as no card details.

Like I said, Amazon convince got me at the moment but I normally only have my pay monthly services with those.
I can not seem to get past first line support, its probably something they are aware off and the process for this support is telling them to do this.
I have had no further issues or attempts to access (I wish Amazon notified you a bit more like other systems) But considering I also seem to got more spam I think what ever they do with 3rd party order I think a bit too much info is provided OR these simply get your email and other details, look up exposed password black market API systems, try all known passwords linked with that email they just got from placing the order But I still do not know how they got passed the two step authentication. I am still leaning on that there is a flaw in fetching details API and too much is exposed or just info crappy simple base64 encrypted or something.


APPLE is awesome in some ways I do try lean on the password generation from Apple as much as possible and two step authentication. Even just having passwords saved in apple IOS settings. That requires face ID to access so its enclaved and safe there.

    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #10 on: January 17, 2022, 09:25:02 AM
All of the two step auth still has to go via some kind of frontend and I'd imagine the APIs behind the scenes can be used in such a way to bypass this, there is clearly a loophole and it is simply a frontend illusion of greater security. Someone hitting the APIs directly probably has an authentication workaround. I had the same thing a few years back with my M$ account where someone tried to login from Singapore but they were stopped. Changed my password and never had a problem since.

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #11 on: January 24, 2022, 00:03:37 AM
All of the two step auth still has to go via some kind of frontend and I'd imagine the APIs behind the scenes can be used in such a way to bypass this, there is clearly a loophole and it is simply a frontend illusion of greater security. Someone hitting the APIs directly probably has an authentication workaround. I had the same thing a few years back with my M$ account where someone tried to login from Singapore but they were stopped. Changed my password and never had a problem since.


I ultimately got "We can not discuss security concerns with customers".
I got a feeling Amazon has some issues.

    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #12 on: January 24, 2022, 10:14:11 AM

I ultimately got "We can not discuss security concerns with customers".
I got a feeling Amazon has some issues.

To be fair I think that is a valid business stance, they are not going to suddenly start disclosing business confidential things to customers just because it appears they could have a vulnerability somewhere, especially from low level support.

  • Offline neXus

  • Posts: 8,746
  • Hero Member
Re: Amazon Account issues
Reply #13 on: January 24, 2022, 22:50:03 PM

I ultimately got "We can not discuss security concerns with customers".
I got a feeling Amazon has some issues.

To be fair I think that is a valid business stance, they are not going to suddenly start disclosing business confidential things to customers just because it appears they could have a vulnerability somewhere, especially from low level support.


As a developer I get that part but I would like to know if there is anything I could do.


There is the other one I am not sure if anyone is getting with the Russian google with some Russian thing trying to get access to your google account through a verified app. That is annoying as well, If I did not have the 2 step authentication setup there apparently is a means they can just get access without any actual login through how the google app process works, which is crazy. So many loop holes in big systems now you would think they would close off. Amazon just seems to have automated handling when it happens rather than actually fixing theirs which is kind of annoying.
Last Edit: January 24, 2022, 22:52:53 PM by neXus #187;

    • Tekforums.net - It's new and improved!
  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: Amazon Account issues
Reply #14 on: January 24, 2022, 23:22:12 PM
Long lived JWTs are the problem usually, like tokens that go unvalidated with no expiry, especially if someone hasn't encrypted the payload at all and left user identifiers, etc in there that can be exploited. You'd be surprised how many dev teams don't appreciate even the basics of security, its pretty scary. I doubt that applies so much at Amazon but no system is going to be flawless as its built by engineering teams that are not infallible.

0 Members and 1 Guest are viewing this topic.