That's a point actually, have you ever authorised any apps with something like Amazon Pay? You should be able to check in your account if there are any third party authorisations. Once your tokens are in the wild they could be abused.
I also don't think Amazon support are dodging you. I think you are getting first-line support intended for dealing with cretins; it's unlikely it's been escalated far enough for someone technical to investigate, and as such they basically haven't a clue.
I do not do those either for that reason.
It is rare I have my card details saved. As a developer you may come across this, mate, with PCI compliance. If you want your high-level security certs etc. and have PCI high-level compliance, they do not want you storing card details in your system. You have a token saved and communicate with your merchant gateway.
Amazon and the like may do this, but I think more often than not they are big enough not to care about that and store your card details and just encrypt it and salt it themselves, with a field for the last 4 digits. But if someone gets into the account they can't purchase.
With my MS account, I remember once when I moved to NZ something happened and someone got in. My GOLD was never on auto-renew, and I would pay each year or use the gift cards, and they went to buy stuff but could not check out as there were no card details.
Like I said, Amazon convenience got me at the moment, but I normally only have my pay-monthly services with those.
I cannot seem to get past first-line support; it's probably something they are aware of, and the process for this support is telling them to do this.
I have had no further issues or attempts to access (I wish Amazon notified you a bit more, like other systems). But considering I also seem to have got more spam, I think whatever they do with 3rd party order, a bit too much info is provided, OR these simply get your email and other details, look up exposed password black market API systems, and try all known passwords linked with that email they just got from placing the order. But I still do not know how they got past the two-step authentication. I am still leaning on that there is a flaw in the fetching details API and too much is exposed, or the info is just crappy, simple base64 encrypted or something.
APPLE is awesome in some ways. I do try to lean on the password generation from Apple as much as possible, and two-step authentication. Even just having passwords saved in Apple iOS settings. That requires Face ID to access, so it's enclaved and safe there.