Why my Amazon account being hacked turned out to be a good thing.

Marc Belle
7 min readJun 24, 2020

--

A couple of days ago my Amazon account got hacked. It turned out to be a good thing.

You’d think I’d be worried, someone could buy almost anything with a single click, my credit card could be rinsed, and the truth is I was worried at first but in fact, I discovered something much more worrying about Amazon in that there are gaping security flaws in their system.

Let me explain.

Monday 4:27 pm

Amazon email me to report a sign in from a new device, an iPhone (I’m on a Pixel 3) in China (I’m in the UK, in lockdown during the middle of a pandemic).

New device sign-in email from Amazon

Red Flag 1: A few days prior I placed an order to be delivered to my billing address in the UK and suddenly I’m now in China during a pandemic when I can’t fly.

Monday 4:28 pm

1 minute later I get another email telling me that Two Factor Authentication has been set up on my account.

Monday 4:35 pm

7 minutes after that I get a 3rd email telling me my email address has been updated.

Red Flag 2: After the first red flag is raised someone is allowed to go change security settings within seconds of signing into the account from a new device in a new location. Amazon don’t cross-reference the first red flag with this unusual behaviour and block the account or even temporarily disable security changes.

2 account update emails from Amazon

Monday 5:12 pm

Like most people I’m busy doing something else so didn’t see these emails until about 30 minutes later at which point I rang Amazon because I’m worried about someone spending on my card.

😱

Red Flag 3: Bearing in mind there is no red flag when the details were updated, Amazon hasn’t taken into account that there can be delays on emails arriving when determining how quickly to let a user change something after the first flag is raised for the unusual login. There can be delays on emails arriving, either because the user’s mail server is busy or queuing, or like I was, the user simply not being in front of their email at the time.

After a near 30-minute phone call I manage to get my card removed from the account (well, the one that I could recall the last 4 digits of) and told that a “specialist” will be in touch to handle fixing the problem within 24–48 hours. They’ve got all the details they need including my old (real) email address so they can contact me, not the hacker. I was also told that as of that moment no purchases had been attempted on the account.

Red Flag 4: 48 hours? To sort a security breach?

Monday 8:07 pm

Just over 2 hours after I got off the phone I get an email off Amazon…

Email from Amazon

“I’m sorry but I couldn’t find an Amazon.co.uk account under the e-mail address from which you’ve written.

You can change your e-mail address by visiting Your Account, https://www.amazon.co.uk/your-account and selecting ‘Login & Security’.”

😓

I don’t know if the information wasn’t passed on correctly but no Amazon, of course, you wouldn’t find my email address on the account because someone changed it, I gave you the email address they changed it to as well when you verified who I was on the phone. And if I could log in and change it then we wouldn’t be having this problem, would we?!

Red Flag 5: Over 3 and a half hours after the account was hacked, 2 hours after alerting Amazon to it, the account is still compromised and Amazon have basically said they won’t do any more about this.

And that email address! Does that look real to anyone?

Tuesday 7:35 am

Woken up by the builders outside I check my email but no further response from Amazon, so I get on Twitter and rant at them for help. Amazingly I get a reply within 2 minutes.

Twitter, if you didn’t know, is amazing for dealing with complaints.

I get told to ring Amazon (again) to get a “specialist” to resolve because they can’t do that on Twitter. So following my morning meetings I ring again.

Tuesday 9:57 am

The incident is written down again and will be passed over to be dealt with by a “security specialist”. This time I am told I will be contacted within 12 hours. I’m also told that there still had not been any attempt to spend on the account.

So at this point, you’d typically imagine I was slightly relieved knowing I hadn’t been rinsed, but this is when I discovered why this was a much bigger problem.

Here’s why.

Someone gains access to an Amazon account and over the last 18 hours not once have any purchases been attempted. So what was the point? Data. Personally identifiable data.

You say, but it’s only your mailing address and name that you give to people anyway and the last 4 digits of your card, what’s the real issue? The real issue is that unlike many e-commerce websites with 1 or 2 addresses that get replaced when you change them, Amazon don’t delete old addresses. Or old bank cards either. In fact, they don’t even send you emails to suggest that you check and remove any old details. And how many of us have moved address and just add the new one without thinking that you should probably delete the old one.

So why is that a problem? Because one of the primary ways to verify who you are, the same way credit lenders like Experian do, for example, is to keep a record of all your past addresses and get you to confirm the last 3, 4, 5 years.

Red Flag 6: So Amazon is storing data on the same level of a credit lender with the ability for someone to just login with a password, change security details, no red flags go up, no verification and the user can be locked out of their account.

You might be saying well it’s my fault I didn’t set up Two Factor Authentication or maybe my password wasn’t strong enough. But the fact remains Amazon have a duty of care to put security in place to ensure that if there is a breach that that level of data is not at risk. That red flags for suspicious activity are put in place to minimise risk and actioned, and when a breach is reported that they act swiftly to resolve. None of that happened.

So I waited the 12 hours to be contacted.

Tuesday 10:30 pm (or thereabouts)

Back to Twitter

No email, no phone call, nothing. So back to Twitter it was and again I get a quick reply telling me to continue detailing with “our Account Specialist” whom of course I’m no longer in contact with because I’m waiting on the “Security Specialist” who hasn’t got in touch. In fact, as I write this more than 24 hours after I got off the phone I still haven’t been contacted by anyone from Amazon.

Tuesday 10:40 pm (or thereabouts following my rant)

I decide let me go to the account and try again and just see if I might be able to log in. Surprisingly I wasn’t actually logged out! I could see past orders, old cards (expired), my addresses (fortunately I only had my current one in there, no previous ones, phew!), in fact I could navigate anywhere and even buy if I wanted. The only thing I couldn’t do is change the login or email details because I had to reconfirm the password.

Red Flag 7: So you can update your security settings on Amazon, changing the password, adding Two Factor Authentication and at no point is any other logged in account tested to check it should still be authorised to be kept in.

The moment the hacker took control of the account all other active sessions should have been terminated, I should have been booted out on all other devices and given an identity-check when I tried to navigate to a new page on a previously signed in device. In fact, none of this happened and I was able to go ahead and delete my current address and the old cards. Even though technically I was now unauthorised to be in the account!

Now, fortunately, I was lucky in the end because I didn’t have any useful historical data in the account, but following removing some old info, I realised I did have old Amazon accounts and when I checked those did have historical addresses, so I removed those and deleted the accounts.

So if you are reading this I‘d suggest that you do the same. Go check. Remove all old cards and addresses and leave only the bare minimum you need to make a purchase on Amazon. If you can setup Two Factor Authentication. Tell your friends and family too, because many people don’t have Two Factor Authentication turned on. In fact, when I mentioned this had happened to about 10 people, only 1 had it turned on, and over half of them had 10+ years worth of addresses left in there.

If you are Amazon and reading this, then…well, to be honest, I haven’t got much else to say on the matter.

--

--

Marc Belle

I am a Creative Director, Design Lead, Mentor & Problem Solver based in the UK. Product and Service Design lead for GOV.UK orgs