Amazon account hijacked

We discovered today that my husband no longer has access to his Amazon account. Apparently someone with an email address ending in .ru changed the email address on the account and removed his cell number from the account. They also changed the address associated with the account—all, presumably, to keep him from recovering the account. This was all done yesterday. Then the account email was changed one more time, I am guessing so that we would not be able to give Amazon the email address currently associated with the account. However, as my husband was still logged into his account on our computer, he was able to read the current email address. He couldn’t, however, change the password.

Apparently a number of people have had their Amazon account hijacked by people with .ru emails. What I can’t figure out is what they’re after. The full credit card number doesn’t display, and to ship to a new address, you have to enter the whole number. Is this done to gather information for identity theft? Anyone have any thoughts or experience with this?

I think I can ship to another address if I want to. It doesn’t ask me to verify my credit card. I think it is especially the case if I have a gift card. At the same time if someone were to charge something to my CC without my permission, I wouldn’t be responsible for it.

Mine doesn’t require anything more than clicking the card shown with the last 4 digits, xxxxxxxx1234. And you said there’s already an alternate address?

Did he call Amazon? I’d guess he can likely verify via recent purchases, prior email, addresses, etc. Main thing is to deactivate his card on the account and tell the card company not to pay Amazon charges until resolved. May need a new card issued.

They could, at worst, charge things to him and have them shipped to a 3rd party site that re-ships internationally.

You can ship to an address already in your account’s address book. But if you put in a new address, they require you to verify the card information.

My husband has no idea how many cards he has stored in that account, hoping there are no surprises. Amazon said they will disable the account while they are investigating but will take 24-48 hours to do so. I guess it’s the banks that would eat those losses?

I am guessing they could send Amazon gift cards.

It is too late for you, since your account was hijacked. Based upon advice received years ago at a cyber security presentation, I have an internet only credit card which is only used for online purchases and typically doesn’t leave the house. It has a relatively low credit limit (although high enough for me to purchase travel). This is the only credit card attached to my Amazon account. If that card is compromised, I don’t have to worry about the ones I use everyday that are in my wallet and vice versa. I wonder what Amazon’s policy will be about use of gift cards that are attached to your account when an account is hijacked?

Wasn’t my account but my husband’s. He is the stubbornest person I know. He refused to use even the most basic security practices, and reused the same passwords everywhere. When I insisted he use a unique password for his email, he apparently changed his usual password by one digit. It is amazing that no one has hacked his email or bank account… yet. Today he let me change his most sensitive passwords to something more secure.

I am not especially worried about using cards on the internet; I don’t think it’s any less secure than handing my card over to someone in a store. If a card is compromised, the bank can overnight a new one. But I don’t like to store cards on websites. Ironically, Amazon is an exception — I do have a card stored there.

I am feeling a little paranoid about what a hacker might try to do with the information taken from my husband’s account.

My credit card was recently used by someone other than me. They charged two cell phones, a trip on Expedia, and an Airbnb. I asked the CC company where I was going on vacation…they were not amused.

My card was immediately frozen, and a new one was sent but it took about a week to arrive.

It’s just annoying.

I do not store my credit cards online…anywhere.

Btw, the banks have insurance on credit card fraud. They collect from the insurers.

Amazon says, “you may be asked to confirm your credit card number the next time you place an order using the new, edited address.”

Seems to imply not always.

I’ve always been asked to confirm my # if shipping to an address I haven’t shipped to before.

Yeah, I have always been asked, too. Found it incredibly annoying until yesterday!

@thumper1 - I have found the occasional test charge on a credit card, but nothing more than a few $. Oh, and once or twice a credit card has refused a charge until I confirmed that it was mine, usually because it was being made from somewhere that I wasn’t.

Scariest thing that ever happened to me was that a cell phone account that I share with a friend was hacked. Someone went to a Best Buy in a neighboring state with the account information, upgraded the 4 phones that were eligible to the newest iPhone model, and activated them… so they stole our phone numbers. We hadn’t had a passcode on the account until then, but I have read that asking for the passcode isn’t a requirement, but something the employee has to remember to do. Fortunately in this case the person just wanted the phones, but once they had our numbers, they could have reset all our passwords and stolen our assets.

Yes, phone numbers can be ported to a new carrier with no security by default on most carriers. It is optional to put a security PIN on the phone number to resist unauthorized porting.

It would be better if carriers would only port in a number with a PIN (which has to be correct), and required setting a PIN before allowing the number to be ported out.

Huh, I never really thought about someone stealing our numbers and upgrading to new phones. I do have a pin on my account even though I don’t recall ever setting one up. I usually buy our phones at Sam’s Club with my provider being Verizon. Sam’s always asks me to enter my pin code. I never remember it and then I have to call Verizon to get it. Now I understand why that measure is in place.

The main reason to have a good PIN on your cell phone account is to prevent SIM swapping. Any accounts you have 2 factor authentication for are vulnerable then. I’d think someone buying new phones is pretty easily reversed.

Can’t someone buy digital gift cards without having Amazon confirm the CC #?

Someone buying new phones IS easily reversed; we had our service back within hours, and the new iPhones were bricked. But I assume they were either already sold or the buyers didn’t know they were bricked.

But what is worrisome is how easy it would have been for hackers to take that swindle one step further and invade our financial lives.

Did not hear back from Amazon today, so my husband called again and spoke for about 30 minutes to a customer service rep. She asked him his email address 3 times, asked him for a past order number 3 times, kept asking him for the current address on the account (added by the hackers). At this point I’m not even sure that it’s worth the effort to get the account back, because the only thing in there that can’t be recreated is the purchase history. What worries me is that the hackers are looking for information more than credit cards, in which case they have had days to pull anything they wanted from the account. I would think that stealing an Amazon account would be more useful to help with identity theft than theft of merchandise and gift cards.

@OHMomof2 I think you are probably right that they could buy gift cards without inputting a credit card number. But it doesn’t look like anyone tried to do that.

T-Mobile has all accounts now linked with PIN numbers BTW.

My identity was stolen after buying a car and doing a credit check. Hmm mm.

So the suggestions are to file a report with the FCC that you can do online and takes a few minutes for a paper trail. Also do two part authorization on your email accounts.

They opened three accounts and one was an in-store purchase of 5 expensive phones at Sprint. Like over $5,000…I don’t even have a Sprint account… Like no one is going to question that many phones or charge to someone that doesn’t even have an account???

Personally, I would start a new Amazon account. You have already upgraded your passwords.

So… When my wife’s email was hacked several years ago the hacker emailed her.
My wife told him she needed something really important and needed to get back in and she didn’t care about the account… Get this… He lets her back in…she got what she needed. Changed the password (they can still have keylogging software on it) and closed the account.

Guess if you ask nicely… Lol.

Did your DH use Amazon to log in to anything? They offer that as an option on some sites, as do Google, Facebook, etc. - “Log in with Amazon”.

Another thing to check - do you have Alexa-enabled devices? Security system, lights, any other “smart home” stuff? That would all be linked to the Amazon account.

Do you have Kindles, or Kindle apps? I’d lock those down too. A Kindle is like a phone without the phone part…a lot of people allow their Kindles to access email accounts, Facebook, other stuff.

They did get your address and those of your friends/family/whoever you’ve sent Amazon stuff to, which is an identity theft concern, also something I’d let those friends know - their personal info (address, phone anyway) were effectively in a breach.

So my phone… Pixel 3A/Gmail… just flagged this thread as a phishing thread when @OHMomof2 just responded and got the CC notice in my email… Very strange as we are all not new. Hmmm

Something similar happened on my Amazon account. It wasn’t necessarily hijacked but suddenly there were a lot of digital downloads for video games. I had to change the password and it stopped and Amazon refunded the games.

But I had the strangest thing happen to my Netflix account. One night it suddenly forced me to log in. I tried multiple times and then finally called them. Someone in Malaysia had gotten into my account somehow and changed the password. Luckily I was able to cancel my account and open a new account with different user ID and password. Guess they are desperate to watch Netflix in Malaysia.

Tried 3 times to post a response and it never went through.