Amazon & Password Hygiene

Part 1: What’s going on?

Amazon accounts are under attack by hackers. Passwords are bought and sold on the Dark Web — the shady underground hacker forums where you can buy things like drugs and hitmen. Why Amazon? Why now? It’s simply a get-rich-quick scam. Here’s what I think their MO is — their method of operation.

Once they get an email address and password they check to see if they can get into

  1. Your account
  2. Seller Central — Amazon’s third party marketplace for sellers
  3. Vendor Central (and Vendor Express) — Amazon’s portal for selling directly to Amazon

If they can get into your Seller Central account, they change your banking details and throw up a bunch of bogus listings they don’t plan on fulfilling. Amazon pays on a 14-day cycle, so they’re hoping they can cash out before the customer complaints rack up.

Similarly, if they get access to your Vendor Central account, they “sell” Amazon a bunch of bogus stuff they don’t plan on sending in. I suspect in some cases, they may even be shipping empty boxes to Amazon to fulfill.

If they just get access to your account, they go through your old orders and start messaging with phishing attacks — trying to get you to log in to a bogus website that looks like Amazon’s Seller Central.

Part 2: How can I prevent it from happening to me?

Enable Two-Factor Authentication

The first thing you can do is to turn on Two-Factor Authentication. This means when you log in to Amazon, in addition to your password, you’ll have to enter a random code that appears on your phone. Don’t worry, you can disable it on a per-device basis so it won’t be literally every time you log in.

Since hackers will be logging in from a new device, and they won’t have access to your phone, they won’t be able to log in to your account.

Practice Good Password Hygiene

Use random passwords, and don’t use the same email + password combination on multiple sites. Especially don’t use easy-to-guess passwords on your email accounts, since those can be used to reset all your other passwords.

One of the main ways hackers get access to passwords is by hacking sites — Yahoo and Adobe are recent examples of high-profile sites that have been hacked and that hold large databases of email + password combinations. If you repeat passwords across multiple sites, it’s much easier for hackers who gain access to your password on one site to use it on another site.

This means you need a password manager to keep track of all your different passwords. Lifehacker has a summary of the “Five Best Password Managers” as voted by their readers.

I use a random password generator + password manager — all of my passwords are like y2eH&Cu#6ezHcV — impossible to guess. It’s a pain in the ass typing that into my phone every time I change a password but it’s worth it knowing my accounts are secure.

Don’t fall for Phishing attacks

Phishing is when someone sends you an email with a link to a malicious site that looks just like the site you usually log in to, prompting you to enter your credentials (username & password, credit card details, whatever), or calls you on the phone asking for your details. Don’t fall for it.

If you spot one of these scams, report it instead — to Google (if it’s in your Gmail inbox) or to Amazon (if it’s in a message on Amazon’s website) — so they can recognize and fix these problems. Whenever you log in to one of your accounts, do so by your usual means: type the site’s address into your browser yourself rather than clicking the link in an email. Always check the domain name in your browser to make sure it’s — for example and not
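As an added illustration of that domain check (example code written for this page, not part of the original post): the script below pulls the host out of a link and accepts it only when the trusted domain forms the final labels of that host, so lookalike hosts that merely contain the real name are rejected. The trusted domain amazon.com and the sample links are my assumptions, not values from the page.

```python
from urllib.parse import urlsplit

# Assumed trusted domain for the check (the page leaves it unstated).
TRUSTED_DOMAIN = "amazon.com"


def link_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to."""
    url = url.strip()
    if "//" not in url:            # a hand-typed 'amazon.com/...' has no scheme
        url = "https://" + url
    # .hostname drops any 'user@' prefix and port, so 'amazon.com@evil.example'
    # correctly resolves to 'evil.example', the part an attacker controls.
    return (urlsplit(url).hostname or "").rstrip(".")


def is_trusted_link(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the host IS the trusted domain or a subdomain of it.

    The trusted name must be the whole host or be preceded by a dot, so
    'amazon.com.verify.example' and 'sellercentral-amazon.com' both fail:
    a substring match is exactly the mistake phishing sites rely on.
    """
    host = link_host(url)
    if not host:
        return False
    return host == trusted_domain or host.endswith("." + trusted_domain)


# Constructed sample links (not real messages) mapped to the expected verdict.
SAMPLE_LINKS = {
    "https://sellercentral.amazon.com/": True,
    "www.Amazon.com/gp/css/order-history": True,
    "https://amazon.com.account-verify.example/login": False,  # real name as prefix
    "https://sellercentral-amazon.com/": False,                 # hyphen lookalike
    "https://amazon.com@evil.example/": False,                  # real name as userinfo
    "https://login.example/amazon.com/": False,                 # real name in the path
}


def triage(links):
    """Return each link with its verdict; use it before clicking anything."""
    return {url: is_trusted_link(url) for url in links}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_LINKS).items():
        print("TRUSTED " if ok else "SUSPECT ", url)
```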

Story by Mark Wieczorek.