The key to ‘hacking’ Amazon accounts? Persistence

It turns out if you want to break into someone else’s Amazon account, you don’t need to know their password, mother’s maiden name, or what their first pet was called. You just need to keep asking for information. That’s what happened with the case of Eric Springer, who found that Amazon customer support had handed over his personal information with just some gentle prodding.

Although Springer describes himself as a security-conscious individual, using long passwords and two-factor authentication where possible, he recently discovered that his Amazon account had been “hacked” when the retailer emailed him as a follow-up to a support chat. Knowing that no such chat had taken place, he looked into it and was able to recover a chat log between someone claiming to be him and an Amazon employee.

Although that support worker did ask for information on Springer to confirm it was really him, for some reason they accepted an address that was merely near where Springer was located, cribbed from a Whois lookup of his website. The phony customer then pressed the support worker for more information and was quickly told Springer’s real address and phone number, as well as the balance of any gift cards on the account.

“The attacker gave Amazon my fake details from a Whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my credit card,” Springer explained on his blog, after expressing sheer amazement that such a security hole could exist in the Amazon support system.

That wasn’t the end of it either. Despite letting Amazon know that his account was at risk of being socially engineered, Springer found several months later that another incident had taken place, when his personal information was coaxed out of an Amazon support rep. They even tried (albeit unsuccessfully) to discover the last few digits of his credit card.

Perhaps catching on to the fact that Springer was aware of their actions, the individuals going after his account then contacted support by phone and were seemingly able to acquire his credit card details.

As well as providing a number of strongly worded recommendations to Amazon, Springer also encourages everyone to be very careful with any information shared with any service, as you never know how it could be used to compromise other data.

Jon Martindale
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…