Viewing 21 posts - 1 through 21 (of 21 total)
Repeated Amazon account hacks – how? WWSTWD?

    wwaswas
    Full Member

    My daughter’s amazon account has just been hacked for the second time and the password and email address changed.

    Stuff I got her to do after last time:

    1) Use a complex password – it’s now initial letters from the first line of a song plus a random 4 digit number
    2) Use a different password on all her online accounts (she’s adopted the same approach for password structure on all of them but with different songs).
    3) change her email password.
    4) Get a new bank card – it was linked to her Amazon acct.

    So, now someone using Amazon.de has managed to change her account email to a .ru email address.

    Do they need to have access to the account to do this or is there some way of changing the email address on an Amazon account without having online access?

    She uses Apple devices plus a Kindle to access Amazon – are these likely to be compromised and giving access?

    We’re going to switch 2 factor authorization on her Amazon account and email (although no evidence her email’s compromised).

    Anything else we should look at doing? Get another card (there’s been no purchases through Amazon, she rarely has more than £20 in her account)?

    reformedfatty
    Free Member

    I’d be checking for keyloggers etc on all devices she logs in from.

    deadkenny
    Free Member

    Yes, it’s possible one or more of the Apple devices etc are compromised. Rogue app perhaps.

    They’ll only be able to change email with access to the account.

    Email might be compromised, even though the password has been changed. Might have set something up to intercept the mails, or again something on one of the devices is harvesting the mails.

    Is there some kind of recovery option set up on Amazon? i.e. where if you forget your password you can use a phone number, memorable word, or a secondary email etc. Not sure what Amazon offers here.

    If they can intercept the recovery, then they can reset the password and get in.

    Other thing is does someone else have access to the devices?

    Two-factor authentication would be the best option, and reset passwords again.

    CountZero
    Full Member

    Yes, it’s possible one or more of the Apple devices etc are compromised. Rogue app perhaps.

    That, I’d have thought, would be highly unlikely, as are keyloggers, at least on mobile devices, but not impossible. I’d look at email being the most likely vector, possibly the Kindle, but I reckon Amazon would be the most likely route. Keyloggers may be a culprit on a computer that’s being used, or some other bit of malware that’s found its way onto a computer via an email attachment; there’s some remarkably sophisticated ’ware out there, and getting even more so all the time.

    footflaps
    Full Member

    Are you using 2 factor authentication? Need a code sent to mobile.

    That, I’d have thought, would be highly unlikely, as are keyloggers, at least on mobile devices, but not impossible;

    Very tricky on iOS as most apps are heavily sandboxed, so they’d need a zero-day exploit to snoop on another app.

    nickdavies
    Full Member

    It’s weird, I’ve had mine done a couple of times but they only seem to put pre-authorisations through and the bank picks them up.

    Hacking emails is easy enough, you only need to hack an email, request a password reset link for numerous common sites and delete them afterwards and you’d not notice. (Amazon may want more security info than this).

    Song initials and 4 digit number isn’t that secure; there is evidence that a long combination of words is better than shorter, more obtuse passwords against brute force hacking. 4 letters gives a lot more combinations than 4 numbers. Turn on 2 factor too.

    jimdubleyou
    Full Member

    Did you revoke permissions for everything signed on at the time you recovered the account?

    Not sure if Amazon does that automatically when you change a password…

    Drac
    Full Member

    Is she clicking on emails from Amazon? Could be she’s been logging into phishing emails.

    evidence is there that a long combination of words is better than shorter more obtuse passwords for brute force hacking.

    Hasn’t that now been shown not to be secure either?

    spooky_b329
    Full Member

    Phishing emails seconded. All they have to do is send an email asking you to review a recent purchase, or saying that she has been charged for something she wasn’t expecting; click to log in and it goes to a fake site where she enters her password.

    Always ignore and log in via your browser manually, if the email is legit you should be able to resolve without clicking a link.

    They sent out a fake phishing email at work last month. I was stunned at the number of colleagues who clicked, and unwittingly registered themselves for an online course on the hazards of phishing! There were some key clues, such as spelling mistakes, “dear employee” rather than a named email, bad English, and lots still fell for it…

    FuzzyWuzzy
    Full Member

    Phishing or her email account being compromised sounds the most likely scenario. Could be malware on the iOS device but that’s not a common situation, make sure she’s running the latest iOS version on all the devices + update the Kindle (no clue about Kindle security in general though).

    Definitely turn on 2-factor authentication as a first step and change her email account password again (from an iOS device that’s been updated).

    deadkenny
    Free Member

    If the Kindle is a Fire that’s running Android, then there’s a whole load of security concerns there compared to iOS. Although if only using it as supplied and the Amazon store, then less so. Don’t know what the malware state is in the Amazon store.

    But good call on the phishing emails, that sounds more likely.

    wwaswas
    Full Member

    It’s a Kindle book reader, not a Fire.

    Will get the 2 factor done, make the changes and offer some advice on following links (although she’s pretty savvy).

    Re: random number and letter sequence v lots of words – I understand the distinction but I can’t believe that they’re using brute force tactics to try and unlock a 15-year-old’s Amazon account or email.

    plyphon
    Free Member

    Re: random number and letter sequence v lots of words – I understand the distinction but I can’t believe that they’re using brute force tactics to try and unlock a 15-year-old’s Amazon account or email.

    It’s time for that XKCD:

    https://xkcd.com/936/

    But you’re probably right – maybe they’re not doing that.

    What’s more likely is that there are just enough details available on the open web.

    If you read this article:

    https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

    You can see how crossover in security policy between organisations leaves you open to having enough information available to socially engineer your way into services.

    I’d be asking Amazon how/when/where the emails and passwords were changed. Phone them up. Ask them if someone else phoned up to ask the email to be changed.

    I’d also make a completely new email address just for Amazon (make it from another computer you know is secure) – just to prove if that’s the vector at this point. It might be that she has an email public (facebook etc) and that combined with Age/Address/obvious secret question is enough to simply log in.
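
    The thread’s password-strength argument (nickdavies’ “4 letters gives a lot more combinations than 4 numbers” and the XKCD 936 passphrase comparison) can be worked through in a few lines. This is an added example, not code from the forum or from any of the posters. It treats every symbol as chosen uniformly at random, so for the “song initials plus 4 digits” scheme it is an upper bound: real song lines are far from random, so an attacker who knows the scheme would need far fewer guesses than the figure suggests. The guess rate and the 3-day window are the figures quoted later in the thread.

```python
import math

SECONDS_PER_DAY = 86400


def keyspace_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def scheme_bits(parts):
    """Entropy of a password assembled from independent parts.

    `parts` is a list of (alphabet_size, length) tuples; the bits simply add up
    because each part is chosen independently of the others.
    """
    return sum(keyspace_bits(alphabet, length) for alphabet, length in parts)


def guesses_in(seconds, rate):
    """How many candidates an attacker can try in `seconds` at `rate` guesses per second."""
    return seconds * rate


def days_to_exhaust(bits, rate):
    """Days needed to try every candidate in a 2**bits keyspace at `rate` guesses/second."""
    return 2 ** bits / rate / SECONDS_PER_DAY


# Schemes discussed in the thread, modelled as (alphabet_size, length) parts.
# The "8 song initials" length is an assumption made for illustration.
SCHEMES = {
    "four digits": [(10, 4)],
    "four lowercase letters": [(26, 4)],
    "eight song initials + four digits (treated as random)": [(26, 8), (10, 4)],
    "four words from a 2048-word list (xkcd 936)": [(2048, 4)],
}


def compare(rate=1000):
    """Return {scheme: (bits, days to exhaust at `rate` guesses/second)}."""
    return {
        name: (round(scheme_bits(parts), 1), days_to_exhaust(scheme_bits(parts), rate))
        for name, parts in SCHEMES.items()
    }


if __name__ == "__main__":
    # Constructed scenario from the thread: 1000 guesses/second sustained for 3 days.
    print("guesses in 3 days at 1000/s:", guesses_in(3 * SECONDS_PER_DAY, 1000))
    for name, (bits, days) in compare().items():
        print(f"{name}: {bits} bits, {days:,.1f} days to exhaust")
```

    The useful reading of the numbers is the one wwaswas makes: these figures only matter for an attacker who can submit millions of guesses, which an online login form with any rate limiting does not allow, so the realistic threats are phishing and a compromised recovery email rather than exhaustion of the keyspace.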

    Drac
    Full Member
    wwaswas
    Full Member

    As I said, I understand the reasoning *but* the maths only comes into play with a brute force ‘millions of attempts’ approach to hacking an account, and I can’t believe that Amazon wouldn’t detect 1000 guesses/second attempts to log in for 3 days and do something about it?

    plyphon
    Free Member

    Amazon wouldn’t detect 1000 guesses/second attempts to log in for 3 days and do something about it?

    You’d be surprised. Even small companies receive massive DDoS/brute forcing/security probing on a daily basis. I can’t imagine the number of connections a second Amazon receives. 1000 is a drop in the ocean.

    I also updated my comment with more practical advice.
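
    Both sides of this exchange are right about different things: 1000 connections a second is invisible in a site’s global traffic, but the same guesses are very visible once failures are counted per account and per source address. The script below is an added example, not code from the forum or from any login service, showing the two checks a defender would run over authentication logs: a per-account failure threshold in a sliding window (what a lockout policy enforces) and a per-source check for one address failing against many accounts (password spraying). The log lines and the log format are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log, not from any real system.
# Format: <ISO timestamp> login <OK|FAIL> user=<account> ip=<source address>
SAMPLE_LOG = """\
2017-03-01T10:00:00 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:01 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:02 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:03 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:04 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:05 login FAIL user=alice ip=203.0.113.7
2017-03-01T10:00:30 login OK user=bob ip=198.51.100.2
2017-03-01T10:05:00 login FAIL user=bob ip=198.51.100.2
2017-03-01T11:00:00 login FAIL user=carol ip=192.0.2.9
2017-03-01T11:00:01 login FAIL user=dave ip=192.0.2.9
2017-03-01T11:00:02 login FAIL user=erin ip=192.0.2.9
2017-03-01T11:00:03 login FAIL user=frank ip=192.0.2.9
2017-03-01T11:00:04 login FAIL user=grace ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, result, user, ip = match.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result, "user": user, "ip": ip}


def detect(lines, window=timedelta(minutes=5), per_account=5, spray_accounts=4):
    """Scan log lines in order and return alerts as (kind, subject) tuples.

    "lockout": one account reached `per_account` failures inside `window`.
    "spray":   one source address failed against `spray_accounts` distinct
               accounts inside `window`.
    Each subject is reported once, the first time it crosses the threshold.
    """
    account_failures = defaultdict(deque)  # account -> timestamps of failures
    source_failures = defaultdict(deque)   # ip -> (timestamp, account) of failures
    alerts, reported = [], set()

    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        now = rec["ts"]

        # Per-account sliding window: the check a lockout policy enforces.
        q = account_failures[rec["user"]]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) >= per_account and ("lockout", rec["user"]) not in reported:
            reported.add(("lockout", rec["user"]))
            alerts.append(("lockout", rec["user"]))

        # Per-source sliding window: many accounts, few guesses each.
        s = source_failures[rec["ip"]]
        s.append((now, rec["user"]))
        while now - s[0][0] > window:
            s.popleft()
        distinct = {user for _, user in s}
        if len(distinct) >= spray_accounts and ("spray", rec["ip"]) not in reported:
            reported.add(("spray", rec["ip"]))
            alerts.append(("spray", rec["ip"]))

    return alerts


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {subject}")
```

    Bob’s single failure produces nothing, alice trips the per-account threshold on her fifth failure, and 192.0.2.9 is flagged on the fourth distinct account it fails against. The thresholds are illustrative; the point is that either check catches a 1000-guesses-per-second run within its first second, regardless of how much other traffic the site carries.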

    Drac
    Full Member

    That last part is pretty good advice plyphon.

    plyphon
    Free Member

    Drac – Moderator
    He apologised for getting that wrong.

    That was the person who came up with the idea of bizarre password criteria (1 upper case, 1 lower case, 1 number and at least 8 characters long) apologising for starting that trend. The XKCD is correct!

    wwaswas
    Full Member

    What’s odd is that they’ve never attempted to buy anything. You’d think you’d hack it then immediately try and get as much bought as possible – they’re not to know she’s only got a few quid on the card linked to her account.

    GrahamS
    Full Member

    Phishing emails seconded. All they have to do is send an email asking you to review a recent purchase..

    Seems likely to me too. I must get a dozen of them a week (mostly caught by my junk mail filters) promising Amazon vouchers or free gifts as a reward for my recent purchase etc.

    wwaswas
    Full Member

    I’ve suggested a new email account created from a different device and having 2-factor on both the email and Amazon accounts.

    thanks for the advice, all 🙂
