Amazon account 'hacked'

Has anybody else experienced this recently?

I received this e-mail yesterday entitled 'Revision to Your Amazon.com Account':

Amazon.com <[email protected]> said:
Thanks for visiting Amazon.com! Per your request, we have changed the e-mail address associated with your account

The e-mail address associated with your account has been changed. The old address was <my email address>. The new address is [email protected].

Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more.

Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account.

Thanks again for shopping with us.

I live in the UK and use Amazon.co.uk; I don't think I've ever bought anything from Amazon.com. I automatically thought it was spam - capitalisation of Your, capitalisation of Account, no branding. Although the e-mail didn't ask me to do anything, and came from [email protected] - I deleted it (needless to say I didn't ask for an e-mail change).

Today I log into Amazon.co.uk via Google Chrome, still logged in. However when I try to change anything in my account, it wants me to log in again like my cookie has expired or something, but notice this:

[Image: qlKbs3v.png]

Don't know how this got in my browser history/cache. When I change it back to my e-mail address and Amazon.co.uk password I get this:

[Image: qCjyOz8.png]

I called Amazon on 08081453760 and spoke to an Indian lady, and I explained the problem a few times. Struggled to explain to her why she couldn't find an account with my e-mail address, but we got there in the end. I confirmed my name and address, and she confirmed that information was present for the account with this other e-mail address (my account). She didn't seem concerned about the issue from a security side. Or the fact that there seem to be several people experiencing the same thing at the moment:

https://www.amazon.co.uk/forum/deal...Page=1&cdSort=newest&cdThread=Tx3Q144BX3RMWB5
https://www.reddit.com/r/amazon/comments/6cstcz/my_account_was_hacked_email_changed_without_my/

Or that my credit card information is stored in the account, Amazon Prime, etc. Or that she wasn't able to supply me with any sort of call reference number for me calling and speaking to her (?!).

My experience is exactly the same as the Reddit link above. She was reading from a script and I should expect contact via e-mail from an 'account specialist' within 48 hours.

I can't see any charges on the cards linked to my Amazon account, my e-mail address and all my important passwords for accounts haven't been changed - it's only Amazon.co.uk.
 
Fake in what way? My account doesn't exist on Amazon.co.uk anymore. That's pretty convincing :)

Header below:

Received: from HE1EUR02HT135.eop-EUR02.prod.protection.outlook.com
(2603:10a6:4:a5::29) by DB6PR0901MB1528.eurprd09.prod.outlook.com with HTTPS
via DB6PR0202CA0043.EURPRD02.PROD.OUTLOOK.COM; Mon, 22 May 2017 13:41:35
+0000
Received: from HE1EUR02FT033.eop-EUR02.prod.protection.outlook.com
(10.152.10.55) by HE1EUR02HT135.eop-EUR02.prod.protection.outlook.com
(10.152.11.79) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1075.5; Mon, 22
May 2017 13:41:34 +0000
Authentication-Results: spf=pass (sender IP is 54.240.13.23)
smtp.mailfrom=bounces.amazon.com; hotmail.com; dkim=pass (signature was
verified) header.d=amazon.com;hotmail.com; dmarc=pass action=none
header.from=amazon.com;
Received-SPF: Pass (protection.outlook.com: domain of bounces.amazon.com
designates 54.240.13.23 as permitted sender) receiver=protection.outlook.com;
client-ip=54.240.13.23; helo= a13-23.smtp-out.amazonses.com;
Received: from SNT004-MC3F32.hotmail.com (10.152.10.55) by
HE1EUR02FT033.mail.protection.outlook.com (10.152.10.152) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.1075.5 via Frontend Transport; Mon, 22 May 2017 13:41:33 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:1B9EB9A63074E30C2D13FEC012E065B218E8B39339F296BCC6E2394B79C71166;UpperCasedChecksum:D83CD235C1E89A4F26955E22A4943E8F987FDF210A6F8A6ECFE5D8441102CFD6;SizeAsReceived:2093;Count:19
Received: from a13-23.smtp-out.amazonses.com ([54.240.13.23]) by SNT004-MC3F32.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Mon, 22 May 2017 06:41:32 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=jvxsykglqiaiibkijmhy37vqxh4mzqr6; d=amazon.com; t=1495460491;
h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date;
bh=Sao4KaMcSxICrk5/w5Jc8OJAo2oFO3MW9UorLMz/7Ts=;
b=aEUH4PqCT+4JwwhH8ivPyLRz0P/qE5Ley761R1b2EoS3k9200paWbjBVTqBCrJrn
AAD4lthX7KUmRmJ0mynG03dZSV1HE33gQ2VSzvdi4qDi8gH71odJKEoAq+Rj8xKtf4Q
r5vyURLHYvrIbZiLMYmHlsFPQEaZzzuWRIRB9sh0=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1495460491;
h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
bh=Sao4KaMcSxICrk5/w5Jc8OJAo2oFO3MW9UorLMz/7Ts=;
b=YvgftVG5/Q3FM8ZyZPK78bHrMx7aPqXMYqyy36gJoMSxlgysFhr+qKqP/wd9adGZ
cTlmRCgwFHCaHf+3KJ9uc/khCz0Dyeap/vfwnIsFFQ3RxhoNU5URltWBsTvxBjkuCrP
lGPg9tsMcGYQNhDqgGECJRauH1zzLqv5NkB9WmqM=
From: "Amazon.com" <[email protected]>
Reply-To: [email protected]
To: <my email address>
Message-ID: <0100015c30642f26-57d9edbb-1103-4be2-a1c7-b524606f9abd-000000@email.amazonses.com>
Subject: Revision to Your Amazon.com Account
Content-Type: multipart/alternative;
boundary="----=_Part_2022104_632139299.1495460491042"
X-AMAZON-MAIL-RELAY-TYPE: notification
Bounces-to: 20170522134130f88f8f9d027e47b78c6f168ad630p0na@bounces.amazon.com
X-AMAZON-METADATA: CA=C3D5CT3SUOOMIG-CU=A11RZN9CZ3BYZQ-RI=A25WWEOPH30WAU
X-Original-MessageID: <urn.rtn.msg.20170522134130f88f8f9d027e47b78c6f168ad630p0na@1495460491042.rtn-svc-na-1d-1e1a8ab3.us-east-1.amazon.com>
Date: Mon, 22 May 2017 13:41:31 +0000
X-SES-Outgoing: 2017.05.22-54.240.13.23
Feedback-ID: 1.us-east-1.ZHcGJK6s+x+i9lRHKog4RW3tECwWIf1xzTYCZyUaiec=:AmazonSES
Return-Path: 20170522134130f88f8f9d027e47b78c6f168ad630p0na@bounces.amazon.com
X-OriginalArrivalTime: 22 May 2017 13:41:32.0141 (UTC) FILETIME=[1F5751D0:01D2D301]
X-IncomingHeaderCount: 19
X-MS-Exchange-Organization-Network-Message-Id: 809fe6a3-f0ed-4039-0dc5-08d4a118432e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 54.240.13.23
CMM-sending-ip: 54.240.13.23
CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is 54.240.13.23;
identity alignment result is pass and alignment mode is relaxed)
smtp.mailfrom=20170522134130f88f8f9d027e47b78c6f168ad630p0na@bounces.amazon.com;
dkim=pass (identity alignment result is pass and alignment mode is relaxed)
header.d=amazon.com; x-hmca=pass header.id=[email protected]
CMM-X-SID-PRA: [email protected]
CMM-X-AUTH-Result: PASS
CMM-X-SID-Result: PASS
CMM-X-Message-Status: n:n
X-MS-Exchange-Organization-PCL: 2
X-Forefront-Antispam-Report: EFV:NLI;SFV:NSPM;SFS:(98901004);DIR:INB;SFP:;SCL:1;SRVR:HE1EUR02HT135;H:SNT004-MC3F32.hotmail.com;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-AuthSource: HE1EUR02FT033.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 809fe6a3-f0ed-4039-0dc5-08d4a118432e
X-Microsoft-Antispam: BCL:1;PCL:0;RULEID:(22001)(8291500097)(8291501071);SRVR:HE1EUR02HT135;
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Exchange-Antispam-Report-Test: UriScan:(220697853802784)(47284530071512);
X-Exchange-Antispam-Report-CFA-Test: BCL:1;PCL:0;RULEID:(444111535)(595095)(82015058);SRVR:HE1EUR02HT135;BCL:1;PCL:0;RULEID:;SRVR:HE1EUR02HT135;
X-MS-Exchange-Organization-SCL: 1
SpamDiagnosticOutput: 1:5
SpamDiagnosticMetadata: Default:1
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 May 2017 13:41:33.4461
(UTC)
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR02HT135
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.6509713
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;dest:I;WIMS-SenderIP:54.240.13.23;WIMS-SPF:bounces%2eamazon%2ecom;WIMS-DKIM:amazon%2ecom;WIMS-822:account%2dupdate%40amazon%2ecom;WIMS-PRA:account%2dupdate%40amazon%2ecom;WIMS-AUTH:PASS;ENG:(5061607094)(102400140);
MIME-Version: 1.0

------=_Part_2022104_632139299.1495460491042
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Thanks for visiting Amazon.com!
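
Added example, not part of the original post: a Python check of the Authentication-Results line from the header above, showing why spf=pass, dkim=pass and dmarc=pass for amazon.com mean the notification was sent by Amazon's mail systems rather than spoofed. The function names and the SPOOFED sample are constructed for illustration, alignment is approximated without a Public Suffix List, and the header is only meaningful when it was stamped by your own mail provider.

```python
import re

# Authentication-Results value copied from the header in the post (unfolded).
POSTED = ("spf=pass (sender IP is 54.240.13.23) smtp.mailfrom=bounces.amazon.com; "
          "hotmail.com; dkim=pass (signature was verified) header.d=amazon.com;"
          "hotmail.com; dmarc=pass action=none header.from=amazon.com;")
# Constructed counter-example: a look-alike that fails DMARC for amazon.com.
SPOOFED = ("spf=pass smtp.mailfrom=mailer.example.net; dkim=none; "
           "dmarc=fail action=none header.from=amazon.com;")

METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PROP = re.compile(r"\b([a-z]+\.[a-z]+)=([^\s;]+)", re.I)

def parse_auth_results(value):
    """Map each of spf/dkim/dmarc to its result and properties.
    If a method appears more than once, the last occurrence wins."""
    value = re.sub(r"\([^)]*\)", " ", value)   # strip parenthesised comments
    hits = list(METHOD.finditer(value))
    parsed = {}
    for i, hit in enumerate(hits):
        # Properties up to the next method belong to this method.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(value)
        props = {k.lower(): v.lower() for k, v in PROP.findall(value[hit.end():end])}
        parsed[hit.group(1).lower()] = {"result": hit.group(2).lower(), **props}
    return parsed

def aligned(identity, from_domain):
    """Relaxed alignment approximated without a Public Suffix List: the
    authenticated domain is header.from itself or one of its subdomains."""
    domain = identity.rsplit("@", 1)[-1]
    return domain == from_domain or domain.endswith("." + from_domain)

def is_authentic(value, expected_from):
    """True only if DMARC passed for expected_from via an aligned SPF or DKIM pass."""
    r = parse_auth_results(value)
    dmarc, spf, dkim = r.get("dmarc", {}), r.get("spf", {}), r.get("dkim", {})
    if dmarc.get("result") != "pass" or dmarc.get("header.from") != expected_from:
        return False
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), expected_from)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), expected_from)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    for name, header in (("posted", POSTED), ("spoofed", SPOOFED)):
        print(name, parse_auth_results(header), is_authentic(header, "amazon.com"))
```

A genuine "e-mail address changed" notice that the account owner did not request points to a change made inside the account, not to phishing.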
Thanks Zefan that's helpful, you are probably right.

I am guilty of using this password elsewhere (although not for any e-mail account). I can't find that e-mail, although I could have well deleted it and not changed my password.
 
I think I misread the 2nd part of his post - if it's showing the username on his end in the store I'd start to suspect some kind of malware.

Possibly, I run Windows 10 with patches up to date, firewall enabled and anti-virus updated, I don't click random links, etc. Never say never though I guess, these things happen.

The reason why I think it's (probably) not malware is that my PC at work (different network) is also still logged into my Amazon account. When I click to change any settings I'm asked to log in again there, and the pre-filled e-mail address in Chrome is that other e-mail address - the same as my home PC. So if it is malware, it's on two different PCs not linked in any way.

I wonder if it's something along the lines of what Zefan said, either I've not changed my password when asked to or like an idiot I've reset it back to what it was before because I'm lazy. I have also used this password for other sites (not e-mail or any form of banking) so again, my own stupid fault :)
 
Just to provide an update, Amazon contacted me yesterday (within 24 hours of me raising it) and restored my access. They sent me a copy/pasta e-mail, but had disabled the password to the account, reversed any changes made and cancelled any pending orders - I can't tell if there were any made. I was able to log in and select a new password, all is well again. Thanks for all the comments, cheers.