Serious Security Problem with Amazon; How Is This Even Possible?

This morning, I went to my Amazon account to turn on two-step verification. This system offers an additional layer of protection, and requires that, when you sign into your account, you enter a six-digit code that is sent to you via text message. You can trust devices, so you don’t need to enter the code each time, but at least no one can log into your account from a new, untrusted device without a code.

I have three Amazon accounts. I have been shopping with Amazon.com in the US since it was launched. I lived in France for a long time, so I have an account there. And I now live in the UK, and have an account with Amazon UK. I use the same password for each of the accounts, and Amazon stores my addresses and payment methods for all of them; if I change any of these on one country account, the changes are made on the others. As such, turning on two-step verification on Amazon.com also turned it on for Amazon UK and Amazon FR.

So I went to check my Amazon accounts in the three countries, and in different browsers. (A trusted device is not just a computer, but a specific browser on a computer, so if you use more than one browser, then you need to enter a code for each one, or trust each one after entering a code the first time.)

When I went to Amazon FR in Firefox, I saw something very surprising. I was not logged into my account, but into someone else’s.


It turns out that the someone else is my son, but this is very worrisome. My son lives in Paris, and while he has visited me in the UK several times since I moved to the country, he confirmed that he has never used my computer to log into Amazon; when he visits, he brings his laptop. In addition, I don’t know his password, and, when I checked Firefox’s saved passwords, no passwords of his show up for any site. While I don’t use Firefox often, I’m sure I’ve logged into Amazon FR in Firefox at least once since I’ve been in the UK.

Note that I can view my son’s shopping cart, but I can’t access any of his account info, or place an order. When you do that, you need to sign in. Amazon displays this screen when I try to access any further information about the account:

[Screenshot: Amazon login screen]

There is a link between us: we each have the other’s address in our address books. But there is no other link. We did share an Amazon Prime account several years ago, but, while he still uses Amazon Prime, my Prime account ran out a few months before I left France, or about three years ago.

I tried calling Amazon FR to find out what happened. The first time, the call got cut off while I was waiting for my case to be escalated. The second time, a person told me to just sign out, as if it wasn’t a big deal. I explained that it was a big deal, that I shouldn’t be able to see someone’s account in any way, not even their shopping cart. After several minutes, I was put on hold for a long time, then the call got cut off.

I’m quite worried about this. I now have two-step verification set up, but I don’t understand how I could be logged into someone else’s account. At least it’s my son’s account, and not some stranger’s, but this simply shouldn’t happen.

14 thoughts on “Serious Security Problem with Amazon; How Is This Even Possible?”

  1. I have also had a somewhat interesting experience recently with different Amazon accounts. I live in the US, so have an Amazon.com account, but occasionally buy stuff from Amazon.ca and Amazon.co.uk and have a different account for each. Same login but different passwords. I haven’t bought anything from either the .ca or .uk accounts in quite a while, but just did last week. When I tried to log in my passwords were rejected, but I was able to log in to both .ca and .uk using my .com password. Seems like they have merged the accounts and combined them under my .com password without telling me.

      • Yes, but if he had different passwords, Amazon shouldn’t have changed the passwords for some of the sites.

        • Amazon didn’t change your password, it lets you use the same account on different sites, so you were using your Amazon.com account on all the sites. Check your order history to see if that is true.

  2. I have never set up different accounts for different countries. My original amazon.com account I had set up when living in the US has worked in Canada (amazon.ca), Germany (amazon.de), and the UK (amazon.co.uk) without me having ever to sign up again (as a matter of fact, I really enjoy looking at my address history, because it pretty much shows all the places I have lived at).

  3. If you ask me, your son must have been logged in once on this browser, as the last logged in Amazon account is saved in a local cookie for convenience, but as soon as you try to make some important changes, you’re asked for your password again. I know this very well from using my mother’s account from time to time to buy some stuff for her. If you don’t force log off, the user is shown again next time opening up the browser…

    • It’s simply not possible, as I say in the article. I’ve used the browser with Amazon FR at some point. He always brings his laptop when he visits.

      • Yeah, I’ve seen that, but it’s such a big coincidence, that it’s your son’s account and not some stranger. I really can’t imagine why the website should behave like that otherwise, but hell yes, you never know for sure…

      • Perhaps you can prove me wrong, if you restore your Firefox state to the point where your son’s account was logged in using Time Machine and see if he’s logged in again. But I could imagine that the cookie is now invalidated after you switched the accounts on amazon.fr.

  4. I’m having similar issues with Amazon UK at the moment. Last week I ordered an expensive (£130) item from Amazon that was delivered next day with Prime. All is fine with the item but a few days later I received an email thanking me for ‘changing my delivery address and delivery option to express’ on a request for a replacement of the item. The address was for a man in Essex (I live in Oxfordshire). I looked in my account and sure enough there was a new address next to the request for a replacement. I contacted Amazon via the call back service and the operator told me she would forward the issue to the security team and that I should change my password. I did this and awaited an email from security (they only communicate via email apparently). I heard nothing and tried to log into my account but was told that I couldn’t be identified by my log in email. I couldn’t find a phone number for Amazon (to be honest I didn’t try very hard) and without being able to log in to my account, I had the bright idea of doing it via my Dad’s account (he’s 70 so I have access). That’s when things really started to become fun. The operator again told me that she’d pass on my details to the security team. My dad then started receiving emails to his address but addressed to me and about my order history. He also received an email purporting to be from security about unauthorised activity on his account. It wasn’t personally addressed though so I was suspicious of it. Anyway, a third call to Amazon, this time via their call back for account login issues, the operator told me he wasn’t authorised to access my locked account but could take my dad’s, now associated, email address off the account. Again he said my details would be passed on and I’d be contacted within 24hrs. I’m still waiting. Meanwhile it’s a week to Christmas and I can’t order anything from Amazon. As an aside, my dad and I share a Prime subscription. It’s on his account and I’m in his address book to allow me to order items via Prime. Sorry this is so long-winded but I wanted to share it in case anyone else has had a similar experience. It all started with someone being able to fraudulently order a replacement item from my account.

  5. Someone hacked into my Amazon account and changed my email address while I was out of the country on June 18th. Tried to log in to my account when I got back, but the account was not found! The customer support was horrible, and told me that since I did not know the email address (I gave them address and latest order number from 6/13) they could tell me nothing! They wouldn’t even tell me if there were charges since the 18th. These agents were in the Philippines. I finally got one in W VA who told me that there were many charges and that the email address changed again while we were on the phone. He filled out a form, but still have heard nothing from Amazon, except a terse email today saying my account is fine. Suggestions?

  6. We have had a really stressful time over the last 5 days trying to solve a similar issue with Amazon with an e-mail change that was not authorised. When you give step by step instructions for them to understand they still reply with an answer that has nothing to do with the problem that you are trying to solve. Due to the amount of stress involved, we have reluctantly decided to settle for account deletion and even that is quite a challenge for Amazon. We have been recommending people to stay well away from them. We have also had problems with eBay and PayPal. Two or three of the biggest online shopping platforms and they are not able to solve a simple issue. Welcome to the new world of customer service. They say that if you delete your account then you will not be able to return items etc. This is actually a breach of consumer rights. Sorry to see that you and many others have had to go through this too.
