Author Topic: My Amazon Account was hacked  (Read 3076 times)

My Amazon Account was hacked
« on: 29 March, 2018, 11:59:07 am »
I started receiving emails from Amazon.com titled "Revisions to your account" with the contents as below:
Quote
Thanks for visiting Amazon.com! Per your request, we have successfully changed your password.
Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more.
Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account. Thanks again for shopping with us.


I didn't worry overly as they looked like spam and in any case I don't have a .com account.

Then I received one that said:

Quote
Thanks for visiting Amazon.com! Per your request, we have changed the e-mail address associated with your account
The e-mail address associated with your account has been changed. The old address was russell@russell.com. The new address is zhaonian560631@163.com.
Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more.
Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account.
Thanks again for shopping with us.

This worried me more so I tried to log onto my account and was told it didn't exist.  I then checked my credit card statement and found a transaction that was not one I had initiated - an ebook in German.

A phone call to Amazon started the process of recovery and one to the bank to cancel the card and now all is back to normal.

The moral of this story is that these types of hacks are all too common and it is highly recommended to put the Two-Factor Authentication process in place.

This website explains it better than I can.  My experience was virtually the same as Fritz'.

http://jeffreyfritz.com/2018/01/my-amazon-account-was-hacked-and-how-i-made-it-more-secure/

Amazon state that "We do not know how this person got your sign-in information because that happened away from our websites".  Not sure I believe this.

Anything that is ordered fraudulently is archived (or hidden) on the orders page.  They can be revealed by finding the hidden option under the past orders dropdown.

Oh, and the sign in details for .com are the same as .co.uk!


Re: My Amazon Account was hacked
« Reply #1 on: 29 March, 2018, 12:05:49 pm »
Glad it is being sorted...

Quote
Amazon state that "We do not know how this person got your sign-in information because that happened away from our websites".  Not sure I believe this.

Have you used that password (or a similar one) for any other websites?
"Yes please" said Squirrel "biscuits are our favourite things."

Re: My Amazon Account was hacked
« Reply #2 on: 29 March, 2018, 12:08:24 pm »
Quote
Have you used that password (or a similar one) for any other websites?

Similar yes, modified for the specific site.

Re: My Amazon Account was hacked
« Reply #3 on: 29 March, 2018, 12:09:30 pm »
Oh, and also recommended is to delete all payment cards on the account.

Re: My Amazon Account was hacked
« Reply #4 on: 29 March, 2018, 12:16:58 pm »
Quote
Have you used that password (or a similar one) for any other websites?

Quote
Similar yes, modified for the specific site.

Most likely is that another site you've used in the past was hacked, your username/password for that site was obtained and then they've guessed what you use as a password on other sites.

i.e. if people use:-

blah98ebay
blah98amazon
...

then it's quite easy for a computer to guess what your password might be for another site and it's trivial for computers to try this on many sites.

Stick your email address in here: https://haveibeenpwned.com/ and see if another site you've used has been hacked.

(This site is perfectly safe [it is run by a renowned security researcher], all it asks for is your email address. I get told my email was part of one breach [Dropbox] but luckily I'd used a unique password on that site.)
"Yes please" said Squirrel "biscuits are our favourite things."

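Added example, not part of any post in this thread: a self-audit that flags the "same base plus site name" habit described in Reply #4, run over your own exported password list. The vault entries, function names and the list of generic domain labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Domain labels that are too generic to count as "the site name".
GENERIC_LABELS = {"www", "com", "co", "uk", "org", "net", "fr", "example"}

# Constructed sample vault (site -> password), modelled on the thread's example.
SAMPLE_VAULT = {
    "ebay.co.uk": "blah98ebay",
    "amazon.co.uk": "blah98amazon",
    "amazon.com": "blah98amazon",
    "dropbox.com": "Blah98-Dropbox!",
    "bank.example": "c7#Lq9vTz!m2Rw",
}

def site_tokens(site):
    """Domain labels that could plausibly be embedded in a password."""
    return [label for label in site.lower().split(".")
            if label not in GENERIC_LABELS and len(label) >= 3]

def password_base(site, password):
    """Remove the site's own name, case and punctuation, leaving the shared base."""
    lowered = password.lower()
    for token in site_tokens(site):
        lowered = lowered.replace(token, "")
    return re.sub(r"[^a-z0-9]", "", lowered)

def find_derived(vault, min_base_len=4):
    """Return {base: [sites]} for every base that protects more than one site."""
    groups = defaultdict(set)
    for site, password in vault.items():
        base = password_base(site, password)
        if len(base) >= min_base_len:  # ignore empty or trivial residues
            groups[base].add(site)
    return {base: sorted(sites) for base, sites in groups.items() if len(sites) > 1}

if __name__ == "__main__":
    # Report the affected sites only; never echo the base itself to the terminal.
    for sites in find_derived(SAMPLE_VAULT).values():
        print(f"{len(sites)} sites share one base password: {', '.join(sites)}")
```

Every site listed in one group should get its own randomly generated password, since a leak at any one of them exposes the base for all the others.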
Re: My Amazon Account was hacked
« Reply #5 on: 29 March, 2018, 12:17:42 pm »
Quote
Oh, and also recommended is to delete all payment cards on the account.

You might also want to cancel all your payment cards and get new ones.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: My Amazon Account was hacked
« Reply #6 on: 29 March, 2018, 12:31:49 pm »
Results of the Have I Been Pwned check are below:


Quote
Oh no — pwned!

Not pwned on any breached sites and found 1 paste
Pastes you were found in

A paste is information that has been published to a publicly facing website designed to share content and is often an early indicator of a data breach. Pastes are automatically imported and often removed shortly after having been posted. Using the 1Password password manager helps you ensure all your passwords are strong and unique such that a breach of one service doesn't put your other services at risk.
Paste title    Date                      Emails
No title    30 Jan 2018, 01:01    11,518

Clicking on the No Title link reveals that the page on Pastebin has been removed.

Re: My Amazon Account was hacked
« Reply #7 on: 29 March, 2018, 04:46:20 pm »
Quote
Oh, and the sign in details for .com are the same as .co.uk!

And indeed other Amazon enabled countries, "amazon.fr" for example.