Connect with us

Hi, what are you looking for?



Cybercriminals Target Amazon Third-Party Sellers With Password Reuse Attacks

Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account.

Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account. It should be noted that this is not an attack against Amazon users, but against Amazon third-party sellers.

It would be wrong to say that Amazon is being hacked. Legitimate passwords are being used to access legitimate accounts. These passwords come from the billions of stolen passwords available on the internet. Where there is a fault, it is in users’ continued tendency to use the same password across multiple accounts; and to rarely, if ever, change them.

The only real difficulty for the criminals is matching the stolen and reused password to the Amazon account — and this is not hard. Since almost all services employ the user’s email address as the username, it is merely a question of locating a third-party seller, finding the seller’s email address, and trying the associated password from the list of stolen passwords. “The attackers are mining the rich seam of stolen credentials publicly dumped or traded in underground forums,” ESET senior research fellow David Harley told SecurityWeek. “That way, they only need to match known credentials to Amazon account holders.”

Even if the seller’s email address is not known, it could possibly be obtained from Amazon itself. “If Amazon is the weak spot, perhaps the registration page?” suggested Sean Sullivan, security advisor at F-Secure. “The ‘Create account’ page looks like something that could be targeted with a list of addresses, from which could easily be noted those to result in a message of ’email is already in use’. Then you have addresses to try on the sign-in page.”

The basic password problem was highlighted in a recent study by Thycotic, which found that even security professionals reuse passwords, use weak passwords, and don’t change them over long periods of time. A password stolen from Yahoo years ago might well provide access to other accounts today — including Amazon.

The result, according  to the Wall Street Journal, is that some sellers are losing thousands of dollars. “CJ Rosenbaum, a New York-based lawyer who represents Amazon sellers, says that more than a dozen of his clients have recently called to tell him they were hacked, a number of whom lost about half of their monthly sales of $15,000 to $100,000. They are asking Amazon for their money back, Mr. Rosenbaum said.”

WSJ also reports that “some sellers say the hacks have shaken their confidence in Amazon’s security measures.” This isn’t entirely fair — all users should do more to protect their passwords: strong, unique passwords that are regularly changed. And wherever possible, two-factor options should be employed.

“It is critical for Amazon resellers to take advantage of Amazon’s two-factor authentication to prevent this type of hijacking and phishing activity,” comments Sophos’ principal research scientist Chet Wisniewski. “All Amazon users should take advantage of this feature, but considering what third party resellers have at risk it is even more important. The easiest method to enable uses a time-oriented token you can load for free on your Android or iOS smartphone. The most popular app to use for this is Google’s Authenticator app.” Sophos has its own option that can be installed on Android or iOS and enabled in the Amazon or AWS account.

Advertisement. Scroll to continue reading.

This is not to say that Amazon could not do more to protect its customers. In the desire to make things as easy as possible for customers, services like Amazon (and including almost all services from other ecommerce sites to social networks) do not enforce good password practices. Two-factor authentication is rarely required, and users are not forced to change passwords regularly. The bottom line, however, is that users need to better understand how to generate strong, unique passwords; and to regularly change them.

“There are several steps sellers can take to protect their accounts, including monitoring their account on a frequent basis, updating their password regularly and by using two-factor authentication,” an Amazon spokesperson told SecurityWeek in an emailed statement. “If anything looks suspicious, sellers should reach out to Amazon immediately so we can investigate by contacting Seller Support via our urgent help feature in Seller Central. For more best practices, sellers can visit:

“There have always been bad actors in the world; however, as fraudsters get smarter so do we,” the spokesperson said. “Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on”

*Updated headline and added commentary from Amazon spokesperson

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...