PSA: Amazon Hack

tzrider

Write Only User
Staff member
You may recall a kind of vague news item from this fall that Amazon exposed a large (but unknown) number of customer emails. The company hasn't been terribly forthcoming about what was compromised.

This morning some of my Amazon connected devices went offline and I couldn't get them back online. When I tried to log into my Amazon account, it showed the primary email address as being from a Russian domain. My own credentials didn't work.

I've notified Amazon and an associated credit card company but noticed that a lot of follow-up email correspondence from them was going straight to my trash folder. The email account I use is a Comcast account.

It turns out that whoever did this also compromised my Comcast email account and placed a rule in the email application to send any messages from the Amazon domain to trash. The name of the rule was simply, "r."

Why would they do that? Well, it kept me from seeing (in my inbox anyway) messages from Amazon indicating suspicious activity. There were also messages from Amazon Customer Service confirming a refund for items I never ordered.

It's hard to say for sure, but it looks as if the original breach was Amazon and then the hackers followed the email trail to hack my email account. The play seems to be to get Amazon to issue fraudulent refunds, probably to an account that is not mine.

If you are an Amazon customer, I would suggest changing your password and that of any associated email accounts.
 

tzrider

Write Only User
Staff member
I've been wondering the same thing. It was a reasonably complex password and I think Comcast would temporarily lock an account after a few bad attempts, making a brute force attack impractical, but perhaps not.
 

rodr

Well-known member
A couple of thoughts.

If you had reasonably good passwords for both accounts and they were not the same, it's time to see if a keylogger might be installed. In that case anything you do online is at risk. At a minimum malware scanning is in order.

Dunno about Comcast but Amazon and other popular services offer 2-step verification. You should take advantage of whatever they can do.
 

ThumperX

Well-known member
Yikes!
Changing everything now. God help me, I will never remember all these new passwords :wtf
 

boney

Miles > Posts
https://haveibeenpwned.com/

I have a rotating set of passwords that evolve but are easily remembered (for me). Still, I recently blew up an email account I'd had for 20 years because of the sheer number of places that I'd used it having been hacked. I think having your own domain and the ability to make an infinite number of aliases would be perfect, as then you'd know who lost your info and it would be easy to change.
 

AbsolutEnduser

Throttle Pusher
^^^Good info in this thread

You may recall a kind of vague news item from this fall that Amazon exposed a large (but unknown) number of customer emails.

I don't really... So you're not saying whether it was just "emails" or "emails + passwords/salt etc."?

I've been wondering the same thing. It was a reasonably complex password and I think Comcast would temporarily lock an account after a few bad attempts, making a brute force attack impractical, but perhaps not.

There is another angle to compromising accounts, and that is guessing / knowing backdoors and security questions v.v. 'lost password'. Maybe that happened to your Comcast?
 

Reli

Well-known member
For most e-commerce stuff, I give them an email that's simply an alias, and I tell my email provider to not accept login attempts from that alias.
 

tzrider

Write Only User
Staff member
It's hard to say what the entry point for all this was, but Comcast has had breaches where email/password pairs were exposed in plain text.

I do use a password manager and scan all systems regularly. Most of my personal passwords have been cycled in the recent past, but I think the Comcast one is older. It may have been caught in the last breach.

The extent of the Amazon breach isn't known outside of Amazon. From what I've read, it sounds like internal systems were penetrated and users could not have done anything about it.
 

Linty

Stick 'em up
I'm actually surprised at a program/app called Dashlane. Password manager that works really well on both PC (Chrome & Firefox) and Android. Very strong credentials can be created.

Also, wherever possible, enable two-factor authentication. I have it for about everything that has anything to do with money or credit cards - Amazon, banking, PayPal, investments, etc. This way, if you get a random text with an authentication code, you'll know immediately something's up.
 

tzrider

Write Only User
Staff member
Dashlane is great, as is 1Password. I’m currently using the latter but have used both.
 

Climber

Well-known member
If you use the same email/password combo in more than one place, you're putting yourself at HUGE risk!

It would only take me minutes to write a script that could go to numerous sites and try to log in with a given email/password combo.

It would only take another minute to try different combinations of numbers at the end.

You've been warned.

Personally, I keep a password protected (heavily encrypted) word file with my login info and every password is a combination of unrelated characters and none repeated.

Note: This wasn't necessarily pointed at the OP, I don't know what his login habits are, this was just a PSA on logins.
 

tzrider

Write Only User
Staff member
Agreed, Brett. FWIW, this username/password combo wouldn't have existed on more than one site for the past couple of years, though depending on what got breached, an old version of the password could have turned up.

I'm slowly chewing through all passwords for hundreds of sites and changing them now. Knowing my own habits, I'm surprised they were able to pull this off, though Comcast has had a spotty security record, with username/password combos being exposed in clear text.

As rodr mentioned, 2FA is the way to go at this point. I've resisted because I don't always carry a mobile device, but in the scheme of things, being hacked is more of a pain in the ass.
 

Reli

Well-known member
Also the issue with 2FA is, there are some sites you wouldn't really want to give your phone # to, because of what they'd probably do with it one day. And in cases where you're trying to keep your identity anonymous, well you're not so anonymous anymore once you give them your phone.
Also the issue with 2FA is, there are some sites you wouldn't really want to give your phone # to, because of what they'd probably do with it one day. And in cases where you're trying to keep your identity anonymous, well you're not so anonymous anymore once you give them your phone.


Text/phone number based 2FA is useless, very very hackable.
 

AbsolutEnduser

Throttle Pusher

I suspect he's talking about the fact that the "text/SMS" of the 2FA is easily eavesdropped on. And even spoofed towers are available. (For heavy hitters.)
If your phone is stolen/compromised to begin with, it's also a lost cause.

But I haven't heard anything graver about the 2FA other than the fact that the phone itself is easily spoofable, and that, I say, is not for small-time hackers.

UDRider

FLCL?
The only way I know of is social engineering: calling the provider and hijacking the number. Then all the SMS messages with verification codes go to the attacker's phone.

Maybe this