Hackers Count on Password Reuse in Amazon Third-Party Seller Campaign

Amazon’s ever-growing community of third-party sellers is being targeted by hackers, who are using stolen credentials to steal tens of thousands of dollars from the victims.

Amazon has more than two million sellers on the site accounting for more than half of its sales, according to the Wall Street Journal—and more than 100,000 of those gross more than $100,000 annually.

Hackers are using stolen credentials bought on the Dark Web from earlier data breaches to break into seller accounts. Once in, they can change the bank-deposit information for the account to siphon off sales. They’re also posting “deals” on Amazon that are anything but—the merchandise advertised is nonexistent. The bad guys offer four-week shipping, hoping to get paid before Amazon (or the recipient) catches on to the fraud.

“The Amazon hack is an example of how identity has become the new attack vector, and hackers are all over that fact—taking stolen credentials from one breach and using them to access another website, all because a person chose to reuse a password across multiple sites,” said SailPoint president and co-founder Kevin Cunningham, via email. “This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organizations.”

An Amazon spokesman told the WSJ that the fake-goods scams don’t get very far, since the company withholds payment to sellers until customers have received their orders. It also guarantees a full refund if a product doesn’t arrive. Amazon “is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence,” he said, and “there have always been bad actors in the world who try to take advantage of consumers for financial gain; however, as fraudsters get smarter so do we.”

That said, a number of sellers have contacted lawyers and the WSJ with tales of woe, including a company called Lightning X Products, which had $60,000 disappear from its Amazon account last month. Amazon is returning the money, but the hassle and the headaches involved in dealing with the evaporation of that much cash—not to mention petitioning Amazon to be made whole—can be significant.

Victim Margina Dennis, who alerted Amazon to fraud on her account when she began receiving shipment notifications for nonexistent Nintendo Switch videogame consoles, put it succinctly: “This has been a nightmare.”

Amazon declined to comment on individual sellers’ stories.

Sellers can protect themselves by using strong, unique passwords, never reusing a password across sites, and enabling two-step verification on their accounts.

“To avoid needless risk and to protect their identity in the event of a breach, people should take a minute to adhere to some password management best practices to help avoid potential dangers,” said Cunningham. “Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex—the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”
