7 comments

[ 300 ms ] story [ 781 ms ] thread
Ultimate account protection.

Force password reset? Disable login until a rep contacts you by phone? 2FA?

Nah. If it leaks (or we think it has), just nuke it and start over.

Yeah - crazy extreme. I didn't even know until I tried to log in and my password was "invalid", and reset didn't work.
I thought I'd add a timeline of events in case it's of interest to anybody in the same position.

30th June

- Attempt to login to complete checkout of an Amazon order I am trying to make, password invalid

- Attempt a password reset, I get the same password invalid error when trying to log in after the resetting my password

- Raised the issue with @amazonhelp on twitter https://twitter.com/colinmeinke/status/880794726911356928

- Eventually received a link that got me to a support phone number

- Called the support phone number, and was told that my account was ON HOLD, and would receive an email within 24 hours

1st July

- Within 24 hours I did receive an email stating my account had been CLOSED because of an "indication that an unauthorised person has logged in" to my account (see https://twitter.com/colinmeinke/status/881814337140248576)

2nd July

- I opened a new Amazon account as per the instructions in the email

- I tried to reply to the email with the new Amazon account's email address that I just set up

- The email bounces as the reply address could not be found (see https://twitter.com/colinmeinke/status/881443024580079616)

- I log in to my new Amazon account and chat to customer support. They can't really help and tell me they have spoken to another team and I will receive an email within 24 hours

3rd July

- I do not receive an email within 24 hours

- I continue the conversation on twitter, and get varying responses from different customer support agents, including a suggestion to contact AWS support

- I contact AWS support via a form on their website

- AWS support says the root issue is with my retail account, however, it has impacted my AWS Account as the login is the same, and that I need to email cis@amazon.co.uk who will provide me with further information

- I email cis@amazon.co.uk

Despite Amazon's efforts to ease the commonly escalated problems while shopping, when there's an actual problem they're still remarkably opaque. I would give up hope of communication until at least Wednesday; most of the people who may be able to help you are probably on holiday.

Sadly, individual consumers are ultimately not valued by Amazon, especially when they are determined to be more trouble than they are worth. You get some of the best customer service in the industry until some algorithm calls your login/purchase/return patterns abusive, at which point your account is closed and questions are responded to with "this is the last contact you will receive from us."

Know why you needed to make a new account with a new email address? To get around the automated filters put in place to bit-bucket your messages. That new account will probably be closed too (especially if you attempt a purchase with it), when the algorithms determine it to be related to a closed account.

This is probably the greatest irony from Amazon - as long as you don't stand out from the crowd, you can get amazing customer service from them - I've returned defective products long after the normal periods and had very quick resolutions from them for minor problems, but all it would take is someone picking up on my account and trying to brute-force their way in for Amazon to decide I am 'too much trouble' to deal with any further.

It's not just Amazon who do this, of course, but the boilerplate reply that simply cites 'violation of T&Cs' with no option to query exactly what you have done, if it was you at all, shows the dark side of private companies with all this control. The rough equivalent of picking up the football and going home. Notice it's all carefully worded to imply the problem is with you, not with Amazon - their protection scheme kicked in because the OP's account may have been compromised, so it was closed for his benefit.

Usually a Twitterstorm is enough to get the companies to acnowledge they were wrong (cos heaven knows it's impossible to get a straight answer one-on-one, without raising such a fuss). Hopefully Trial By Twitter will complete by the end of the week.

Yup. They do this often, sometimes citing non-existing policy, sometimes not. I doubt the author will get access back, but you never know. As far as I can tell, he has zero recourse against Amazon. The lesson should be not to use Amazon's services for anything critical like running a business or sites with users without being aware of this risk. The risk is not Amazon-specific at all, although it is higher with Amazon than with most providers as they have been closing accounts at will for well over a decade and don't seem to be on any path to slow down or stop.
Tip for people using AWS: It's nowadays very easy to create and manage multiple accounts using AWS Organizations. It helps you get into the habit of grouping your services across different Amazon accounts. (I'm not sure what happens if the master account is compromised, but probably the other accounts can still be used if they have individual passwords set.)

Another good habit is to use CloudFormation (and Serverless Framework) to deploy services, so they can be fairly easily re-deployed to any account. That doesn't solve data migration though.