Ask HN: Locked out of Amazon accounts for a month

12 points by nikolay ↗ HN
Suddenly Amazon Shopping asked me to change my password. I got authenticated, including with my 2FA, and picked a new password, but I keep getting server errors that something went wrong and asking me to retry later. I attempted on different browsers, the mobile app, incognito mode, etc. I kept trying this for weeks, hoping somebody would attend to the logging errors. Finally, I opened a ticket with Amazon Shopping, which has not been worked on for a month after being on the phone with them twice. Yesterday, I tried to use my AWS account and have a support plan for it but encountered the same issue. My IAM users and root user also experiences the same problems, and a password reset is mandated without explaining why. For whatever reason, Amazon has flagged all my accounts and IAM users as needing a password reset, and their password reset system does not work, and I'm locked out of everywhere! Their support pretends that they care, but nothing has changed! At least I managed to ask them to refund my Prime subscription, which I cannot use - I can't tell if it got canceled as I got no emails confirming that. I need a purchase receipt - I don't have access to them for the same reason. This is turning into a huge nightmare. I cannot do anything with my useless support subscriptions as, obviously, to get a good case into the system, you need to be able to log in. I pinged their Twitter support, and they again pretended they cared, but nothing different happened. I can't even cancel the useless support subscription.

I am pretty sure this is some software change issue, given how old my Amazon Shopping and AWS accounts are. They've flagged my account for some reason, although I have received no notification about this.

Given how much of my online shopping life relied on Amazon Shopping and AWS, which, even with paid support nowadays, seems useless, this is not acceptable for a modern technology company! I tried purchasing certain products directly, but many manufacturers work exclusively with Amazon.

At the end of the day, Amazon is losing revenue, not me. And sends a clear message that something's wrong with their system, which used to provide quality support and considered the logging process sacred - we all know the original Amazon Shopping, which even allowed people to create multiple accounts with the same email so that they can still complete their purchases. This is no longer the chase! A forced password reset goes against what made them big!

I am looking into alternatives such as Walmart+ and Amazon will lose loyal customers spending thousands every month. For supplements, for example, I'm trying to move my business to iHerb - I've already canceled all my Subscribe & Save subscriptions thru their customer service (that they can handle, but they can't remove the requirement to reset the password).

5 comments

[ 3.2 ms ] story [ 33.6 ms ] thread
Could the first password change request have been malicious? The subsequent resets may not work because the email has been changed. Check your credit cards they have on file to make sure you're not getting massive AWS charges.
No, I did not receive any emails - just visiting amazon.com required me to reauthenticate and then required to change the password. The good thing about 1Password and other password managers is that you can't easily get tricked as the password prompt won't match the hostname and this will make you more suspicious.
I feel like I should attempt to reach out to Werner Vogels, their CTO, who I respect greatly. I'm sure this is some data migration that went rogue, etc., but a simple mechanism of "remind me later" to a password reset would have fixed the issue. You must not twist the arms of a customer with 2FA enabled to change their password! Also, if the mobile app asks me to change my password, it would be inconvenient as I still prefer desktop browsers for this type of activity. Also, the app on my phone, which has been installed and activated for ages, is effectively another form of 2FA - why was I logged out from there, too?! In general, they are violating many of the modern-day best practices!
The unfortunate thing is that something like a Tampermonkey script that was loaded in your browser could cause that kind of event, and capture your new password and transmit that to a third party, where the e-mail address and everything else could be changed.

But tools like Greasemonkey and Tampermonkey are the good guys. They tell you when scripts are updated, etc.... Malware versions of comparable tools could operate entirely below the surface, without your ever knowing.

That's why I don't use any such tools and I'm extremely careful when I approved the few extensions from verified sources I use in the browser. But I am fully aware of the supply chain attacks so Grammarly, for example, and 1Password could also potentially inject malware.