What To Do If Your Account Has Been Hacked


#1

For some time now hackers have been targeting Amazon seller accounts. Some symptoms of a hacked account are:

  1. Your account has numerous products listed which you do not sell.

  2. Customers are inquiring about transactions which you do not recall conducting, or you receive emails from Amazon which do not seem to correlate with your actual sales.

  3. Your bank transfer has not arrived, and/or your bank information has changed.

  4. You cannot log into your account.

If any of the above circumstances obtain, your account may have been hacked. Here are the steps to take in such a situation:

Change Your Password

Assuming you can still log into your account, do so, preferably from a different computer or device than you normally use, and change your password (Seller Central, Settings / Login settings and then the “Edit” button next to “Password”). You want to log in from somewhere other than your normal location in case the hacker has installed a keylogger on your system that records your keystrokes.

If you cannot still log in, contact Amazon (as described below under Notify Amazon) and explain that to them.

Remove Any Added Users

The hacker may have added users to your account. Those users will still be able to log in even if you change your main password, so you must remove any such users. In the current (2017-04-06) version of Seller Central, you would do so by going to Settings / User Permissions and deleting any “Current Users” or “Pending Users” that you do not recognize. You may also want to “Revoke access” if there are any “Amazon MWS Developer Permissions” set up that you cannot explain.

Set Your Account to “On Vacation”

This is particularly important if hackers have added bogus products to your account, but I would take this step in all cases, if only to calm the situation down. In the current (2017-04-06) version of Seller Central, you put your account on vacation by going to Settings / Account Info, then selecting “Going on a vacation?” next to the words “Listings Status”, then on the next screen select “Inactive” and “Save”.

Of course, if a hacker continues to have access to your account he can take it off vacation again, so this may need to be monitored and repeated.

Notify Amazon

DO NOT EMAIL AND WAIT FOR A RESPONSE. Rather, call Amazon Customer Service at 1-888-280-4331 (if that number has changed, Google a new one) and ask to be transferred to Seller Support. Tell Seller Support that you believe your account was hacked. Ask them to take the following actions:

  1. Place your account on vacation and take whatever other action they would normally take for a hacked account.

  2. Cancel any sales of bogus products made by your account, and remove products you do not sell.

  3. Tell you if your bank information has been changed, and check into the status of any bank transfers, to see if monies have been transferred to accounts other than your own.

  4. Recover any transfers that went to a bank account other than your own.

  5. Remove any additional users that may have been added to the account (in case the hackers are somehow re-adding them as you delete them).

Amazon is known for its sluggish responses to calls for help on these matters, so be persistent.

After that, send an email to seller-performance@amazon.com saying something like (edit and elaborate as appropriate):

On April 6, 2017 I determined that my Amazon seller account (email address of account) had been hacked. Items have been listed that I do not sell, sales have taken place for products that I do not offer for sale, and money has been transferred to a bank account that is not my own. I have notified Seller Support and taken action to secure my account. Please take appropriate action on your end to secure my account, and please note my account with these facts.

Try to Determine What Happened

Your account may have been hacked by an outsider. Some of the attack vectors for that sort of hacking are:

  1. Malware-laced “phishing” emails that fooled you into installing malware on your system, including emails where you may have clicked on attachments.

  2. A malicious website that installed malware on your system.

  3. A fake “Amazon” website, possibly one you reached by clicking a link in an email, that accepted your login credentials and saved them for use by bad actors.

Think back and see if you can remember what action you might have taken that could have led to the installation of malware on your system.

It is important to understand that your problem may also be the result of an inside job. Consider who else may have physical access to your computer and account, or who may know your username and password. You may want to keep all other users off of your account while you sort things out. Don’t get unnecessarily paranoid, but one should consider all possibilities.

Take Steps to Remediate

If your account has been hacked it is possible, perhaps likely, that it is because malware has been installed on the computer you use to access it. You should take steps to eliminate any installed malware. Those steps range from draconian to relatively mild.

The most severe step you can take is to purchase a new computer and use it. Generally I don’t recommend that, but it will fix the problem.

The next most severe step is a complete reinstall of your operating system. Most people would prefer to avoid this, as it involves re-setting up the system in its entirety, including reinstalling any software you had been using, reconfiguring everything . . . it’s a pain. However, this is the only action short of purchasing a new computer which is virtually guaranteed to eliminate any malware. (One does read about super-sneaky malware that hides in disk controller firmware and such . . . those would not be eliminated, but they also do not seem to be common.)

Next on the list and less severe than the above would be to roll back the operating system to a previous point in time. On Windows, this is accomplished using System Restore. Assuming your system has been creating restore points, you can tell Windows to roll back to a previous date, which you would select to be one from well before you believe the hacking occurred. This has a decent chance of eliminating the problem. This step may also roll back some changes you made to the system that you still want, but those are probably easily reinstated.

The least severe step, and one which you can take in combination with the rollback step, would be to run a scan of your system to eliminate any known malware. For Windows, I recommend installing and running the free edition of Malwarebytes. Unfortunately, although this is a very effective step to take, there is no guarantee that taking this action will eliminate whatever caused the problem in the first place. That is true even if the malware-eliminating software finds and eliminates some rogue program or programs on your system. It may still have missed the one that caused the problem, and there is no real way to know. The chief advantage of this step is that it makes no substantive changes to your system. That advantage may outweigh the uncertainty issue.

In addition to those steps, you will want to delete from your Amazon inventory any bogus items that hackers may have added.

Be Careful Out There

In order to prevent this issue from recurring in the future, it’s a good idea to practice sound Internet/Amazon hygiene:

Regularly (every two days) check your bank account, credit card, and user permission settings in Seller Central to make sure they have not been changed without your knowledge. Checking these regularly should enable you to report any unexpected changes to Amazon before money is exported from your account to that of a hacker.

Consider dedicating a computer to your sales activities. An old computer with a browser is usually sufficient; there is no great need for speed. (I do not do this due to the inconvenience, but it would provide greater security.)

Don’t open email attachments from people unknown to you.

Don’t open email attachments that appear to be from people known to you if you weren’t expecting them and the accompanying text does not ring true.

Don’t visit sketchy websites, or if you must, do it from a different computer than the one you use for your selling activities.

Don’t install software you don’t need.

Always be skeptical. Emails that in any sense say they want you to log into an account, or whose instructions if followed would result in you doing so, should be regarded with extreme skepticism. If you were to receive, for example, an email purportedly from Amazon.com that asked you to log into your account to check or verify something, do so by going directly to the Amazon (or other website) web address, NOT by clicking a link in the email. That link may take you to a fake website that will steal your login information.

Do not share your login password with anyone who doesn’t really need to know it. If you have people who need to take limited actions on your account, rather than giving them your password use the Seller Central features to create a user account with limited permissions.

Scan your system regularly (monthly, let’s say) with Malwarebytes or some other anti-malware product.

For Windows, make sure System Restore is operating and restore points are being created (a discussion of which is beyond the scope of this writeup). You can’t use them if you don’t have them.

bunga bunga!
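
The advice above about fake “Amazon” websites and login links in emails comes down to reading the hostname correctly. As an added example (not part of the original post), this Python code contrasts the by-eye check with a strict hostname check; the trusted-domain set and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one registrable domain trusted for seller logins.
TRUSTED_DOMAINS = frozenset({"amazon.com"})


def naive_check(url):
    """The check people do by eye: does the link mention amazon.com at all?"""
    return "amazon.com" in url.lower()


def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no hostname"
    # Everything before '@' is userinfo, not the site; the real host follows it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host: " + host
    # Non-ASCII or punycode labels can render as lookalikes of a trusted name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized hostname (possible lookalike)"
    # The trusted name must be the END of the host, on a label boundary.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "host is " + host
    return False, "host is " + host + ", not a trusted domain"


# Constructed sample links using reserved example domains, not taken from real mail.
SAMPLES = [
    "https://sellercentral.amazon.com/",
    "http://sellercentral.amazon.com/",
    "https://sellercentral.amazon.com.account-review.example.net/signin",
    "https://sellercentral.amazon.com@login.example.org/signin",
    "https://sellercentral.\u0430mazon.com/signin",  # first 'a' is Cyrillic U+0430
    "https://login.example.net/?return=https://sellercentral.amazon.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_link(link)
        print(f"naive={naive_check(link)!s:5} strict={ok!s:5} {reason}")
```

Only the first sample passes the strict check, while the substring test accepts five of the six.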


#2

Great post

Should be pinned


#3

Great post, Bunga!


#4

Very helpful post. Definitely should be pinned. Thanks for taking the time to create it.


#5

I would suggest adding 2-step verification when changing password so it is more difficult to change password again.


#6

Thanks for the update and tips Bunga Bunga - Sorry to hear.
Some of the smartest people are getting Hacked.
Maybe we’re in the wrong business?

Did you happen to do any cockroach test buys recently?
I am seeing calls/text and intl calls like never before - only after doing the recommended Test Buy.

Until there is a flow of news about arrests and convictions it is open season on the innocent and there is zero help for the unsuspecting victims.


#7

>I would suggest adding 2-step verification when changing password so it is more difficult to change password again.

Yes, that’s a good idea.

Seller Central – Settings / Login Settings / Advanced Security Settings: Edit

bunga bunga!


#8

bump - great post!


#9

>Thanks for the update and tips Bunga Bunga - Sorry to hear.
Some of the smartest people are getting Hacked.

To be clear – we were not hacked.

bunga bunga!


#10

Nothing really smart about not reading the notice in Seller Central and using the Two-Factor Authentication feature that was started a while ago.

That would help to rule out a great deal of many “outside” hacking attempts.


#11

>bunga bunga wrote:
>Some of the smartest people are getting Hacked.
>
>>Nothing really smart about not reading the notice in Seller Central and using the Two-Factor Authentication feature that was started a while ago.

I didn’t write “Some of the smartest people are getting Hacked”; I mis-formatted the post in which I quoted that. Someone else wrote it.

For our part, we started using the Two-Factor Authentication as soon as it became available. It would have been ridiculous not to, considering that I have been pounding the table for it since forever, e.g.:

https://sellercentral.amazon.com/forums/message.jspa?messageID=3553955#3553955

bunga bunga!


#12

Sunday afternoon bump.


#13

My account was hacked. While I haven’t done all these steps listed I am still trying to get to the bottom of this. My disbursement went out to the hacker’s bank. I realized 12hrs after my disbursement initiated. Since trying to get this cleared up my account has locked me out but since then opened back up. Is there a specific dept you recommend me contacting to get the disbursement stopped? It initiated 4/4/17 and I notified them on 4/5/17 or is there no longer any hope. It was a large sum of money over $50,000. Thankfully this was I had a loan repayment so the disbursement was for “less” than what it could have been. Is Amazon to be held liable for this? Is there a someone REAL to get in touch with?

Thanks


#14

Was meant for you bunga::

My account was hacked. While I haven’t done all these steps listed I am still trying to get to the bottom of this. My disbursement went out to the hacker’s bank. I realized 12hrs after my disbursement initiated. Since trying to get this cleared up my account has locked me out but since then opened back up. Is there a specific dept you recommend me contacting to get the disbursement stopped? It initiated 4/4/17 and I notified them on 4/5/17 or is there no longer any hope. It was a large sum of money over $50,000. Thankfully this was I had a loan repayment so the disbursement was for “less” than what it could have been. Is Amazon to be held liable for this? Is there a someone REAL to get in touch with?

Thanks


#15

Please start a new thread with questions; do not add to this one unless you are adding advice on what to do if your account has been hacked.

I said in the post whom to contact.

bunga bunga!


#16

Thanks for another of your excellent guides, Bunga - I’m quite sure I’m not alone in appreciating this, and all of the other service you’ve performed with other guides for various issues.

I do think a good corollary is to recommend that people monitor password breaches that occur on other venues, which are a prime method for hackers to gain access (largely due to lax security practices, such as using the same password for multiple sites).

An easy way to monitor such breaches is to sign up for Microsoft Regional Director Troy Hunt’s free monitoring service “Have I Been Pwned?” (not a misspelling). Entering an address for monitoring will result in an email notification any and every time a breach is detected on a global list of sites. While we have found the service so valuable that I actually donate towards its maintenance, this is not a requirement - it really is offered for free.


#17

Yes, you’re quite right. It is becoming increasingly apparent that too many sellers use the same password for their Amazon account as they do for accounts at other websites, and that password breaches from other sites are a primary method for hackers to obtain those Amazon seller passwords.

Probably Amazon needs to do as other sites have done, even sites that have not themselves had a breach but are aware of this tendency of users to reuse passwords, and force a password change for all sellers, or sellers whose accounts are dormant . . . SOMETHING. Painful, but what we are currently seeing is worse.

bunga bunga!


#18

I use a password manager so I only have to remember a master password. I have that written down in a secure location that a few trusted family members know about in case I get hit by a truck. I also use a Chromebook and an iPad instead of Windows. Windows ends up with so much bloat ware that I’ve given up on it. I am at a point where almost everything I do is in the cloud, so I want an OS that just works.

The only thing that bothers me is that my seller and buyer accounts are connected. Is there a way to separate the two? I would feel much better.


#19

I’ve been in IT for 20 years and there are more simple steps we all should take:

  1. Upgrade to Windows 10, it is infinitely more secure than Windows 7

  2. Run an anti-executable virus software such as PCmatic. This will prevent any software from executing or adding to the Registry unless you actually whitelisted it in advance. Today’s anti-virus software is obsolete and has to already have the protection for a known bad program or it is useless. Anti-executable programs just block everything and then you add in the ones you trust.

  3. Lock down all your browsers with high security settings, turn off every feature that is not necessary to make Amazon Seller Central function such as flash & java. Stick with Chrome if at all possible or use Edge. Firefox has been badly compromised and we stopped using it many months ago.

  4. Use a password manager such as LastPass or KeePass so your passwords remain encrypted and not typed in. You can get the best results by carrying around a USB stick to allow access to your machine, taking these protections to the next level. It takes quite a bit of effort, but when there is $50,000+ at stake, it’s just mandatory.

  5. Turn off “Respond to ping requests” in your router so that no one can find you from the outside. There are many other ways to lock down your router and your networks which we should all deploy.

  6. For any business PC’s start with a brand new reinstall of Windows / Mac and NEVER allow anyone to go to on any entertainment or social media / free download / pictures site. If it is not a critical business site it is not allowed. Do not watch videos or go to news sites on that machine(s) ever. We have a strict “no fun” policy in our shop and don’t even allow Facebook which is full of very bad links to drive by downloads.

  7. Never click any link in ANY email EVER!! If some “friend” sends you a link and it looks legit, then copy / paste the actual text (or better yet re-type it) into a sand-boxed browser session and see if the URL changes.

  8. STOP logging into Windows as the Administrator! This is how most hacking occurs, because after they gain hidden access to the system they run in the background yet have full rights to install software. By creating another User account and logging in as a Non-Admin you would have to enter a password for them to install their software. This #1 step would prevent 95% of all hacks. Nearly everyone runs their PC how they bought it, which is using the Admin account from the factory!

  9. There are so many simple things you can do to discover and stop all rogue traffic from entering your network. OpenDNS will prevent any IP traffic which is not already known to be safe and blocks everything else. Run something like PeerBlock on your PC so you can see each and every packet of traffic going across the lines. Access the internet through a Proxy server for a short time and shut these guys down.

  10. LEARN about Security! Hackers prey on your ignorance. If every computer user were forced to go through a week’s training before they ever used a PC, then had to do a refresher course each year, 99% of all hacking would go away instantly. We are our own worst enemy :)

IF you have been hacked you need to take this to NSA levels of seriousness. These hackers are the smartest people on the planet. They even have Inside guys at software companies, who all get together and write back doors into people’s systems based on their knowledge of how the code works. There is a lot of corruption in the software industry.

From experience, there are more very critical steps for stopping a Hack and preventing a future one:

  • Discover your current IP address and write it down

  • Disconnect everything from your network and unplug everything on the LAN.

  • Call your ISP and get a new IP address (or verify they change it constantly). Let them know you have been Hacked and ask if they can trace your traffic through any Proxy, DNS service, or foreign country

  • Flash your router (update firmware) and see if you can change its MAC address, or replace it

  • You must be running a Hack-Proof router to begin with which can download Firmware straight from the Mfg website and has a factory reset BUTTON on it, such as high end Asus devices.

  • Don’t go cheap on routers, it must also have built in Security, anti-DDOS, and many other settings!

  • Now, start with a new PC or fresh installation of Windows on a formatted PC with a successfully flashed BIOS and brand new network card (absolutely must have). Yes, you will have to disable your onboard LAN and add a PCI card. This will stop the hackers from being able to find you by your MAC address.

  • Set up your HOSTS file in windows to block access to all sites except the ones you trust

  • Fire up all your programs and get this PC back to normal (do not connect anything else except your printers)

  • Max this computer out with 2 factor authentication, User Account, every kind of firewall setting, browser security, anti-exe software, DNS filter, etc. Your new nickname for this bad boy will be Fort Knox!

  • You must segregate all other PC’s on the network from this PC. This will require either a separate internet connection, or 2 separate routers behind your cable modem (likely not possible). You must keep it impossible for any traffic to cross from old PC’s to the new one.

  • As an alternative, set up a NAS to transfer data between PC’s using “mapped network drive” but do not network the PC’s on a “Home Group”.

  • Perform all the steps mentioned in this post and also those mentioned above on your Amazon PC

  • Perform all the same steps on any other PC you intend to put on your clean network or remove it from your property forever

  • Educate everyone who has access to your property, set policies for everyone on your LAN with severe consequences for violating those rules.

IT security is one of the super critical areas where Americans are the most vulnerable. America is the most hacked place on earth because most choose to remain very ignorant about these simple steps which protect their virtual environment.

We’ve had Root Kits, experienced DDOS, been hacked, lost email accounts. Once I saw a virus (activated simply by right clicking a picture in Google Images) suddenly wipe our hard drive, froze our screen, and destroyed CMOS permanently (that computer never booted again). I’ve seen just about everything and had to learn all this stuff the very hard way.

I started doing all these steps plus a bunch of other stuff I can’t remember right now because I’m tired and it’s been about 4 years since we’ve had anything bother us. Mostly it’s about changing your habits and totally changing how you think about your online footprint.

The mission of Hackers these days is to just live on your network undetected. They don’t usually delete or destroy to get your attention, they want to hide and steal your bandwidth quietly and piggy back their garbage off your network (free bandwidth for them). Most bad guys just collect data and banking information and then sell it, or maybe wait for an opportunity to clean you out all at once.

IF: your computer is running really slow, having a hard time booting, can’t load or uninstall software, can’t access Control Panel, can’t watch internet content, browser home page changes, other websites pop up, web addresses change mid stream, can’t load a web page, flash doesn’t work properly - these are all telltale signs you have unwanted guests.

I would say the #1 sign you have been compromised is a consistently slower and slower internet connection. (Red flag if you cannot get a good speed test anywhere near what you are paying for at any time of the day - You should always be able to speed test at the bandwidth you are paying for). These bad guys are super greedy and will hog more and more of your bandwidth until you get so frustrated you just turn your computer off. I cannot tell you how many times this stuff all happened to me until I finally learned how to secure a small network.

I hope this helps,
Jay


#20

bunga bunga and 3rd Venue - Bravo!!

One of the best threads I’ve seen in a while!