The Fake Amazon Seller Account Takeover

A small business selling handmade gifts on Amazon had its seller account hijacked — all revenue was redirected to another account and £12,000 went missing.

Small gifts business (UK) · 2022 · 2 min read

Attack Chain

  1. Password obtained from unrelated data breach
  2. Amazon Seller account accessed with reused credentials
  3. Bank payout account silently changed
  4. Revenue diverted for three weeks undetected

Background

A husband and wife team ran a small business selling handmade candles and gifts through Amazon Marketplace. Their Amazon Seller account was their primary sales channel, generating around £4,000 per month. They used the same email address and password across multiple accounts.

The Attack

Criminals obtained the couple's email address and password from a data breach at an unrelated website where they had reused the same password. Using those credentials, they logged into the Amazon Seller account and changed the bank account number for payouts. Over the following three weeks, Amazon paid out their sales revenue — including a pre-Christmas peak — into the criminals' account. The couple only noticed when their expected bank transfer did not arrive.

Response

Amazon was contacted and a case raised. The platform's fraud team confirmed the bank account change and suspended payouts while investigating. The couple changed all passwords and enabled two-factor authentication on every account.

Outcome

Amazon reimbursed £8,000 after six weeks of investigation. The couple lost £4,000 outright and suffered three weeks of disrupted Christmas trading. They estimated another £5,000 in lost sales during the account freeze.

Key Takeaways

  1. Use a unique password for every account — a password manager like Bitwarden (free) or 1Password makes this manageable
  2. Enable two-factor authentication on your Amazon Seller account and any platform that receives your business revenue
  3. Set up alerts for any account changes — bank details, email, or password updates should trigger an immediate notification
  4. Check HaveIBeenPwned.com regularly — it will tell you if your email and password have appeared in a breach
  5. Treat your business payment platforms (Amazon, Etsy, Shopify) with the same security care as your bank account

Tags: Amazon seller · account takeover · password reuse · payment diversion · small business