When I wrote this blog two years ago, sellers had been struggling with major hacks to their accounts from bad actors. Our clients lost hundreds of thousands of dollars in stolen disbursements. Now a new breach is causing sellers problems, so I thought it would be worthwhile to list the remedies again.
You may have seen this article in my Safety Detectives’ blog when it first came out about a significant data breach from an apparent Chinese bad actor that affected hundreds of thousands of Amazon seller and buyer accounts. Seven gigabytes of contact data were up for grabs.
I wondered at the time if Amazon had seen that data, and it appears that they have. They have not said anything publicly. This is my speculation based on observation. Here are the steps we’ve seen Amazon take since this breach:
- Locked sellers out of their accounts. A lot of sellers.
- Purged thousands of reviews. One seller lost tens of thousands of reviews on his products that I personally observed. There are also posts on social media from indignant sellers about the purge.
- Closed buyer accounts. These were both personal buyer accounts and sellers’ business buyer accounts. Some people were strictly buyers. These were probably the “reviewers” in the database if my theory is correct.
- Fraud claims.
- “Suspicious activity” claims.
- Required verification.
It’s a bit confusing looking at these different performance notifications, but what seems to be happening is that other bad actors also downloaded the database. There are attacks on sellers in the dead of night trying to get into their accounts. These would seem to be the source of the “suspicious activity” claims. Those are the easiest to remedy. Resetting all your passwords (personal account, seller buyer account/Seller Central account) has been fixing it for many of our clients.
Fraud claims are trickier because they could be the hack – Amazon thinks they paid for reviews, possibly – or they could be something else entirely. As always, Amazon is not specific. With fraud claims they are also unlikely to let the sellers back into their accounts. What we’ve seen over the past couple of weeks is that there are innocent fish caught up in some of these fraud claims. Amazon is fixing the algorithm and reversing some of the lockouts but not others. For some sellers, their accounts are suspended, but for many their accounts are open. It is only their login that isn’t working.
In some of these lockouts, it is just the primary login that is locked out. In other words, we can get into our clients’ accounts with our logins and help them keep the business running while we try to fix the lockout. These are generally the innocent fish and/or the suspicious activity claims.
Clearly Amazon suspects real fraud in some of these cases, but they aren’t exactly sure what that database represents. Some of the seller names in the database could be a prospect list, for example. I suspect this is true for part of the data because most of my clients that are caught up in this are innocent fish. We’ve been inside their accounts for years, we know them. They are very careful about compliance. Some of them are wholesalers/retail arbitrage/drop-shippers that don’t have their own brand, so why would they pay for reviews?
Others in that database are clearly sellers who paid for reviews as evidenced by Safety Detective’s report on the breach.
If you are a seller who paid a service company to get you reviews, you should be very concerned right now. Amazon is on the hunt and there is a good chance they have gigabytes worth of evidence. I’m confident that the database was also shared with the Federal Trade Commission (FTC) because fake reviews are a crime.
Verification is part of Amazon’s account review process in the fraud claims, and we are seeing them ask for various documents from some sellers. Other sellers are getting nothing from Amazon. Not even an email. Our hope is that when verification is complete, our clients will be unlocked and allowed into their accounts again.
- I can’t get into my Amazon account! Does that mean I’ve been hacked?
It might. Amazon freezes out sellers from their accounts for suspected hacking, yes, but also if they suspect fraud or other serious crimes on your part. Occasionally people get frozen out because of glitches at Amazon. You should get an email if your amazon account has been hacked or if you have been suspended for fraud. Even though bad actors usually change the email addresses in the hacked accounts, Amazon’s policy is to send warnings like this to the old email as well as the new email.
- What should I do to get back into my account?
What you should try first is reaching out to Seller Support online. Click on this link to get to Seller Support from outside Amazon.
They will tell you to call: 206-922-0880. This is the team that will help you reset your password and login if they can.
Once you are in, you will want to see if you can find a performance notification or case log file that explains why you were frozen out. If money has been dispersed or inventory removed without your permission, inform Seller Support immediately.
- What if I still can’t get in?
If you’ve exhausted your options with the phone numbers above and if they won’t or can’t tell you why your account is frozen, use Twitter or Facebook. There is a team at Amazon that reads tweets and messages sent by social media. You will need to tag Amazon to get its attention, but the social media team is usually pretty fast. They’ll give you a link where you can write up your problem and then they’ll send it to the right group internally. Most of my clients have received a call back or an email within 24 hours using this tactic.
- What if I’ve been hacked?
Amazon will need to verify you as the rightful account owner. After all, the hacker could be spoofing your email and pretending to be you. We see that a lot lately with fake IP retractions. Amazon assumes that all digital data has been compromised. We’ve seen them ask for passports/driver’s license, birth certificates, personal social security numbers and more. They may try to contact a relative to vouch for you. Give them what they need. If you’ve ever had your identity stolen, you will understand what you are in for. Assuming you can get back in, you’ll need to check your bank account, Tax ID and other business data to see what was hacked and if they stole money from you.
Then take these steps:
- Report to law enforcement. Then give the filing number to Amazon as proof that you are taking steps to fix the situation. How interested law enforcement is in your case depends on how much money or property you’ve lost. One seller, for example, had all his inventory removed from the warehouses and sent to an address in another state by the bad actor.
- Document everything. Not only will you need it for law enforcement, but you will also need it for possible future legal action. You will be asked for the same information over and over and over…so make yourself a PDF of all your evidence of the hack and what was taken. Include a timeline of events.
- Hire a forensic computer analyst. Take your computer, phone, tablet and any other device you use to access your Amazon seller account to an expert. If you have trouble finding one, ask a lawyer. These are the guys who testify in court. Their data preservation techniques and third-party neutrality help in lawsuits, and they help in hacking situations. They are very good at finding traces. You want to make sure that the hacker did not get in by inserting software into your machines.
- Beef up your digital security. If you are not using a VPN when you are out of the office, for example, you should from now on. This includes your phone as well as other devices. Never surf the internet naked again.
- Hire a security expert to examine your network at work and make recommendations for programs on your devices that can detect and protect you from hacking. It could be the same person as #3 above. Your virus protection software and firewall are often not enough to stop a determined hacker.
- Fix your passwords. If you are not using at least 10 randomly generated digits, characters and lower/upper-case letters for your passwords right now, get a program like Roboform or LastPass and never repeat a password ever. There are people out there who still use passwords that are easy for them to remember. You know who you are. Stop it now.
- Look around you. Statistically, most cyber theft like this is embezzlement from a trusted employee or relative. Everyone I ever suggested that to was absolutely furious with me, but it’s true. The best person to know your password and get into your account is someone you see every day. Someone you trust. At least consider it. Because guess what? Amazon can tell if it is someone else at your office/home getting into your account. If you can’t show you have a handle on your security problem, they won’t let you back on. I had a client who refused to consider it despite the fact that Amazon TOLD her it was someone on her network who was doing this. She never sold again. Put your business first. Your honest friends, family and co-workers will have no problem with you taking extra security measures.
- Turn on your Amazon 2-step verification. A lot of folks turn it off for their main laptop, their phone, etc., and automatically login. It’s a pain, but have it turned on for every browser, every device, every time. Otherwise, someone physically close to you or someone with control over your computer/phone can get into your account when you aren’t looking.
- Put your account on hold. If you gain access to your account, put it in vacation mode until you feel comfortable that it won’t happen again. Once you talk to Amazon about what happened, take their lead. They’ll give you advice about your account. Once they are alerted to the problem, they will be monitoring the situation and will shut down your account if the bank account or email is changed.
- How do I report to the FBI or Secret Service?
Justice Department – There’s a page with everything you need to know about reporting a federal cybercrime. Most Amazon hacking is federal because the hack, money or inventory crosses state – and sometimes international – borders.
Internet Crime Complaint Center – a reliable (do you trust the government when they say that?) reporting mechanism to submit information to the FBI. Even if nothing was stolen or the value was low, you should report it. Sometimes these bad actors are part of a larger crime group. Law enforcement may already be working on a case.
FBI find-a-field-office – for those of you who want to look a person in the eye and turn over your evidence.
Secret Service find-a-field-office — for those of you who want to look a person in the eye and turn over your evidence. See below to determine if your case should go to the Secret Service.
- Which agency should I go to?
First you should see if your local police force has a Cyber Crime Division and start there. The FBI is the next step (and your local Cyber Crime officer can help you contact them) when there is money or property transported across state lines. This kind of hack is also considered identity theft which is a key initiative by the FBI.
The Secret Service is most interested in international hacking rings and money transported out of the country. If the hacker also inserted software into YOUR machine, then the Secret Service might make sense. They have a database of this kind of hack and can often identify whether the hacker is part of a larger group by how your system was breached. It is most likely the FBI would contact the Secret Service if this kind of hack is suspected.
- What does law enforcement need from me?
- Take a copy of Amazon Law Enforcement Guidelines for them, just in case
- Amazon’s address for legal processes:
Corporation Service Company
300 Deschutes Way SW, Suite 304
Tumwater, WA 98501
Attn: Legal Department – Legal Process
- Amazon’s law enforcement email – these may no longer be accurate, but they were previously: firstname.lastname@example.org or email@example.com. As you know, Amazon keeps changing its emails. Have the police try this before mailing to the address above. It’s faster.
- Timeline of events.
- Amount of $ or physical property stolen. You can run reports and/or take screenshots to prove your loss.
- Bank account and email used by bad actor.
- Proof of your identity, your business and your bank account.
- Your seller email and seller ID. They will need that to communicate with Amazon about you.
- An affidavit giving Amazon permission to share your seller information with law enforcement. Get it notarized. It will make it easier for Amazon to cooperate with law enforcement.
I suggest having everything on a thumb drive and having physical copies that you can leave with the police. The notarized affidavit will need to be an original, most likely, so sign multiple copies in case you work with multiple groups.
- What if the hack is at Amazon and not with me?
In this case, if you are confident that it is not your system or you personally that has been hacked, go to the FBI and report to the Cyber Action Team that you believe Amazon has been hacked and why. If they believe your report is credible, they will reach out to Amazon and take it from there.
One indicator that it is Amazon and not you is if your account is NOT frozen, but the email, password and bank account are changed. You notified Amazon of the theft, but your account is still open. That’s what happened to our clients last year. The bad guys kept their account open and kept stealing their money. Once you’ve changed your password and taken greater security measures, it’s more likely to be Amazon.
- Should I tell Amazon?
Yes. If they’ve been hacked, literally millions of Amazon seller accounts are at risk. Most likely what will happen is that law enforcement will reach out to them for you, but you can also tell Amazon that you’ve informed the FBI’s Cyber Action team and provide them with a report number/case ID so they can talk to the FBI themselves.
If you have a local Cyber Crime officer working on your case, have him or her reach out to Amazon (see details above). The police are much more credible to Amazon.
- What if I was the one that was hacked?
You should tell Amazon, and request they unfreeze your account. Provide them with your case ID from the police and tell them the specific steps you have taken (not “will take,” taken) to make sure it never happens again. Write it like an appeal. Give the root cause, the steps you took and then what you’ve put in place to make sure it never happens again. We help our clients with these types of appeals if you need it.
- How much does all this cost?
A lot. Not only are you not selling every day, but the forensic search can also cost hundreds to thousands of dollars, depending upon the number of devices. Hiring a security expert to review your network for weaknesses will cost a few hundred if you are a small operation. There could be costs for proof of your identity like a birth certificate or social security number (do you know where your card is? Most of us don’t.)
- Will my insurance cover my loss?
Obviously, this depends on your policy. Now might be a good time to refresh the details in your mind. Even if your loss is covered, you probably have a deductible, and the insurance company usually has a ceiling on how much they pay. Lastly, the insurance company is going to want assurances that this theft was not due to negligence by you before writing a check. Your police report will help, but you may also want to talk to a lawyer before you record your loss on that recorded line. Insurance companies are looking for reasons to say “no,” particularly if the claim is large. You don’t think it is your fault. They might not agree with you.
Some sellers didn’t have insurance, so this loss hit them hard.
- Will they eventually trace my money and get it back to me?
Maybe. Some sellers got lucky and eventually their money was traced and retrieved. I wouldn’t count on it though. Sophisticated hackers have already thought out how they are going to hide the money from law enforcement.
- Will Amazon reimburse me?
No. Here are some of the relevant passages from our agreement with Amazon:
“…You are responsible for maintaining the confidentiality of your account and password and for restricting access to your account, and you agree to accept responsibility for all activities that occur under your account or password…”
“AMAZON WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF ANY AMAZON SERVICE, OR FROM ANY INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) OR OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH ANY AMAZON SERVICE, INCLUDING, BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES, UNLESS OTHERWISE SPECIFIED IN WRITING.”
In short, Amazon is responsible for nothing.
Hopefully none of you will ever need this information. Hacking is rare compared to other Amazon suspensions, but it does not hurt to be proactive. If your security protocol could use improvement, take the time now to protect yourself, and while you may be confident that everyone around you is trustworthy, having 2-step verification always on and changing your passwords is just smart business. I imagine many of you have programs to wipe your phones or laptops if they are lost. This is just one more sensible precaution. Your livelihood is at stake and Amazon is not going to reimburse you if something goes wrong.