I Think Amazon.com's Security Settings Are Faulty

I just received the following from Amazon:

  • Confirmation that I changed my password
  • Confirmation that I added my mobile telephone number to my account
  • Confirmation that an order I placed was successful

The problem is, I didn’t do any of this stuff. Not one thing.

The other problem: the email address I received all these confirmations from isn’t even associated with my Amazon.com account.

I called the customer support line at Amazon.com and explained the situation, figuring someone simply left a character out of their email address (the one the confirmations were sent to is a rather common name / account). They told me the email address for this person’s account was nothing like mine.

So, that means someone used my email address to add their phone number, change their password, and order a Kindle book.

Meanwhile, I can go onto Amazon.com and say that I lost my password. That password gets sent to me (hey, it’s my email address), or a link gets sent to me that I click on to change the password. Hello, I now am in full control of this person’s account – that means credit cards, addresses, etc.

That’s a bad thing, no?

Like I said, I called Amazon and reported this, but it’s too late in my eyes. I already have this person’s address, cell phone number, and now I can log in to his account (which I haven’t, and I won’t). All because he mistyped his email address. And yes, I know it’s a he.

And all because Amazon didn’t take the precaution to send a confirmation / authorization link before allowing that email address to be changed.
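
The precaution described above, sketched as an added example (not Amazon's code and not part of the original post): a newly entered address stays pending, and password-reset mail keeps going to the confirmed address, until a signed, expiring token mailed to the new address is presented. The class, method names and addresses are hypothetical.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the demo)
TOKEN_TTL = 3600                   # seconds a confirmation link stays valid

class Accounts:
    """Toy account store: an email is bound only after its owner confirms it."""
    def __init__(self):
        self.verified = {}   # account_id -> confirmed email (used for resets)
        self.pending = {}    # account_id -> (requested email, expiry timestamp)

    def _sign(self, account_id, email, expires):
        msg = f"{account_id}|{email.lower()}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_email_change(self, account_id, new_email, now=None):
        """Record the request and return the token to mail to new_email."""
        expires = int(now if now is not None else time.time()) + TOKEN_TTL
        self.pending[account_id] = (new_email, expires)
        return f"{expires}.{self._sign(account_id, new_email, expires)}"

    def confirm_email_change(self, account_id, token, now=None):
        """Bind the pending address only if the mailed token checks out."""
        now = int(now if now is not None else time.time())
        pending = self.pending.get(account_id)
        if pending is None:
            return False
        email, expires = pending
        try:
            tok_exp, sig = token.split(".", 1)
            tok_exp = int(tok_exp)
        except ValueError:          # malformed token
            return False
        good = self._sign(account_id, email, expires)
        if tok_exp != expires or now > expires:
            return False
        if not hmac.compare_digest(sig.encode(), good.encode()):
            return False
        self.verified[account_id] = email
        del self.pending[account_id]
        return True

    def reset_recipient(self, account_id):
        """Password-reset mail goes only to a confirmed address."""
        return self.verified.get(account_id)
```

With this flow, a mistyped address never receives anything but the confirmation link, and ignoring that link leaves the account untouched.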