Page 1 of 2 12 LastLast
Results 1 to 15 of 23
  1. #1
    Join Date
    Jun 2005
    Location
    Helensburgh
    Posts
    7,696

    Amazon Sign In Password Hacked

    I had my password hacked today even though it requires a One Time code to do so. I received the OTP on my phone sometime during the night, when they knew customers in Australia were asleep and would not react to receiving it, so be warned: OTPs do not afford the protection we think they do. I used the "forgot password" to rectify the problem but I guess it is only a matter of time before it happens again. I don't know why it was done as no transactions took place; this has happened to me several times before I used an OTP and I was under the illusion that using an OTP was the answer to stop this sort of activity.
    CHRIS

  3. #2
    Join Date
    Sep 2009
    Location
    Newcastle
    Posts
    549


    If no transactions happened, how do you know the OTP failed?

    OTPs are not perfect, though the common way of defeating them is forced porting of your mobile so they receive the text.
    Fraudulent mobile number porting and identity theft

  4. #3
    Join Date
    Sep 2009
    Location
    Newcastle
    Posts
    549


    Some general security tips:

    Use a different password for every site.

    Use a password manager to store all these different passwords.

    NEVER NEVER NEVER use the same password for your email and anything else. Your email is your master key to everything.

    Separate things that actually matter and things that don't.
    E.g. internet banking is very important and security breach results in major harm. Someone accessing an account on a random forum or store is not going to cause major harm.
    Use separate emails - one limited to high priority, one/others for everything else - if someone gains access to the low priority email they can't intercept your forgotten password emails from important things.

  5. #4
    Join Date
    Sep 2010
    Location
    Port Sorell, Tasmania
    Posts
    592


    How safe is google password manager, I assume not very?
    You can't use up creativity. The more you use, the more you have. ~Oscar Wilde

  6. #5
    Join Date
    Jun 2005
    Location
    Helensburgh
    Posts
    7,696


    Quote Originally Posted by pippin88
    If no transactions happened, how do you know the OTP failed?

    OTPs are not perfect, though the common way of defeating them is forced porting of your mobile so they receive the text.
    Fraudulent mobile number porting and identity theft

    My phone received an OTP without me requesting it. As I said in my post, I have had this happen before and no transactions took place then, and this is what I don't understand. What is the point of hacking a PW then not doing anything, when the PW is unique to the site as all my PWs are? I don't use my phone for internet access at all so the link is not relevant in my case, but is relevant for those that do. It seems that there is a bit of interest in cracking Amazon's OTP system. amazon otp cracked - Google Search
    CHRIS

  7. #6
    Join Date
    Jun 2018
    Location
    Melbourne
    Posts
    944


    Quote Originally Posted by tony_A
    How safe is google password manager, I assume not very?
    Would google create something they couldn't read or control???

  8. #7
    Join Date
    Nov 2018
    Location
    Newcastle
    Posts
    1,016


    Quote Originally Posted by Chris Parks

    My phone received an OTP without me requesting it. As I said in my post, I have had this happen before and no transactions took place then, and this is what I don't understand. What is the point of hacking a PW then not doing anything, when the PW is unique to the site as all my PWs are? I don't use my phone for internet access at all so the link is not relevant in my case, but is relevant for those that do. It seems that there is a bit of interest in cracking Amazon's OTP system. amazon otp cracked - Google Search
    So the OTP/2FA has worked to protect you - they tried to log in. Amazon sent an OTP request. It went to your phone. The hackers did not get it, so could not continue and get into your account to buy baubles. That's how 2FA works.

    2FA doesn't necessarily stop a hacker getting your password (either by guessing it, harvesting it in a security breach, or a brute force hack). But the hacker still can't get into your account because although they now have 'something you know' - your password, they don't have 'something you have' - your phone with the authenticator app or SMS.

    Pat yourself on your back. You've saved yourself some $ and trouble.

    Now you need to work out how they're getting your password. Is it easy to guess? Has it been used somewhere else? Has there been a known security breach that contained it? Do they have access to your email account (and is that critical password super-secure)?

    If your password doesn't look something like this: 7Lh8xyoMrqi?po then you're vulnerable. Another, slightly easier way of generating difficult passwords is by using a set of three or more random words that you'll be able to remember, e.g. possumbouncyleaflet - they're actually very difficult to hack.

  9. #8
    Join Date
    Jun 2005
    Location
    Helensburgh
    Posts
    7,696


    Quote Originally Posted by Bernmc
    So the OTP/2FA has worked to protect you - they tried to log in. Amazon sent an OTP request. It went to your phone. The hackers did not get it, so could not continue and get into your account to buy baubles. That's how 2FA works.

    2FA doesn't necessarily stop a hacker getting your password (either by guessing it, harvesting it in a security breach, or a brute force hack). But the hacker still can't get into your account because although they now have 'something you know' - your password, they don't have 'something you have' - your phone with the authenticator app or SMS.
    They changed the password so I guess they did get in via them receiving the OTP as well as me, how does that work? I had to change the password today so I could get back in and check what had happened. The password is about 20 characters auto generated so it is not a simple guess.
    CHRIS

  10. #9
    Join Date
    Feb 2016
    Location
    Canberra
    Posts
    5,124

    2c from a paranoid dude

    Amazon customer service likely reset it. Internal jobs are rife in all businesses.

    If I might offer my 2 cents?

    This seems like a lot, but it isn't.

    -- Bernmc is dead right. FluffyPinkBunny is far harder to crack than 7Lh8xyoMrqi?po (see comic below)
    -- Authy | Two-factor Authentication (2FA) App & Guides for 2FA. Put it on your PC and phone. Trust Google? Hahahahaha (ahem. Ahahahahahaha)
    -- Use BRAVE browser for automatic password generation and management. It's all encrypted into a personal blockchain (blob). OK... and use Brave Browser.

    -- Never store your credit card on a facility. Enter it every time, even if you copy/paste the numbers/expiry/code from a text note on your desktop.
    -- Cloudflare WARP for free fast pseudo-VPN. It's a VPN to protect your privacy, not evade the authorities. It's very good.
    -- Change your DNS to 1.1.1.1 and 1.0.0.1 on your router and elsewhere (such as your TV)
    -- Use DuckDuckGo's Privacy Addon and get your free relay email. One chooses a base [email protected] and it sends all email to your real email. It also allows one to generate one-off [email protected] emails that relay to your own real address. This way your real address is never exposed by scumbags selling your data (ahem, CMC markets stockbrokers!)
    -- Get a second SIM from Amaysim for your phone for $10 a year (if your phone can handle two sims). Use the new one ONLY for auths and website signups. NEVER use your personal phone number.

    Also, check to see if your info is public: Have I Been Pwned. If you have, rectify it.


    There is a lot more one can do, but this is the very minimum. The internet has become a LETHAL place. Everyone's data is always for sale, from everyone. It's become toxic.



    password_strength.png
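    Bernmc's post #7 and the list above both weigh a random-character password (7Lh8xyoMrqi?po) against a random-word passphrase (possumbouncyleaflet, FluffyPinkBunny) and point at the password-strength comic. The block below is an added example, not code from any poster in this thread or from any product named in it. It estimates the guess space of each scheme under the usual assumption that the attacker knows which scheme was used and only lacks the choices, and it generates both kinds of secret from the OS random source. The word list is constructed for illustration (a real diceware list has 7776 words), the 94-symbol alphabet and the 10 billion guesses per second offline cracking rate are assumptions, and the figures are average-case brute-force estimates, not measurements. The numbers show that a passphrase's strength comes from the list size and the word count, not from how the words read.

```python
import math
import secrets
import string

# Constructed word list for demonstration only. A real diceware list has
# 7776 words; the strength figures depend on the list size and word count,
# not on the particular words.
SAMPLE_WORDS = [
    "possum", "bouncy", "leaflet", "fluffy", "pink", "bunny", "anvil",
    "copper", "dovetail", "ember", "fig", "gouge", "hollow", "ivory",
    "jarrah", "kerf", "lathe", "mallet", "nook", "oak", "plane",
    "quartz", "rasp", "spokeshave", "tenon", "umber", "vise", "walnut",
    "xylem", "yew", "zinc", "ash",
]

# Assumption: the random-character generator draws from printable ASCII
# without the space, which is 94 symbols.
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(picks: int, alphabet_size: int) -> float:
    """Bits of entropy in a secret built from `picks` independent, uniform
    choices out of `alphabet_size` possibilities: the guess space an
    attacker faces when they know the scheme but not the choices."""
    return picks * math.log2(alphabet_size)


def average_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched
    before the hit."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def random_char_password(length: int, alphabet: str = RANDOM_ALPHABET) -> str:
    """Password-manager style: every position is a uniform pick from the
    alphabet, drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "") -> str:
    """Diceware style: every word is a uniform pick from the list. A word
    chosen by a person instead of the CSPRNG is not a uniform pick and
    gets none of this entropy."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Guess-space comparison for the styles discussed in the thread at an
    assumed offline cracking rate (default 10 billion guesses/second).
    Returns {scheme: (bits rounded to 0.1, average years to guess)}."""
    schemes = {
        "14 random chars, 94-symbol alphabet": entropy_bits(14, len(RANDOM_ALPHABET)),
        "3 random words, 7776-word list": entropy_bits(3, 7776),
        "4 random words, 7776-word list": entropy_bits(4, 7776),
        "6 random words, 7776-word list": entropy_bits(6, 7776),
    }
    return {
        name: (round(bits, 1), average_years_to_guess(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years")
    print("generated password  :", random_char_password(14))
    print("generated passphrase:", random_passphrase(4, sep=" "))
```

    Run it as a script to print the table; the interesting comparison is three words against six, since the rate an attacker gets depends on how the site stored the password and three short words fall within seconds at the assumed rate, while a 14-character random string and a six-word passphrase both sit far beyond it.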

  11. #10
    Join Date
    Apr 2007
    Location
    Adelaide Hills, South Australia
    Posts
    4,330


    Quote Originally Posted by tony_A
    How safe is google password manager, I assume not very?
    I have also asked myself that.
    Stay sharp and stay safe!

    Neil



  12. #11
    Join Date
    Apr 2007
    Location
    Adelaide Hills, South Australia
    Posts
    4,330


    Quote Originally Posted by Chris Parks
    They changed the password so I guess they did get in via them receiving the OTP as well as me, how does that work? I had to change the password today so I could get back in and check what had happened.
    Had it happen to me twice recently. It's annoying and time consuming getting it sorted out.

    If it happens again I will cancel my account... I can live without Mr Bezos.
    Stay sharp and stay safe!

    Neil



  13. #12
    Join Date
    Jun 2005
    Location
    Helensburgh
    Posts
    7,696


    All good advice WP & Bernard. I have taken a few of those steps, my phone is not connected to the internet and the password cracked was a phrase though not random words and not one that would be familiar to any other person except me. I think auto log in found on browsers is another problem and I log in manually each time. I doubt any measures will keep them out if they want to get in.
    CHRIS

  14. #13
    Join Date
    Nov 2004
    Location
    Redlands area, Brisbane
    Posts
    1,489


    Quote Originally Posted by Chris Parks
    All good advice WP & Bernard. I have taken a few of those steps, my phone is not connected to the internet and the password cracked was a phrase though not random words and not one that would be familiar to any other person except me. I think auto log in found on browsers is another problem and I log in manually each time. I doubt any measures will keep them out if they want to get in.

    Sure, if you are talking about a state actor (FSB, NSA etc). However, you would have to be of interest to them to go to that trouble.

    However, having real strong and unique passwords and enabling 2FA (two factor authentication, note that Amazon does offer genuine 2FA) that is not based on text messages makes it pretty damn hard. Even better are things like Yubikey (Yubico | YubiKey Strong Two Factor Authentication).

    I use LastPass as my password manager and they also offer a 2FA app that can use local biometric authentication on your device as an additional layer of security.

    The biggest threat we all face is crypto ware. There is only one protection against that and that is backups. Having a cloud service file system (Google Drive, iCloud etc) is not sufficient backup to protect against crypto ware. In addition to local backups, I use Backblaze and have the unlimited versions backup service.

    I know of a medium sized company in QLD that got ALL of their data encrypted by crypto ware last month. Even their backups were encrypted by it. I have no idea how they are going to survive as a business.
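    Post #7 describes 2FA as proving 'something you have', and the post above recommends 2FA that is not based on text messages (an authenticator app or a hardware key). The block below is an added example, not code from any poster or from Amazon, Authy, LastPass or Yubico: it implements the RFC 6238 time-based code that authenticator apps compute, together with the server-side check that goes with it, using the RFC's published test secret so the output can be checked against the standard. It shows why a code can only be produced by the device holding the shared secret, why a short clock-drift window is allowed, and why a code that has already been accepted is refused a second time.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). In a real
# deployment the secret is random, shared once during enrolment (the QR code)
# and held only by the server and the authenticator app.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code; the value authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the app on the phone computes from the secret and the clock."""
    return hotp(secret, int(unix_time) // TIME_STEP, digits)


class TotpVerifier:
    """Server side of app-based 2FA. Accepts the current step and `window`
    steps either side to tolerate clock drift, and never accepts a counter
    at or below the last one used, so a code seen once (shoulder-surfed,
    phished, or logged) cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = int(unix_time) // TIME_STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed or older than a consumed code
            expected = hotp(self.secret, counter).encode()
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 appendix B vector: T=59 gives 94287082 with 8 digits.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(verifier.verify(code, 59))  # first use: accepted
    print(verifier.verify(code, 61))  # same code again: refused as a replay
```

    The design point for the thread: an SMS OTP is a code the server made and sent over the phone network, so anyone who can receive that text can use it, whereas a TOTP code is computed on the device from a secret that never leaves it. Either way the server must also rate-limit attempts, since a six-digit code has only a million values.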

  15. #14
    Join Date
    Nov 2004
    Location
    Redlands area, Brisbane
    Posts
    1,489


    Quote Originally Posted by Chris Parks
    All good advice WP & Bernard. I have taken a few of those steps, my phone is not connected to the internet ...
    In addition to what I said; phone numbers can be hijacked by porting the SIM. You can read a brief synopsis of how this is done here: SIM Hijacking Explained - Panda Security

    Another attack vector is SIM card cloning. Have you had your phone serviced or looked at by anyone recently?

  16. #15
    Join Date
    Jun 2005
    Location
    Helensburgh
    Posts
    7,696


    Quote Originally Posted by markharrison
    In addition to what I said; phone numbers can be hijacked by porting the SIM. You can read a brief synopsis of how this is done here: SIM Hijacking Explained - Panda Security

    Another attack vector is SIM card cloning. Have you had your phone serviced or looked at by anyone recently?
    No and I have not made an outgoing call on it in many months and I cannot remember the last incoming call either. Can a port be hacked if there is no data link on the phone?
    CHRIS
