Though fortified at its front, Amazon's may need to step up its efforts to cover it's rear. After being thanked for a conversation he didn't start, an Amazon customer says he found evidence that the e-commerce company had given away his personal details to an impostor.
Amazon had been one of the few companies Eric Springer trusted, he said, but that was before the former Amazon software developer was recently thanked for an inquiry he didn't initiate.
Springer followed up out of curiosity and he was sent a transcript of a chat conversation he said he never had.
He previously used the address of an area hotel to register a web domain. Someone ran a simple whois query on Springer's domain to find out the address, which was the location of the hotel, and that information was used to convince Amazon to divulge details about Springer, according to the former Amazon dev.
With a billing zip code in hand and an address matching one that was on file at Amazon, the attacker asked the company to confirm a shipping address. Confirming the shipping address, Amazon gave the attacker Springer's real location.
From there, the attacker went to Springer's credit card company and convinced the bank to send out a new card, he said.
A few months later, back at Amazon, the attacker attempted to get the last four digits of Springer's credit card. Springer said he asked Amazon to make note of his trouble with the attacker, then he updated his card and address information before eventually removing the information from his account.
Then it all came down. Springer received noticed that his order had been shipped. It was an order he placed, he said. So the attacker finally won.
"At this point, Amazon has completely betrayed my trust three times," wrote Springer on Medium.com. "I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks."
