anyone else suspect their amazon account has been…

vote-for22vote-against
vote-for18vote-against

Interesting. I'm going to check right now...

Yes, I am just that fast. There's no evidence of anything even suspicious. I have an Amex (among others) affiliated with that account. I do not, and have never had, a Walmart account. Perhaps the compromise is in the opposite direction?

I also checked the Kindle account. Neither shows any unusual activity.

vote-for15vote-against

@shrdlu: I've always wondered; do you actually hear the Wonder Woman theme music as you spin around, while changing into your costume?

And how do you keep from getting dizzy?

vote-for8vote-against

@magic cave: Sorry to hear about your accounts. I don't know very much about online accounts, so I can't help you out. Hope you get everything worked out.

vote-for7vote-against

@shrdlu: I'm sorry for the confusion, but I misspoke (mistyped?) in my original statement: Amazon changed my p/w and mailed me an account alert at 2:02PM EDT on Saturday, July 28, while the Walmart purchases using my AmEx card were not made August 2, while

That is the primary reason I'm assuming the original breach was at Amazon; I don't think it's likely that someone started at Walmart on or before 7/28, decided not to use the AmEx card info they found there, but went to Amazon next and used the Visa card first.

The second site breach is my own $#*&!! fault for being lazy with a password, but I'm seriously PO'd over the thefts and what they cost merchants to contain, refund, and correct.

vote-for7vote-against

@barnabee: Thank you for your kind wishes -- yes, everything worked out well for me, although it was less well for the merchants.

(Please see my amended timeline of events just above this comment.) Amazon was first at the gate to think there was a problem; they emailed me around 2pm Saturday to say they'd changed my account p/w and blocked the attempted purchases. Visa called my home around 4pm Saturday to say they'd restricted the card. AmEx didn't call at all (although they called within 10 minutes of a fraudulent charge from Indonesia hitting my account a year ago!), almost certainly because there was absolutely nothing suspicious about a purchase of two $25 iTunes cards. Walmart will end up being out $50, and all four companies are out the cost of their security work, sending me new cards, etc.

Dang, I really, really hate thieves!

vote-for8vote-against

@magic cave: Actually, I think I forgot who I was answering. I recognize you have the banking background, and had your facts straight. I still maintain that the compromise was not specifically an Amazon breach (else I'd have heard plenty about it from other resources). Here's an interesting site to browse for known compromises.

http://datalossdb.org/ (requires you to make an account and password to view most things)
http://seclists.org/dataloss/

The only two mildly interesting events I see are Dropbox, and a gambling site (and I can't picture you using either).

I'd be willing to bet this is a one off incident, where your credentials were compromised, and the attacker then moved on to Walmart.

vote-for7vote-against

@magic cave: I was recently issued a new Discover Card. I guess a lot of accounts had somehow been compromised and Discover decided to be safe rather than sorry and issued new cards.

I hate thieves, too.

vote-for7vote-against

@shrdlu: I really appreciate the sites (which are interesting to browse through and will be useful for work purposes, as well), and I'm entirely open to your view that it's a one-off event. As you can imagine, I'd much prefer it to be just me, rather than a slew of bad cards from a payment-processor breach. (And no, the gambling site wouldn't interest me. My wildness these days is limited to such things as whether I can get the dogs outside in the morning before they piddle on the kitchen floor.)

I've tasked myself for tomorrow with updating the gazillion accounts I have across the wide, wide, really wide web and converting a lot of passwords into Keepass or some such.

Thanks again for the assistance!

vote-for3vote-against

@barnabee: damn. now i'm worried. discover is the only card i have/use.

vote-for5vote-against

I'm nowhere near the sleuth that shrdlu is, but is it possible that you had a PC or email hack? We leave a lot of stuff floating around in cyberspace. Sorry for your troubles and glad that they are being fixed. :)

vote-for5vote-against

@moosezilla: Just checked my Discover Card. My new one became active almost 3 billing cycles ago. So, if you didn't receive a new card, yours must be okay.

vote-for4vote-against

I'm a thousand percent certain that you're either A) infected with a keylogger/keylogging malware or B) you managed to give away your password somehow. Both are more likely than someone hacking into one of the biggest merchants on the internet.

vote-for7vote-against

A couple of years ago, we made a purchase through Amazon from a t-shirt vendor using a credit card that had not been used for months but had $1.5K available on it. The next day, a bunch of transactions occurred on that card from two states south of us and the account maxed out. We were made whole by the bank and Amazon denied any culpability, but we continue to believe that the Amazon transaction triggered the ID theft. We have made many Amazon purchases since and have had no problems.

vote-for6vote-against

@br0seidon: Thank you for the suggestions, but neither one is the cause. My husband is a former tech-support guy, and we run a lot of protective software. When he first got the call about my Visa card compromise he pretty much took my computer apart (speaking metaphorically, of course) and ran all the usual detect-and-clean software plus some other heavier duty stuff. Nothing turned up. Had there been something bad lurking around, it's likely much more damage would have been done to my [many many] other accounts.

vote-for10vote-against

@magic cave: Got your back on this one. People compromise the big guys all the time. All. The. Time. While I still believe this is a one off event (but am awaiting Monday, from whence all information flows), I'm strongly suspecting something that could have been as simple as a drive by advertisement inhabited by malware, or even a lucky guess on the password by the miscreant.

I used to run Crack and John the Ripper (among others) on password files from Windows and Unix machines, and people were often disturbed to see how quickly their clever password choices fell to solution.

It's an interesting problem, but it's also likely that the ONLY person (or persons) who will ever know are the originals behind this...and they aren't posting comments here.

vote-for6vote-against

@shrdlu: I definitely think this is a one off event as well. A few years ago I was heavily involved in the anti-malware scene and used to keep up on all the latest news and such.

It will be difficult to know whether this is a one off event though. Many thieves grab tons of numbers from various different means and hold on to them for a while. I would imagine they actually want to get the products so it would be foolish to use all of them at once. And unfortunately, security software is not going to help much since thieves want to target large companies rather than small people (would you rather have 1 number or 1 million?)

vote-for4vote-against

@magic cave: I'm sorry about what happened to you. I sincerely hope everything gets straightened out. Thanks for bringing this to our attention.

I've just checked my Amazon account and found nothing amiss. The same goes for my Wal*Mart account that I checked yesterday.

vote-for5vote-against

@magic cave: My Walmart account got compromised a few months ago. I didn't even remember having a Walmart account or a credit card stored in it but some thief ordered an expensive cell phone (and overpaid for it but didn't bother to spring for expedited shipping. I'm glad this guy wasn't very smart). I caught it when I got the shipping notice and was able to get the shipment turned around. I was using a weak password on that account (my own fault). And was very fortunate that I didn't use that password on other sites.

I ended up getting a new credit card issued, deleted my credit card information that was stored at most web sites, changed my passwords on a lot of sites, filed an incident report with the police and put a notice on my credit report. All of that was possibly a little overkill but I felt it was best for my own protection. And that has been the only issue that I've had.

Best of luck in getting this worked out.

vote-for3vote-against

My new password: an abbreviation, a number, the first letter in the site I am visiting, a number. A misspelled word with a common number replacement, a number and the #. The last letter of the site I am visiting.
Example: for woot: ectw6c0mmen3jpy4#t <-not really my password.
ect is an abbreviation I use a lot.
64 could be your bday.
The non letter number # add a lot of time to the brute force guesser. The w and t keep my password unique for every site I visit.
Easy for me to remember, hard to have someone look over my shoulder. Hard for a dictionary attack, hard for a brute force attack. The misspelled word is c0mmen; 0 is o and e is o.
I learned the misspell trick from someone at work. They had an easy spell word with a common sense misspell. Even when he told me his password I still got it wrong. My fingers did not want to misspell common.

vote-for5vote-against

@shrdlu: As always, thanks for watching my back and providing your usual expert suggestions and support. You're a great asset to Woot.et.al, and I really appreciate your help.

@caffeine_dude: Thank you for the excellent p/w suggestions. I revised my own p/w system after my problem last week, but your post contains great additional options. THIS http://xkcd.com/936 was especially helpful, since it brought a moment of laughter when it was seriously needed.

@gt0163c: A little overkill can be a good thing -- thank you for sharing the steps you took to protect your accounts and your credit files.

@nortonsark: Thank you for sharing your Amazon story. As I tell the credit-union members with whom I speak, it's pretty much impossible in 99% of security and/or card breaches to know for sure what happened, but it's always a comfort to know I'm not the only person who might have had an Amazon problem.
[cont'd]

vote-for5vote-against

[cont'd]

@everyone else: Many thanks to each of you for your stories, assistance, and good wishes. Most of us will have similar problems sooner or later (it's the nature of the system), and it's great to have kindred souls in this particular community who are quick to offer support!

vote-for2vote-against

@magic cave: XKCD usually brings laughter, sometimes head scratching.