Hackers accessed third-party Amazon sellers' accounts using stolen login credentials they purchased on dark web marketplaces. CJ Rosenbaum, a lawyer based in New York who is representing some of the affected Amazon sellers, told The Wall Street Journal that more than a dozen of his clients lost close to half their monthly sales due to hackers. The losses range from $15,000 to $100,000. The sellers want Amazon to reimburse them for the lost sales.
As reported by Fox Business, hackers gained access to the accounts after purchasing login credentials leaked from LinkedIn and other companies affected by a recent string of "mega-breaches." The attackers then conducted password reuse attacks by which they tried those credentials across other accounts. Upon successfully authenticating themselves to an Amazon seller account, they posted listings for deeply discounted goods and used fake payment sites to steal customers' money. Lightning X Products Inc., a bag maker based in North Carolina, lost $60,000 in the hacks. Employees received an email from Amazon notifying them of suspicious activity. But when they attempted to log in, someone had already changed their profile's bank account information. Another seller, Margina Dennis, said she received hundreds of emails from customers complaining they had yet to receive Nintendo Switch consoles they ordered from her. Dennis reached out to Amazon for help. After a few days, the e-commerce website took down Dennis's account. In a statement prepared for SC Magazine, Amazon explains it's working with sellers and customers to address these instances of fraud:
"We withhold payment to sellers until we are confident that our customers have received the products and services they ordered. In the event that sellers do not comply with the terms and conditions they've agreed to, we work quickly to take action on behalf of customers. There have always been bad actors in the world; however, as fraudsters get smarter so do we. Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com."
While affected sellers await reimbursement, they should create a complex password for each of their web accounts to defend themselves against password-reuse attacks. They should also enable two-step verification (2SV) on Amazon and their other accounts that offer the option. Customers can also make sure they receive their purchased goods by buying from established sellers with positive reputations and frequent activity. They should also be on the lookout for suspiciously low prices. If a deal seems too good to be true, it probably is.