hacked.com

How to recover a hacked Amazon account

Amazon account compromise can combine direct financial abuse with delivery manipulation and identity misuse. Attackers often move quickly: place orders, add addresses, drain gift cards, and then try to lock you out by changing recovery details.

Start by deciding which branch you are in. The order of operations matters more than the order of the menus.

If you only do one thing: secure the email inbox tied to Amazon before you retry passwords, order changes, or payment cleanup. If the inbox is still exposed, every reset can be intercepted.

| Situation | First move | Why it comes first |
| --- | --- | --- |
| You can still sign in somewhere | Change the password on a clean device, then review Amazon account access and payment settings | A live session is the fastest way to remove attacker persistence |
| You only see unauthorized orders or charges | Stop the payment path, cancel what you can, and document order IDs | Money can move before the account looks fully broken |
| The email or phone on the account changed | Recover the inbox and phone first, then return to Amazon | Those reset channels control the account |
| Gift cards, subscriptions, or addresses were changed | Audit the monetization surfaces and remove unknown entries | Those are the attacker's leverage points |
| The incident started from a fake Amazon email or text | Treat it as phishing, not just a password problem | The message itself is part of the attack |

Containment first

Work on two tracks in parallel: prevent more purchases and remove the attacker’s access. That means checking recent orders, subscription renewals, gift card balances, addresses, and payment methods before you spend time on anything cosmetic.

  • Review recent orders and cancel anything unauthorized as quickly as possible.
  • Check subscriptions and recurring deliveries and cancel anything you did not approve.
  • Review gift card balance and digital purchases for unauthorized activity.
  • Change the Amazon password from a clean device.
  • Review logged-in devices and active sessions and remove anything unfamiliar.

Safety note: do not call Amazon support numbers from emails, texts, or search ads. Use only official support entry points inside Amazon or Amazon Pay.

Secure the control plane

Amazon security is only as strong as the email and phone that reset it. If the account uses the same inbox for login alerts, shipping notices, and password resets, that inbox becomes the real control plane.

  • Change your email password and enable two-factor authentication.
  • Remove suspicious mailbox rules, forwarding, and unknown sessions.
  • If your phone number is a recovery method and you lost service unexpectedly, treat it as possible SIM swapping.
  • If a suspicious link or attachment was involved, check the device and review two-factor authentication before you trust the session again.

How to read the signals

| Signal | What it often indicates | Best response |
| --- | --- | --- |
| New orders or subscriptions | Active access | Cancel quickly, secure access, and contact official support |
| New delivery addresses | Fraud setup | Remove unknown addresses and verify defaults |
| New payment methods | Monetization path | Remove unknown methods and review recent charges |
| Password reset emails you did not request | Credential attack | Secure email, rotate passwords, enable 2FA |
| Repeated prompts after changes | Session theft or device compromise | Check devices before changing more passwords |

Common mistake: only changing the Amazon password. If an attacker has email access or an active session, they can return.

If you can still sign in

If you still have a live session on a trusted device, use it first. Amazon’s Password security help page shows that sign-in protection belongs on the Amazon.com account page, while Amazon Pay account settings manage payment methods and authorizations. The point is to use the live session to cut off the attacker before you lose access again.

  • Change the password from a clean device, then review the account's Login & security page.
  • Turn on two-step verification. Amazon says this adds another code at sign-in, which makes password-only takeovers fail.
  • Review the email address and mobile phone number tied to the account and remove anything you do not recognize.
  • Check whether Amazon Pay settings show unknown cards, bank accounts, or payment authorizations.
  • If you manage a business or shared account, confirm that the change did not also affect other users or shared payment methods.

For Amazon Pay accounts, Amazon’s account settings page says you can edit contact information, add or delete credit cards, manage bank accounts, and edit payment authorizations from Edit My Account Settings. Amazon.com account changes such as password and email live on the Amazon website’s Your Account page.

Read how to secure your Amazon account after this incident is stable. That page covers the hardening pass that keeps a recovered account from drifting back into the same failure mode.

Rule of thumb: if you can still sign in, stop the attacker first and clean the account second. Do not spend the live session browsing old orders before you cut off access.

If you are locked out

If the password reset path is the only thing you can reach, start there from a clean device. Amazon Pay’s help page says password resets happen on Amazon.com, and its account settings page explains that Amazon.com controls password and email changes while Amazon Pay controls payment methods and authorizations.

If the attacker changed the email address or phone number tied to the account, secure that inbox or number first. If the reset channel is still compromised, repeated password attempts only create noise.

  • Use Amazon’s password reset flow from the official site or app, not from a link in a message.
  • Keep the device and network consistent while recovery is in progress.
  • If you get back in on one device, use that session to change the password and review Login & security immediately.
  • If the reset goes nowhere, check the inbox tied to Amazon for tampering before trying again.

If you need the broader locked-out sequence that works across platforms, use recover a hacked account when you cannot sign in.

If phishing started it

Many Amazon takeovers start with a fake order notice, delivery fee, or account alert. Amazon Pay’s phishing guidance says the real domains are pay.amazon.com, payments.amazon.com, and authorize.payments.amazon.com, and that suspicious messages can ask for passwords, gift card claim codes, or payment details. The message itself is part of the attack.

  • Do not sign in from the message. Open Amazon directly or use the app.
  • Do not share verification codes, claim codes, card numbers, or login credentials with anyone who contacts you first.
  • Delete suspicious messages and attachments instead of forwarding them around.
  • If you need a broader playbook for the message side of the attack, use how to identify scam emails and phishing.
  • If the message led to a suspicious app install or helper download, check the device for spyware before you trust the session again.

Amazon Pay’s security page also says to report phishing or spoofed email, and if you entered your password into a forged site, update the Amazon password immediately from the official site.
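The three Amazon Pay domains named in this section can be used as an exact-match host check on links pulled from a suspicious message. The following is an added example, not code from this page or from Amazon; the function names, verdict labels, and sample message are assumptions made for illustration, and the allowlist covers only the hosts listed above.

```python
import re
from urllib.parse import urlsplit

# The three hosts this page attributes to Amazon Pay's phishing guidance.
# Anything else, including other Amazon sites, is reported as "not-listed".
OFFICIAL_HOSTS = frozenset(
    {"pay.amazon.com", "payments.amazon.com", "authorize.payments.amazon.com"}
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'official' or the reason the link fails the exact-host check."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    if parts.username is not None or parts.password is not None:
        return "userinfo-trick"  # real host is whatever follows the "@"
    if not host.isascii() or "xn--" in host:
        return "non-ascii-host"  # homoglyph or punycode label
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(name in host for name in OFFICIAL_HOSTS):
        return "embeds-official-name"  # official name used as a prefix or label
    return "not-listed"


def triage_message(text: str) -> dict:
    """Classify every link found in a message body."""
    links = (u.rstrip(".,;") for u in URL_RE.findall(text))
    return {u: classify_link(u) for u in links}


# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """Your order is on hold. Confirm payment:
https://pay.amazon.com.account-check.example/signin
https://pay.amazon.com@login.example/reset
http://payments.amazon.com/activity
https://pay.amazon.com/activity
"""

if __name__ == "__main__":
    for link, verdict in triage_message(SAMPLE).items():
        print(f"{verdict:22}{link}")
```

A verdict of "official" only says the host matches the list; the advice above still applies, so open Amazon directly rather than following the link.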

Orders, addresses, payment methods, subscriptions, and gift cards

This is where most of the money leaves the account. Triage the surfaces one by one.

  • Orders: review order history and any Amazon Pay activity for purchases you did not make. If the purchase is through Amazon Pay on a merchant site, open the order in Amazon Pay Activity and use Details & Support. Amazon Pay says the merchant may be able to change or cancel an order before it ships, but Amazon Pay itself cannot cancel or refund it for you.
  • Addresses: remove unknown shipping addresses and verify the default address before you place anything else.
  • Payment methods: remove unknown cards or bank accounts, then review any recent unauthorized charges or authorizations in Amazon Pay or your card statement.
  • Subscriptions and recurring payments: Amazon Pay says you can review or cancel payment authorizations on the website, and that canceling an authorization stops future charges but does not cancel the service agreement with the merchant. Contact the merchant directly if the subscription itself needs to end.
  • Gift cards: Amazon Pay says never to give Amazon.com Gift Card claim codes by phone, text, or email. If somebody asked for them, treat it as a scam. If gift card balances or credits were redeemed, record the amount and time before you contact support.

If the charge looks fraudulent but the order is already in motion, keep the billing record, the order ID, and the shipping status together. That is what support teams and card issuers need to see.

Safety note: Amazon Pay’s help pages are explicit about gift card claim codes. Anyone asking for them outside the site is not helping you recover the account.

For Amazon Pay-backed transactions, the support page for Viewing orders and transactions explains where to open the order record and Details & Support. The page for Canceling payments or orders says Amazon Pay cannot cancel or change the order for you, so the merchant is the next stop when the order is still reversible. The page for Authorizing automatic payments explains how recurring authorizations work, and Merchant agreements FAQ explains how to cancel a payment authorization and why the merchant relationship may still need a separate cancellation.

After recovery

Once the account is stable, make the next compromise expensive. Keep the Amazon password unique and keep two-step verification turned on. Use the Login & security page for password and recovery details, and use Amazon Pay settings for cards, bank accounts, and payment authorizations. That split matters because the attacker often tries to come back through the easiest control plane, not the most obvious one.

  • Keep the email inbox tied to Amazon locked down with strong authentication and no forwarding rules you did not create.
  • Use a password manager so the Amazon password is not reused anywhere else.
  • Review orders, addresses, and payment methods on a routine basis, especially after travel or a device change.
  • If the phone number tied to Amazon ever changes unexpectedly, treat it as a recovery incident and review how to protect your online information.
  • If the same pattern repeats across other accounts, use how to check if you’ve been hacked to separate a single-account problem from a broader device or identity problem.

Amazon recovery is successful when the inbox is clean, the password is new, the orders are quiet, and the payment methods and authorizations match what you expect. That is the point where the incident stops being active fraud and becomes ordinary account hygiene.

If the account keeps drifting back into suspicious activity, stop treating it as a password problem. A recurring compromise usually means the inbox, the device, or the recovery channel still belongs to the attacker. Fix that control plane first and the rest of the account becomes much easier to trust.