Amazon account compromise can combine direct financial abuse with delivery manipulation and identity misuse. Attackers often move quickly: place orders, add addresses, drain gift cards, and then try to lock you out by changing recovery details.
| Immediate sequence | Do this | Why it comes first |
|---|---|---|
| 1 | Secure the email inbox tied to Amazon and enable 2FA | Email is the reset hub for Amazon and the evidence channel for disputes |
| 2 | Reset the Amazon password from a clean device and remove unknown sessions/devices | Stops active access and reduces repeat orders |
| 3 | Audit monetization surfaces: orders, subscriptions, gift cards, payment methods, addresses | These are the levers attackers use to steal value |
| 4 | Contact Amazon through official in-app or on-site support flows | Support impersonation scams are common |
| 5 | Check device integrity if the compromise began with a link or download | Session theft can bypass password changes |
Key idea: secure email first. If your inbox is compromised, Amazon recovery steps can be undone immediately.
Containment: stop orders and stop access
Work on two tracks in parallel: preventing more purchases and removing the attacker’s access.
- Review recent orders and cancel anything unauthorized as quickly as possible.
- Check subscriptions and recurring deliveries and cancel anything you did not approve.
- Review gift card balance and digital purchases for unauthorized activity.
- Change the Amazon password from a clean device.
- Review logged-in devices and active sessions and remove anything unfamiliar (the exact screens differ between web and mobile).
Safety note: do not call Amazon “support” numbers from emails, texts, or search ads. Use only official support entry points.
Secure the control plane: email and phone
Amazon security is only as strong as the email and phone that reset it.
- Change your email password and enable 2FA.
- Remove suspicious mailbox rules (forwarding) and sign out unknown sessions.
- If your phone number is a recovery method and you lost service unexpectedly, treat it as possible SIM swapping.
Common takeover signals and what they imply
| Signal | What it often indicates | Best response |
|---|---|---|
| New orders or subscriptions | Active access | Cancel quickly, secure access, and contact official support |
| New delivery addresses | Fraud setup | Remove unknown addresses and verify defaults |
| New payment methods | Monetization path | Remove unknown methods and review recent charges |
| Password reset emails you did not request | Credential attack | Secure email, rotate passwords, enable 2FA |
| Repeated prompts after changes | Session theft or device compromise | Check devices before changing more passwords |
Common mistake: only changing the Amazon password. If an attacker has email access or an active session, they can return.
Audit the monetization surfaces attackers use
Once you have stopped immediate abuse, do a systematic audit.
- Addresses: remove unknown addresses and verify your default shipping address.
- Payment methods: remove unknown cards/banks and verify the default payment method.
- Orders: check order history, archived orders, and digital orders for anything you did not approve (labels vary).
- Subscriptions: cancel anything you did not authorize and review renewal dates.
- Gift cards and credits: review balances and any recent redemptions.
Keep screenshots and order IDs. Disputes become evidence-driven.
If you cannot sign in
If the attacker changed your email or phone, recovery becomes harder. Use official Amazon account recovery and keep attempts consistent (device and network). If you keep failing recovery prompts, stop and secure the control plane rather than brute-forcing attempts.
If you need a general “locked out” sequence that works across platforms, see the guide on how to recover a hacked account when you cannot sign in.
If the incident started with a phishing email or text
Many Amazon incidents start outside Amazon: a fake order confirmation, a fake delivery fee, or a fake account alert. The goal is to steal a login or a one-time code.
- Do not log in from the message. Open Amazon directly or use the official app.
- Never share one-time codes with anyone. A request for a code is a takeover in progress.
- Expect follow-up scams that pretend to be support. See the guide on how to identify scam emails and phishing.
After recovery: harden to prevent repeat compromise
Once access is stable, harden the account so the next attempt fails early.
- Keep the email account tied to Amazon secured with strong 2FA.
- Use a unique Amazon password stored in a password manager.
- Review sessions and devices periodically.
- Audit addresses and payment methods on a cadence, especially after travel, device changes, or suspicious messages.
See the guide on how to secure your Amazon account for a deeper hardening checklist.
Amazon recovery is successful when orders stop appearing, addresses and payment methods are clean, and your email recovery path is under your control. Once stable, keep a simple routine: alerts for orders, periodic review of addresses, and strong authentication on email and Amazon. The goal is a state where fraud attempts are noisy and reversible, not silent and persistent.
