Most people today are pretty careful about which companies they allow to access their personal financial information. We have all heard the stories of people who fell for an online “flash sale” of knockoff UGG boots, Louis Vuitton bags or Rolex watches and learned a valuable lesson about internet thieves, which is why we’re careful to only shop on secure sites–like eBay or Amazon.
But what happens when an internet-savvy person using a well-known website gets their information stolen?
Over the weekend, Amazon customer Eric Springer shared his horrifying tale on Medium. Springer revealed that all a hacker needs to steal your account information is your name, email address and a mailing address–and not necessarily a correct mailing address. And it’s all thanks to the friendly individuals in customer service.
A few months ago, Springer received an auto-reply email from Amazon thanking him for contacting customer service, which was puzzling, because Springer never contacted Amazon.
After reaching out to Amazon and requesting the transcript of the online conversation he supposedly had with customer service, Springer discovered that a hacker pretending to be him used customer service as a “back door” to obtain critical account information.
All the hacker had to do was provide his name, email and a fake home address that Springer occasionally uses to protect his real information if the data is leaked. But even after going to such great lengths to ensure he was protected, his worst nightmare still came true.
By using Springer’s fake address, the hacker was able to obtain his real address—a key detail that, when combined with his name and email, could cause a lot of damage.
Springer let Amazon’s customer service have it, and the company promised to take better precautions in the future. But because of what had already happened, Springer still felt the need to inform the public that what happened to him can happen to anybody. And that is terrifying indeed.
Alex Cranz of Gizmodo attempted to reproduce the hack to see just how big the problem was. She gave Amazon’s customer service an old address that she knew was available in the public domain. Her experience was much different:
“The Amazon Customer Service Representative seemed to pick up on my scam quickly and turned me down flat when I provided the old address. Then, after giving them my actual address, they refused to give out any more information until we had a chat on the phone.”
Cranz concluded that the success of the hack largely depends on the customer service representative handling the request. Her advice for online shoppers was to use a public address, such as their workplace, a FedEx or UPS store, or an Amazon locker.