In a blog post on Medium, self-described “security conscious user” Eric Springer reveals how an Amazon customer service representative gave out his home address and phone number to cybercriminals. The attacker used Amazon’s customer service chat function, gave the Amazon rep Eric’s email address and a fake home address, and asked the representative where his latest order was being shipped. The representative complied and gave the attacker Eric’s real home address and primary phone number in addition to identifying the item in question. Subsequently, the attacker was able to use the information to convince Eric’s bank to issue a new copy of his credit card. 

Springer was astonished by the development: “Amazon.com was one of the few companies I trusted with my personal information. After all, I shop there, I used to work as a Software Developer and I am a heavy AWS (= Amazon Web Services) user.” He suspects that the person who perpetrated the successful phishing attack on the customer service rep. used information he had used to register one of his websites: such information is, by default, publicly available. But it does not discount the fact that the customer service rep had such a low standard of due diligence as to accept a fake address as criteria for verifying a user. 

Springer contacted Amazon: “Trying very hard to not take out my frustrations on an unrelated support rep, I contacted both Amazon Retail and AWS expressing my disappointment and asking them to put a note on my account that it is at extremely high risk of being social engineering.” However, several months later, Springer was notified of another customer service interaction from his account which he had not initiated. This time the attacker attempted to get the last four digits of his credit card and didn’t succeed. Once again Springer asked for a warning to be placed on his account so that future customer service representatives know his account is at risk for fraud.  

A day later, Springer received another notification of a third customer service interaction from his Amazon account which he did not initiate: “Here’s a link to the invoice you asked about…” In this case, the attacker contacted Amazon customer service by phone and Springer could not receive a transcript or recording of the call to verify what information of his had been released. Based on his previous experience, he had to assume that Amazon had once again provided a criminal with his personal information. Another Medium user tested Springer’s claims and posted screenshots of their own which show another Amazon customer service presentative giving out his home address after he verified his identity using only his email address and a fake location: