UPDATE: The hold has been removed from my account, and I have access again. Even though I had previously been told my account had been closed, it seems like this wasn't final. This resolution was down to an escalation of my case at Amazon, after a team member contacted me through Twitter and promised to personally look into it.
8 days ago I tried to log in to my Amazon retail account, and received a password invalid error. As it turned out my account had been closed, as it appeared to Amazon that it had received a suspicious log in. This is the same account that I use for AWS - hosting websites critical to my business.
Today it appears I am no closer to gaining access back to my AWS account than I was on day 1, even though I have been billed as normal for my services during this time.
This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
Linked is a list of every event and interaction I have had during the last 8 days with Amazon, via Twitter, email, phone and chat.
In all seriousness, email jeff@amazon.com. The most likely outcome is that some relevant managers will receive one of the infamous "?" emails from him.
If so, that'll result in two things:
1) Your problem will be resolved ASAP, managers right up the chain will be tracking it extremely closely, as they'll have to justify every action to Jeff. Everyone goes scrambling when one of those emails goes out.
2) A post-mortem will be done of everything that happened, with processes and procedures improved to ensure it doesn't happen again.
I think that's gone the way of the dodo. Last I remember, he didn't read those anymore, and they were automatically just shunted into the normal escalation flow. Too many people got wind of it and abused it.
It was certainly still active and being triggered by Jeff not long before I left Amazon (just over a year ago now), I used to be subscribed to the list where those post-mortems would appear, and they would always indicate how the escalation occurred.
Nope. Those still work the way OP described, if my recent experience is anything to go by. Not sure if @jeff reads all the emails... but he may have assistants that do and send those out, and track them?
The managers in the escalation chain might tend to panic when the "?" comes about like the OP claims going by the # of emails and phone-calls I received from them.
I don't care if he personally reads them or not but it worked for me in January. I was locked out and phone/email support ignored me or sent me in circles. One email to jeff@amazon.com and my account was restored in a few hours.
I emailed it a couple months back to complain about USPS, and got a reply and a result (all my packages arrive via UPS or some rinky dink carrier now.)
I've seen it happen, repeatedly, and the outcomes of it (even to the point of hardware and software engineers being sent out to visit customers to figure out what is wrong). So yeah.
> This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
So much this.
I had such an account and neglected the retail side (it was linked to amazon.com as well as AWS) as I was using a different account for retail (linked to amazon.co.uk from the days that these were separate systems).
Logging on to amazon.com one day I noticed LastPass suggest I log in, so I did. To see that I hadn't ordered anything retail for 5+ years. So I requested deletion of the amazon.com account (good hygiene, delete unused accounts).
Retail happily obliged... and a week later when payment failed and dunning started I realised what I had done. The account did not exist any more, I could not login to resolve this.
This was entirely my mistake (and quite funny as well as terrifying), but the risk is real.
Should anything happen to your retail account then your AWS account can and will suffer.
I managed to resolve this, I was only using S3 and I wrote a migration tool to remotely move S3 items from one account to another, using only the auth keys that were still active. But woah... if I'd been using EC2 or anything else I would have been in a lot of trouble.
Keep accounts single purpose and obvious. Use an account that only handles your AWS purchases.
I reset a password, then they detected "suspicious activity." I clicked "send pin via email" and the email never shows up. I've done it 3 or 4 times over the course of a week + it never works. It's a documented error + FB/Instagram refuse to address it.
Took me weeks to get back an Instagram account that was locked as soon as I signed up, with a phone number too. Half the forms that are meant to help you are actually broken and 500 error most of the time. After many emails I ended up having to send a photo of myself holding a sign with the username and some random code on it. So bizarre. It's not like Facebook don't know my entire life history, but hoops still had to be jumped through!
And a similar thing has happened to me with Microsoft. I needed to get to my OneDrive. I go to log in, and it says invalid password. I go to reset the password, and it never sends me an email. I go through the alternate-email update process, answer the security questions, and it doesn't believe I am who I am.
When I try to get access to real support (a person), it makes me login. Back to problem #1.
Also, I should note that the email on record is real and works. The only thing I can think of is I named it microsoft@mydomain, and they don't like the word microsoft in it?
We're having the same problem, and it's been well over a month now, and despite several phone calls with Facebook support and lots of emails, nothing is working. We've sent documents, escalated, etc. Nothing works.
We've spent over 200,000 EUR on Facebook/Instagram advertising so far (I guess that's still small fish), and still can't get it resolved.
If anything this, along with similar situation(s?) with Google, should stand as a strong warning against single sign on systems across multiple services with multiple TOS.
Why do you see this as a single sign-on issue? Seems to me the issue is over reliance on large SaaS providers. Same thing happens all the time to Google users.
Because you're unlikely to trigger a violation on your cloud SaaS account, but could easily run afoul of other policies like "Real Name" or "Bought a Pixel Phone and Sold It" or posting something "offensive", getting reported by other users, etc.
If the account is just for a cloud SaaS, then there's likely to be very few policies to disable your account.
But then you're storing passwords in more services, which creates more surface area for breaches.
If you shop with Amazon, host your services with Amazon, watch TV on Amazon...there's simply no way of getting around the fact that Amazon will only want to manage a password for you in one place. The issue is clearly over reliance on Amazon services.
I don't follow your logic about the breach risk. If you're using unique passwords per service (and you really should) then I would expect any breach that involved passwords would have less of an effect. If there is a breach with a centralized single sign on service then every other dependent service is also affected.
There's a big difference between what people should do, and what people actually do. Research consistently shows that a large percentage of people reuse passwords across many sites.
Sure, but I'd bet that people who have cloud services accounts are much more likely to be better at password security than the general public, as a group.
Uh, sure, if you have one account. The point being that if you're smart, you isolate every account. myaccount-aws@domain and myaccount-retail@domain and then turn off cloud services for retail account and turn on two factor auth for SaaS.
That's on you. You can't get the benefit of separation if you have them do it for you.
In the same way you get one company to own your domain and one to run your email. That way when your email provider decides you're a spammer or your account gets closed for uploading a bad app to the Android store, you can go elsewhere and swap your DNS.
A friend had this happen to him (the unauthorized person accessing it). He sells on Amazon and had all his inventory removed from being sold while this was going on. Calls did nothing.
What finally worked was the Amazon Facebook page. He posted on there, they PMed him and he was back up and going within a couple hours where he had been getting the run around for a week or two on the phone.
I had this happen because of a closed AWS account with 2FA that locked out my longtime Amazon.com retail account. The 2FA factor was a business phone number that I had given back to my former employer a couple of years ago.
The best that AWS/Amazon support could give me is start a new Amazon.com account. At least the AWS account wasn't billing anything.
- I log in to my new Amazon account and chat to customer support. They can't really help and tell me they have spoken to another team and I will receive an email within 24 hours
3rd July
- I do not receive an email within 24 hours
- I continue the conversation on Twitter, and get varying responses from different customer support agents, including a suggestion to contact AWS support
- I contact AWS support via a form on their website
- AWS support says the root issue is with my retail account, however, it has impacted my AWS Account as the login is the same, and that I need to email cis@amazon.co.uk who will provide me with further information