A new danger has been added to the already-stressful world of third-party Amazon selling: hackers. Reports have come in from numerous sellers, describing accounts being drained, passwords being changed, fake products being sold, and many other symptoms of a hacking wave.
The consensus on these hacks is that they’re coming from sales on the dark web: malicious groups accumulate millions of email account/password combinations, then sell them for $1-$3 apiece. Sometimes, these compromised passwords come from other sites, and the hackers take advantage of people reusing passwords between sites — a great reason to, at the very minimum, use a unique password for your Amazon Seller account (although you should be doing much more than that — more on that later).
How the hacks affect sellers depends on whether the compromised account is active or not. If the hacker accesses an active account, they will change the bank deposit information and siphon tens of thousands of dollars from Amazon’s holdings into their own pocket. If they find an inactive account, they quickly post hundreds of fake, high-demand products for half price, set them at four-week shipping without any intention of actually delivering anything, and pocket as much cash as they can before Amazon or the owner of the account catches on.
So, some sellers are having half their monthly profits stolen, and others are seeing dozens of alerts from Amazon to ship products that they never sold in the first place. Thankfully, some sellers in the first category are reporting that Amazon is in the process of refunding them for their stolen capital. However, the threat of hacking should still be a huge concern to you, and there’s no guarantee that you will get your money back if a malicious actor worms their way into your account.
Thankfully, there are a number of security measures that you can enable to beef up protection of your Amazon seller account, if you’re not already using them.
Two-factor authentication simply means that every time you sign into your account, Amazon will send a unique code to your phone, and you will need that code to log in. This is fairly easy to enable from Seller Central, and it’s definitely worth the trouble.
This is especially relevant if you’re part of a larger team with multiple users accessing the same Seller Central account: you should restrict access to important settings, such as user permissions or bank information, to just one user with two-factor authentication enabled. All other users within your account (employees, service providers, etc.) should have their permissions limited based on only what they need to do their jobs, and nothing else.
This is a pretty standard security tip, but make sure everyone accessing your main Seller Central account has a unique password for their login that they don’t use anywhere else. This way, malicious actors who hack into another service and scrape a password from there can’t use it to log into Amazon as well.
In order to make this precaution more manageable, you can use a password database for your team. We recommend one that stores passwords in a local database or server rather than in the cloud, but you can use any manager that you or your team feels most comfortable with.
This one is fairly self-explanatory: you can enable email notifications that are sent any time your information or settings get changed on your Amazon Seller account. This way, even if all your other security measures fail, you can still get notified about a hacking attempt much more quickly than you would otherwise, and begin taking action immediately.
There are, of course, numerous other safety measures that you can take on top of the above, but what we've listed here are probably the absolute minimum safety features you need to enable if you're serious about your business's security.