Serious Security Problem with Amazon; How Is This Even Possible?

This morning, I went to my Amazon account to turn on two-step verification. This system offers an additional layer of protection, and requires that, when you sign into your account, you enter a six-digit code that is sent to you via text message. You can trust devices, so you don’t need to enter the code each time, but at least no one can log into your account from a new, untrusted device without a code.

I have three Amazon accounts. I have been shopping with Amazon in the US since it was launched. I lived in France for a long time, so I have an account there. And I now live in the UK, and have an account with Amazon UK. I use the same password for each of the accounts, and Amazon stores my addresses and payment methods for all of them; if I change any of these on one country account, the changes are made on the others. As such, turning on two-step verification on my US account also turned it on for Amazon UK and Amazon FR.

So I went to check my Amazon accounts in the three countries, and in different browsers. (A trusted device is not just a computer, but a specific browser on a computer, so if you use more than one browser, then you need to enter a code for each one, or trust each one after entering a code the first time.)

When I went to Amazon FR in Firefox, I saw something very surprising. I was not logged into my account, but into someone else’s.

It turns out that the someone else is my son, but this is very worrisome. My son lives in Paris, and while he has visited me in the UK several times since I moved to the country, he confirmed that he has never used my computer to log into Amazon; when he visits, he brings his laptop. In addition, I don’t know his password, and, when I checked Firefox’s saved passwords, no passwords of his show up for any site. While I don’t use Firefox often, I’m sure I’ve logged into Amazon FR in Firefox at least once since I’ve been in the UK.

Note that I can view my son’s shopping cart, but I can’t access any of his account info, or place an order. When you do that, you need to sign in. Amazon displays this screen when I try to access any further information about the account:

[Screenshot: Amazon login screen]

There is a link between us: we each have the other’s address in our address books. But there is no other link. We did share an Amazon Prime account several years ago, but, while he still uses Amazon Prime, my Prime account ran out a few months before I left France, or about three years ago.

I tried calling Amazon FR to find out what happened. The first time, the call got cut off while I was waiting for my case to be escalated. The second time, a person told me to just sign out, as if it wasn’t a big deal. I explained that it was a big deal, that I shouldn’t be able to see someone’s account in any way, not even their shopping cart. After several minutes, I was put on hold for a long time, then the call got cut off.

I’m quite worried about this. I now have two-step verification set up, but I don’t understand how I could be logged into someone else’s account. At least it’s my son’s account, and not some stranger’s, but this simply shouldn’t happen.