Amazon has very strict policies in place regarding how users can sign up to their site and begin making purchases. But what would you do if you needed to change the email address of an account that contained your name, address and credit/debit card details?
Amazon allowed an account holder to call in and change the email address as long as the caller could be identified by name, email address and mailing address. These are details that can easily be obtained online.
On Tuesday Amazon amended their policy, which now prevents users from calling in to make account settings changes, such as changes to the card details or email address associated with their account. No official comment has been made by Amazon, but representatives have stated that the changes have been put in place for “your security.”
On Friday 3rd of August, a 19-year-old hacker, identified as “Phobia”, gained access to Honan’s account. You can read Neowin's report on how the situation then spiralled out of Honan’s control here.
Honan himself has admitted that daisy-chaining his accounts together was his own fault and he deeply regrets his lapses in security.
Amazon’s policy change was discovered when attempts to replicate the exploit failed.