
So my Amazon account was compromised. (dodgy app?)

  • 12-02-2014 11:22pm
    #1
    Closed Accounts Posts: 14,380 ✭✭✭✭


    Yeah got an email from Amazon that they basically had reset my password as my account had been accessed by a third party.
    Greetings from Amazon Payments.

    Please take the time to read this message - it contains important information about your Amazon.com account.

    After careful review of your account, we believe it may have been accessed and used by a third-party to initiate transactions without your permission. It seems that someone obtained your personal account information elsewhere, and used it to access your Amazon.com account in order to create a new Amazon Payments account. Please note that no unauthorized transactions were completed as we were able to cancel the transaction(s).

    We have closed the newly created Amazon Payments account and have taken immediate steps to secure your Amazon.com retail account. We’ve assigned a new, temporary password to prevent further access by the unauthorized third-party, and removed any credit cards or other payment methods from your account. Additionally, if any information was added to your account by someone other than you, it has been removed. Your Amazon.com account access has been restored and is available to use at your convenience.

    You’ll need to reset your password when you return to our site. Just click “Your Account” at the top of our Home page and select “Forgot your Password?” in the Settings section. Enter your email address as prompted, and once completed, we'll send you an e-mail containing a personalized link. Click the link from the e-mail and follow the directions provided. Your new password will be effective immediately. Please note that you will need to re-enter your complete credit or debit card number during the checkout process.

    It is important to know that Amazon.com accounts can only be accessed by those who know personal, specific information about you and your account -- such as your email address, Amazon.com password, physical address, credit card information, and other details. As mentioned above, it appears someone obtained some of your personal account and/or financial information elsewhere and used it on Amazon.com to access your account.

    While it is not clear how this happened in your case, we do know that personal account and financial information are often obtained by scam artists who send unsolicited email to unsuspecting users asking them to "update" their account information. The email usually contains a link to a website that is controlled by the thief asking the user to submit personal information including email address, password, credit card number, and other relevant information. Once the information is obtained, the scam artist can then gain access to numerous online accounts since many internet users frequently use the same user name, email address, password, and financial information at multiple web sites.
    Please know that Amazon.com employees will *never* ask for your password, nor will we ever send an email asking you to verify personal information.

    Although it appears someone did access your Amazon.com account, they would not have been able to view your full credit card numbers as they are never displayed on our site. However, it is possible your credit card numbers may have been compromised at the time your other personal information was obtained. Therefore, we suggest you carefully review recent credit card statements to check for any unusual activity or unauthorized charges.
    In the future, you can protect your Amazon.com password and account by following some of these safety tips:


    This email was quickly followed by another detailing what the third party was attempting to buy.
    Greetings from Amazon Payments,

    We're sorry, but your Feb 12, 2014 payment to Humble Bundle, Inc. of $6.09 has failed. Details of this transaction are below:

    Payment details:
    Transaction ID:
    Recipient: Humble Bundle, Inc.
    For: Purchase Humble Weekly Sale: Double Fine (transaction id: )
    Amount: $6.09
    Date: Feb 12, 2014
    Payment method: Visa XXXX-XXXX-XXXX-


    Thank you for using Amazon Payments.

    Now I 99.9% access the Amazon marketplace via my phone, I also have the Amazon app market installed.

    I am also 100% confident that I haven't fallen for any phishing mails/scams etc (I'd be fairly wise to these) and my Amazon password was different from any of my other online accounts.

    I'm wondering if a dodgy app could be recording key strokes or something on my phone, and if so, how would I find out which one?

    I regularly enough download Android's various free apps of the day via the Android app market (FWIW)

    Anyone any thoughts?


Comments

  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Do you have a completely unique password for Amazon that isn't used anywhere else?


  • Closed Accounts Posts: 14,380 ✭✭✭✭Banjo String


    Do you have a completely unique password for Amazon that isn't used anywhere else?

    No. I have to admit to using same password in a few different accounts.


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    No. I have to admit to using same password in a few different accounts.

    Therein lies your answer. Get LastPass or some other password manager. Make sure each password is unique so if one site gets hacked they cannot get into another with your details. By recycling you're also making it too easy to get phished, they don't need to hack you, just convince you to sign in or sign up somewhere new on a fake login page.

    Go a step further and enable two step authentication wherever you can too. Sites are being hacked every day without mentioning it.


  • Registered Users Posts: 2,079 ✭✭✭paddydriver


    Therein lies your answer. Get LastPass or some other password manager. Make sure each password is unique so if one site gets hacked they cannot get into another with your details. By recycling you're also making it too easy to get phished, they don't need to hack you, just convince you to sign in or sign up somewhere new on a fake login page.

    Go a step further and enable two step authentication wherever you can too. Sites are being hacked every day without mentioning it.

    Then download Google Authenticator and enable 2 factor auth on Lastpass.. but just take whatever measures you can to allow recovery of your Google Authenticator in case you lose your phone :D


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Then download Google Authenticator and enable 2 factor auth on Lastpass.. but just take whatever measures you can to allow recovery of your Google Authenticator in case you lose your phone :D

    They've already thought of that
    https://lastpass.com/support.php?cmd=showfaq&id=2613

    You can easily regain access to lastpass on the pc you've been using it on. My daughter forgot her password and it was easily recoverable on her own laptop with help from support


  • Registered Users Posts: 1,560 ✭✭✭yllw.ldbttr


    Then download Google Authenticator and enable 2 factor auth on Lastpass.. but just take whatever measures you can to allow recovery of your Google Authenticator in case you lose your phone :D


    Google allows you to set up an alternate number that it will text a code to if you've lost your device, it also gives you ten numeric codes when setting up 2FA - you should print these out and keep a hard copy.


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Google allows you to set up an alternate number that it will text a code to if you've lost your device, it also gives you ten numeric codes when setting up 2FA - you should print these out and keep a hard copy.

    He's on about Lastpass, it uses the Google Authenticator for its two step (as do Dropbox and Microsoft)


  • Registered Users Posts: 1,560 ✭✭✭yllw.ldbttr


    He's on about Lastpass,

    erm.... I think you'll find the comment refers to loss of a handset which uses Google 2FA to authenticate access to any service (there are hundreds using Google)
    but just take whatever measures you can to allow recovery of your Google Authenticator in case you lose your phone :D

    So my advice above stands.


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    erm.... I think you'll find the comment refers to loss of a handset which uses Google 2FA to authenticate access to any service (there are hundreds using Google)

    The above info is only relevant to logging into Google services, not Lastpass. I already posted the action you take https://lastpass.com/support.php?cmd=showfaq&id=2613


  • Registered Users Posts: 1,560 ✭✭✭yllw.ldbttr


    The above info is only relevant to logging into Google services, not Lastpass.

    It's relevant to anyone who uses Google 2FA to authenticate access to any service, which is what I quoted above.


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    It's relevant to anyone who uses Google 2FA to authenticate access to any service, which is what I quoted above.

    It only gets you access to your Google account, will not get you access to Lastpass or Dropbox. You obviously don't understand how it works, when you add Lastpass or Dropbox to your Google Authenticator it does not have the same verification number as Google, it has a different one therefore you must deal with either Lastpass or Dropbox to get access to their service.
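
The point made in the post above, that each service added to an authenticator app has its own secret and so its own codes, shown as an added example that is not part of the original thread: an RFC 6238 TOTP calculation in Python with a per-service verification check. The service names and the second secret are constructed for illustration; the first secret is the RFC 6238 SHA-1 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the usual authenticator-app default

# Constructed enrolments: one independent shared secret per service.
ENROLMENTS = {
    "service-a": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 SHA-1 test key
    "service-b": "JBSWY3DPEHPK3PXP",                  # constructed sample secret
}


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one shared secret at one point in time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(service: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: only the secret enrolled for this service is used."""
    secret = ENROLMENTS[service]
    return any(
        hmac.compare_digest(totp(secret, max(unix_time + drift * STEP, 0)), code)
        for drift in range(-window, window + 1)  # tolerate one step of clock drift
    )


def accepted_by(code: str, unix_time: int) -> list:
    """Names of the services that would accept this code at this time."""
    return [name for name in ENROLMENTS if verify(name, code, unix_time)]


if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    for name, secret in ENROLMENTS.items():
        print(name, totp(secret, now))
    code_a = totp(ENROLMENTS["service-a"], now)
    print("code from service-a accepted by:", accepted_by(code_a, now))
```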


  • Registered Users Posts: 1,560 ✭✭✭yllw.ldbttr


    You obviously don't understand how it works.

    I give up. Read back again. Maybe a little slower.

    I referred only to a person who loses their device with 2FA and how they can regain access.

    DID
    NOT
    MENTION
    LASTPASS


    On that note I'm out.


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    I give up. Read back again. Maybe a little slower.

    I referred only to a person who loses their device with 2FA and how they can regain access.

    DID
    NOT
    MENTION
    LASTPASS


    On that note I'm out.

    Yes you did, maybe you should be the one to read back slower. Your first post quoted a post which says Lastpass then you even went on to say any service
    http://www.boards.ie/vbulletin/showpost.php?p=88991926&postcount=7

    erm.... I think you'll find the comment refers to loss of a handset which uses Google 2FA to authenticate access to any service (there are hundreds using Google)

