Still locked out of my AWS account (docs.google.com)
463 points by colinmeinke on July 7, 2017 | 274 comments

I've been locked out of my AWS account for almost 3 years now. I have 2FA enabled, tied to a phone number I no longer have access to.

I receive two emails per month. One invoice, for $0.80 (I cannot remember what is running on there, but I guess it must be something). One threatening, "Your AWS Account is about to be suspended". I've been "about to be suspended" for the entire 3 years.

I want to pay the bill, I can't log in.

I emailed, I phoned. Eventually I spoke to somebody, who told me the only way I could access my account was to fill in "some paperwork"[1]. They emailed that to me. It has to be notarized. I called again, they absolutely will not accept this if it is not notarized.

I've explained to them that all I want to do is pay the ~$30 in bills I've accrued for 3 years. I don't mind if I never get access to the account - let me pay the bill and shut the account down, they won't have it. I don't have any free notary access, and I'm not willing to pay more than the AWS bill amount just to be able to pay the bill. I've explained that to them, and they don't seem to care about that either; they'd rather not have the bill paid and continue piling it up.

[1] https://s3.amazonaws.com/AWSCS_CustomerForms/IdentityVerific...

I was locked out of my AWS account for about 2 years due to losing my 2FA authenticator on my phone. But I had no open bills and didn't really care about it, so I did not try to gain back access.

Until last week, when I decided that I need to use the account again. I simply clicked the recovery link on their 2FA login form. Had to enter my account details and my phone number. Within 15 minutes (as stated on the website) a member of their service team called me. I explained the situation (lost 2FA app). Not a problem, the service agent told me. He then sent me an e-mail (to my AWS-associated mail address) with some random characters, which I had to read back to him. After that he simply removed 2FA, and I was able to log in with my username/password. For me the experience was quite pleasant, but had someone else had access to my e-mail account and known my AWS username/password, he might have been able to take over my account, bypassing 2FA. I don't quite know how to feel about that.

EDIT: Ok, this probably only works if your phone number is also already associated with your account. So an attacker additionally would need access to my phone number, making things quite a bit more secure in my view.

Could the number be spoofed?

Unfortunately, yes - by going through the customer services of most mobile phone companies.

As of late, transferring phone numbers against the owner's will is a thing.

I'm sorry for what you have to deal with, and I think as an industry we have definitely not thought through the 2FA-over-phone system.

But I feel like asking for a notarized letter confirming you are actually "you" is quite reasonable. Otherwise it'll be all too easy for malicious social engineering.

What's the consequence of him being impersonated here though? Some fraudster pays his bill and gets nothing out of it?

Some fraudster shutting down an account that should actually be kept running, owned by someone who is merely very lax about paying bills.

If you aren't paying your bills, then you shouldn't be surprised that it gets shut down.

The idea being that it wasn't Amazon that shut it down, but the fraudster.

I guess I fail to see the importance of the difference. Legal reasons?

Amazon is responsible for making a reasonable effort to prevent anyone unauthorized from doing anything to an account. Swap "shut down" with "read personal information tied to account" or "upload a heinous webpage to the AWS server," whatever.

This is not one of those "by any means, achieve the ends" type scenarios.

Who downvoted you for saying one shouldn't be surprised when an account gets shut down after not paying for 3 years?

On that note: why hasn't the account been shut down for nonpayment?

Presumably because that only happens when it crosses a threshold dollar amount, and $0.80/month isn't enough to get it over that threshold.

(That price is too small for there to be a running instance; it's most likely for storage belonging to an instance that was shut down, such as a 16GB EBS snapshot. It is reasonable that Amazon would be very careful about deleting that.)

Maybe the debt needs to be groomed on paper before it's sold.

Please don't complain about downvotes

That's not particularly relevant to the question of whether a fraudster should be able to shut down your account simply by offering to pay the current bill.

Someone gains unauthorized access to their data stored in AWS.

Wouldn't the consequence be that a fraudster gets complete access to the account and starts doing nefarious stuff?

The Amazon support employee gets fired during some internal audit for policy noncompliance?

> let me pay the bill and shut the account down

The account gets shut down

The problem is that as they get bigger, they may soon automate delinquent account notifications to debt collection agencies which could impact your credit rating sometime down the line.

You are unfortunately on the wrong side of an asymmetric relationship here.

That's solved by disputing the debt. Document the good faith attempts to pay.

I take it you haven't actually tried disputing debt. It's not a simple process, and can wreak havoc on your credit even if you are clearly not at fault.

I have disputed debt. Simple is relative, but I certainly did not have any trouble with the process.

It's true that your credit can be damaged by false reports. It's also true that damages resulting from false reports are recoverable.

If you don't feel like you can do it yourself, hire a lawyer and have them sue Amazon to recover their fee.

They are not recoverable. Good luck trying to get your rewards back once the credit card company cancels your card because some moron entered your social security number instead of someone else's at the debt collector. Sure, you can get a new account once your credit score is back, but you get no sympathy from the credit card company. Even after more than 10 years with them.

Of course they're recoverable. See JOHN STEVENSON vs. TRW for example.

You seem to be saying lawsuits are a hassle. Yes, they are.

Still a hassle you shouldn't have to go through.

I sympathize with your predicament, but I can say I am very happy to know that Amazon won't just let anybody get access to a 2FA account without a substantial burden of proof.

We all read horror stories of people's accounts being compromised via trivial social engineering hacks. This will always be a balancing act. And to be honest I am all for erring on the side of caution.

You can get something notarized, at least in Illinois, for $1. Just go to a currency exchange. Most banks will do it for free.

The term "notarization" means very different things depending on the country you live in.

Outside the US this process can be lengthy and/or expensive as it can even result in official government stamps, translations, etc.

GP is in San Francisco. Standard notary fee is $20 in California, but some companies will subsidize it.

I feel sorry for those foreign countries where notaries are either rarefied or unobtainably expensive, but it doesn't apply to this thread.

That said, I think Amazon's policy of notarization (at least in the US sense and fees) seems a reasonable policy from an account security standpoint. Not sure I can sympathize with GP who voluntarily added 2FA to their own Amazon account, then no longer had access to the phone number they previously used. $20 is not unreasonable for something that GP could have prevented with some forethought.

Yes, my bank branch notarizes for free.

This is quite different in Australia, where notaries public are appointed either by the State Supreme Court or by an Archbishop. Almost all of them are solicitors or barristers, sometimes retired from practice.

As an Australian, if your workplace has a legal department - make friends with someone there.

It can save you a huge headache when you need to do something like apply for a home loan, and need tonnes of notarised papers.

In the US the bank sends a notary free of charge with all your paperwork to sign. What a pain that you don't get this service!

Their security worked; you lost access, so this is entirely your problem. I'm happy to see that AWS requires notarization to get past 2FA.

Regardless of the size of the bill, comparing it to cost of a notary (which is very minimal) is irrelevant.

The exact same thing happened to me. In my case I still had a t2 instance running and was billed ~$15 a month. Eventually I shut down the instance over ssh, but that didn't change the overall situation.

I was studying in Germany at the time, and access to a notary public costs about $40 USD there. I asked the AWS support on the phone if letting the payments bounce would suspend my account, which they confirmed.

Unfortunately, every time I disputed the payment with my bank, AWS sent me a physical copy of their terms and my billing address as proof of contract, and my bank would process their payment. Eventually, 3 months in, my credit card expired anyway, solving at least that part.

They still tried to charge me for about 6 months afterwards, but I haven't heard back from them since. Interestingly, I opened a second account, with the exact same billing address, but a different credit card without problem. But I don't really use AWS anymore since then.

I totally believe that they (AWS) just stuck to their process, which was enacted in good faith. But switching my phone number should have not caused that entire fiasco.

I recently noticed a $20-30 charge each month from 'Amazon Web Services' on the credit card and vaguely recall signing up and trialing it one day (must have left a small instance running I guess too).

I had to cancel that credit card in the end as I couldn't get access to the account and their support is, as far as I can tell, automated email responses. I also had the threat to suspend my account over many days (to which I was responding, 'Yes, please do'), but they stubbornly just kept threatening instead of closing the account. The support person did not seem to respond to what I wrote in my replies at all, just pasted a stock response that didn't make sense in context.

They really cannot seem to handle their scale in terms of their customer support (and I wonder how many people are getting bitten for small chunks of cash).

Have you made any attempt to work something out with whoever may have your old phone number? Explain the situation to them? Maybe they'd be kind enough to send you the 2FA code for the account?

The UPS Store will notarize stuff for like $10-20, FYI.

Unless you live in Kansas, Iowa, Maine, Alaska, or Louisiana, you won't be charged over $10.

I'd be worried about them sending your account to collections -- would be annoying to take a credit hit over this ... insane as it is that you have no ability to resolve this situation now without hardship, you also won't have hardship free resolution path after it goes to collections ...

I guess if it goes to collections you'll at least then be able to pay the debt collector -- but you'll still take a credit hit ...

At what point does the debt get sold to a debt collector, thus causing you more trouble and pain than paying for a notary would cost? Also, if you're in the US and maintain a bank account, many banks offer free notary services.

It depends - but once that happens he is likely in the clear. The FCRA (https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act) states that once a debt is acquired by a new party, you (the debtor) can demand a proof of debt. If you don't get it in 30 days after the demand, the debt is null and void. If you do get it - proceed directly to small claims court and dispute it with all your documentation, and ask for an immediate bench ruling. There are precedents for this type of thing, and they are on the poster's side.

Most cities charge <$50 for small claims court hearings too.

Can't you also ask to recover any court fees from the defendant if you win?

I love your willingness to be blackmailed.

It's not blackmail. He locked himself out of his account, and Amazon is erring on the side of caution before turning off services and shutting down accounts.

While it might be a nuisance to get a document notarized, it's not some extraordinary hardship. The policy is there to prevent abuse. If he prefers to let his bill go unpaid as a result of locking himself out of his account, that's his choice.

The point of humans providing customer service is that they can judge that in this case the account can in fact be closed without harm.

You shouldn't have your credit ruined for not wanting to give up your documents to some shitty company.

That's not what's happening here. Not paying your bills does rightly deserve a warning on credit reports.

Not paying your bills because you lost access to your own account does not change this situation. The same way that having no income or car or phone or internet and being unable to pay your other bills doesn't excuse those liabilities either.

It's practical advice.

Ask the office manager at your job if there's a notary public on staff.

It's not uncommon for one of the assistants or the office manager to get certified as a notary. It's very useful for small office situations and short deadlines.

Your bank can usually notarize the document for free.

This. I do it all the time. They have no problems with it.

You're willing to pay the $30, $40, $50 AWS bill for services you aren't using but the $5 notary charge is some grave affront?

As said already in other comments of the sibling thread: notary fees can differ hugely depending on state/country and may be more on the order of $40-$50.

Having had a brief search around, the standard UK price per page of a document to be notarised seems to be £60. Or, as here, ~£200 per hour - http://www.premiersolicitors.co.uk/Legalisation,11332,10160,....

As said already in other comments: the poster is in San Francisco. Last time I had to get something notarized in SF, I went to a UPS Store and it cost me $15.

I don't understand. Why don't you just notarize the form and send it back to them? Notaries are really cheap.

They like having something to complain about. The poster lives in/near SF and has hundreds of notaries available to them for 0 to minimal cost, time, and effort.

Have you tried calling your old phone number and seeing if it's been recycled? You could have that person do the second factor for you.

Cancel your card. Problem solved.

To clarify, get a new number for your credit card account; don't cancel it entirely. If it's your oldest credit card account then canceling it outright will have bad repercussions for your credit score.

That's not necessarily sufficient. If the card is a Visa or MC and the credit card uses the card update service that is available for such cards, then that might give Amazon the new card number on the account. I believe that whether or not the update service works for a specific card is up to the entity that issued that card.

If you report the card as lost or stolen, I would guess that the update service wouldn't be used: the bank likely doesn't want to update the card number with someone who might have added it fraudulently.

8 days ago I tried to log in to my Amazon retail account, and received a password invalid error. As it turned out my account had been closed, as it appeared to Amazon that it had received a suspicious login. This is the same account that I use for AWS - hosting websites critical to my business.

Today it appears I am no closer to gaining access back to my AWS account than I was on day 1, even though I have been billed as normal for my services during this time.

This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.

Linked is a list of every event and interaction I have had during the last 8 days with Amazon, via Twitter, email, phone and chat.

In all seriousness, email jeff@amazon.com. The most likely outcome is that some relevant managers will receive one of the infamous "?" emails from him.

If so, that'll result in two things:

1) Your problem will be resolved ASAP, managers right up the chain will be tracking it extremely closely, as they'll have to justify every action to Jeff. Everyone goes scrambling when one of those emails goes out.

2) A post-mortem will be done of everything that happened, with processes and procedures improved to ensure it doesn't happen again.

I think that's gone the way of the dodo. Last I remember, he didn't read those anymore, and they were automatically just shunted into the normal escalation flow. Too many people got wind of it and abused it.

It was certainly still active and being triggered by Jeff not long before I left Amazon (just over a year ago now); I used to be subscribed to the list where those post-mortems would appear, and they would always indicate how the escalation occurred.

Nope. Those still work the way OP described, if my recent experience is anything to go by. Not sure if @jeff reads all the emails... but he may have assistants that do and send those out, and track them?

The managers in the escalation chain might tend to panic when the "?" comes about, like the OP claims, going by the # of emails and phone calls I received from them.

I don't care if he personally reads them or not but it worked for me in January. I was locked out and phone/email support ignored me or sent me in circles. One email to jeff@amazon.com and my account was restored in a few hours.

I emailed it a couple months back to complain about USPS, and got a reply and a result (all my packages arrive via UPS or some rinky dink carrier now.)

It definitely still works that way, in my experience.

Probably only works if you know Bezos personally nowadays.

Can you provide some links to stuff about the infamous "?" emails?


and a little bit here: https://www.quora.com/Whats-it-like-to-receive-a-question-ma...

No one inside Amazon wants to receive a question mark email from Jeff, and a number of the VPs have picked up the habit too.

Duckduckgo wasn't so helpful with this one. :-(

Because you think sending an email to Jeff will actually get into his inbox or even read by himself? lol.

I've seen it happen, repeatedly, and the outcomes of it (even to the point of hardware and software engineers being sent out to visit customers to figure out what is wrong). So yeah.

This has happened plenty of times. Examples are in this thread.

> This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.

So much this.

I had such an account and neglected the retail side (it was linked to amazon.com as well as AWS) as I was using a different account for retail (linked to amazon.co.uk from the days that these were separate systems).

Logging on to amazon.com one day I noticed LastPass suggest I log in, so I did. To see that I hadn't ordered anything retail for 5+ years. So I requested deletion of the amazon.com account (good hygiene, delete unused accounts).

Retail happily obliged... and a week later when payment failed and dunning started I realised what I had done. The account did not exist any more, I could not login to resolve this.

This was entirely my mistake (and quite funny as well as terrifying), but the risk is real.

Should anything happen to your retail account then your AWS account can and will suffer.

I managed to resolve this, I was only using S3 and I wrote a migration tool to remotely move S3 items from one account to another, using only the auth keys that were still active. But woah... if I'd been using EC2 or anything else I would have been in a lot of trouble.

Keep accounts single purpose and obvious. Use an account that only handles your AWS purchases.

This happened to me with instagram.

I reset a password, then they detected "suspicious activity." I clicked "send pin via email" and the email never shows up. I've done it 3 or 4 times over the course of a week + it never works. It's a documented error + FB/Instagram refuse to address it.


Took me weeks to get back an Instagram account that was locked as soon as I signed up, with a phone number too. Half the forms that are meant to help you are actually broken and 500 error most of the time. After many emails I ended up having to send a photo of myself holding a sign with the username and some random code on it. So bizarre. It's not like Facebook doesn't know my entire life history, but hoops still had to be jumped through!

Do you have any numbers or emails you used to get in touch? I've sent in like 3-4 support requests and it's a black hole!

And a similar thing has happened to me with Microsoft. I needed to get to my OneDrive. I go to log in, and it says invalid password. I go to reset the password, and it never sends me an email. I go through the alternate-email update process, answer the security questions, and it doesn't believe I am who I am.

When I try to get access to real support (a person), it makes me login. Back to problem #1.

Also, I should note that the email on record is real and works. The only thing I can think of is I named it microsoft@mydomain, and they don't like the word microsoft in it?

This is worse because at least with mine, they send the reset password (so I know they have the right email on file).

Then, when they send the PIN to the same email - it never actually shows up. Ugh.

Same here (email never arrived) with my Apple Developer Account.

I got into a similar situation when Apple prompted me to turn on 2-factor auth, and then after I accepted it wouldn't send 2-factor codes.

Thankfully the "we turned on 2-factor" email gives you a link to turn it back off within 30 days or I would have been in some trouble.

Makes me feel better about all the time I spent on the password reset functionality for my latest project.

We're having the same problem, and it's been well over a month now, and despite several phone calls with Facebook support and lots of emails, nothing is working. We've sent documents, escalated, etc. Nothing works.

We've spent over 200,000 EUR on Facebook/Instagram advertising so far (I guess that's still small fish), and still can't get it resolved.

If anything this, along with similar situation(s?) with Google, should stand as a strong warning against single sign on systems across multiple services with multiple TOS.

Why do you see this as a single sign-on issue? Seems to me the issue is over-reliance on large SaaS providers. The same thing happens all the time to Google users.

Because you're unlikely to trigger a violation on your cloud SaaS account, but could easily run afoul of other policies like "Real Name" or "Bought a Pixel Phone and Sold It" or posting something "offensive", getting reported by other users, etc.

If the account is just for a cloud SaaS, then there's likely to be very few policies to disable your account.

But then you're storing passwords in more services, which creates more surface area for breaches.

If you shop with Amazon, host your services with Amazon, watch TV on Amazon...there's simply no way of getting around the fact that Amazon will only want to manage a password for you in one place. The issue is clearly over reliance on Amazon services.

I don't follow your logic about the breach risk. If you're using unique passwords per service (and you really should) then I would expect any breach that involved passwords would have less of an effect. If there is a breach with a centralized single sign on service then every other dependent service is also affected.

There's a big difference between what people should do, and what people actually do. Research consistently shows that a large percentage of people reuse passwords across many sites. [1]

[1] http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf

Sure, but I'd bet that people who have cloud services accounts are much more likely to be better at password security than the general public, as a group.

Uh, sure, if you have one account. The point being that if you're smart, you isolate every account: myaccount-aws@domain and myaccount-retail@domain, and then turn off cloud services for the retail account and turn on two-factor auth for SaaS.

That's on you. You can't get the benefit of separation if you have them do it for you.

In the same way you get one company to own your domain and one to run your email. That way when your email provider decides you're a spammer or your account gets closed for uploading a bad app to the Android store, you can go elsewhere and swap your DNS.

Create multiple accounts then

Yeah, it's convenient to have only one, but it seems it's dangerous as well

Because if you lose that single sign-on account, you lose everything attached to it as well.

Amazon offers many services, of course they are going to want users to have one set of credentials to access all those services.

There are trade-offs to every security approach, but storing passwords at every web service is 100x worse.

I don't understand your concern. We all have numerous accounts all over the web. Having one or two more doesn't increase our attack surface 100x.

What do passwords have to do with this?

A friend had this happen to him (the unauthorized person accessing it). He sells on Amazon and had all his inventory removed from being sold while this was going on. Calls did nothing.

What finally worked was the amazon facebook page. He posted on there, they PMed him and he was back up and going within a couple hours where he had been getting the run around for a week or two on the phone.

Are services offline or are you just locked from accessing the account?

My services are still online, so it's not a total disaster (yet), but I cannot sign in to the AWS control panel.

Definitely time to change services ...

I had this happen because of a closed AWS account with 2FA that locked out my longtime Amazon.com retail account. The 2FA factor was a business phone number that I had given back to my former employer a couple of years ago.

The best that AWS/Amazon support could give me was to start a new Amazon.com account. At least the AWS account wasn't billing anything.

Also having a problem with AWS - can't access it, and they keep billing me for something there that I want to shut down (EC2?), but I can't.

I recently moved from Brazil to the UK (new address) and changed phone + SIM card (the Authenticator app lost all two-factor auth entries after restoring from backup).

This is the moment when you realise that you're outside of predefined use cases of The Machine and you're fucked. Nobody is here to help you. I've tried, nobody gives a shit at Amazon. They have procedures, you know.

I blame 2FA, and I think it's great if you don't have problems, but it's shit if you do, i.e. you move places, change phones etc. in your life. Something there in the process is missing, like "next of kin" recovery that should be mandatory when enabling 2FAs.

This anecdote makes me very happy with AWS. I want loss of 2FA to completely revoke access to my account. Otherwise any smart hacker can social engineer Amazon support with some fake drivers license photo and steal all my BTC (for example).

So what is your plan in case your phone gets lost/stolen/whatever and you lose access to your TOTP app?

I use Authy as my TOTP client. It has an encrypted backup feature and allows me to share tokens between my devices (computer, phone, iPad, etc.). It's saved me on more than one occasion. :)

Use the backup codes they provided you with when you set up 2FA. Or does Amazon not have those? (If not that seems really strange, every other service I've set up 2FA on has that recovery method.)

They don't provide backup codes.

I have encrypted backups of all my 2FA secrets in two locations. I change phones every year and have never lost an account.

Yeah, that sounds good and all, but what happens if you lose your 2FA then?

This is why, when creating a new 2FA login, you MUST write down the one time use backup codes, and store them in a safe and secure place.

I don't think I've seen any backup codes when enabling 2FA on AWS - do they provide them? Support people haven't mentioned anything about those. If they show them I must have put them somewhere...

I learned this the hard way when google authenticator failed to restore my keys after a phone upgrade. Now I make sure I copy the data from those QR codes and store them in a GPG encrypted file (I store the data and the QR code itself as utf-8 art in the file).

The way that first sentence is phrased makes it sound like it was the app's fault.

I blame the app entirely. Not marking the private keys as something to backup is a really really sucky thing to do.

Most services don't have one-time backup codes, unfortunately.

>Something there in the process is missing like "next of kin" recovery that should be mandatory when enabling 2FAs.

Wouldn't this just weaken the second factor? Services that have bypasses to 2FA wind up rendering it useless.

NearlyFreeSpeech seems to have pretty comprehensive account recovery procedures, though I can't say I've ever used them.


I store my 2FA in 4 different authenticator apps on my phone just in case.

Google Authenticator has never restored these properly, ever. Encrypted backups or not.

I didn't know you could do that. I thought it generated device- (app-) hashed codes that were synced with the first code, or some other magic; just today I learned it's just based on this initial code (usually presented as a QR code), so you can do as you say and record it in multiple places. Great idea, especially since there are even command-line tools for it. I'll replicate it on my desktop next time. For now I have to go to a notary and send signed docs to Amazon; hopefully that'll work to get back access.

You should try Authy. I switched over to it after I got burned by Google Authenticator deleting all my tokens after an upgrade. It can store your tokens in an encrypted central location and allows you to share tokens between devices (computer, phone, tablet, etc.). It kinda freaked me out at first but now I really like it.

It's not supposed to restore them.

Google Authenticator is a bad 2FA app. Authenticator+ costs a couple of bucks but has many features that make it much easier to use, including the ability to back up an encrypted copy of your 2FA keys (standard disclaimers about risk of compromise to this file, yadda yadda yadda). When you change phones, you just download that, decrypt, and pick up where you left off; no hassle trying to replace the 2FA generators, which is a PITA when you have one 2FA, let alone going through that process for several accounts.

If you're going to use Google Authenticator anyway, at least unlock your bootloader before you initialize the identities. You can't get to the key database without being rooted, even if you're doing a full backup with adb, and unlocking/relocking the bootloader wipes the device.

Mobile phone authenticator apps are not that great anyway. They rely on the security of a phone that is connected to the net to keep the keys secure. If someone can get code running on the phone and exploit a privilege escalation vulnerability to get root, they can read the keys. A hardware token like a Yubikey or similar is probably more secure.

Another problem with the Google authenticator, at least for Google accounts, is that you have to add a phone number to your account to use it, I think, and they then allow access by SMS, which is not so hard to circumvent.

You can remove the phone number once you add another 2FA method, such as U2F (Security Key) or TOTP (Google Authenticator or other TOTP app).

I like to think "thank god I have a Google Voice number", but then I realize if Google just decides to shaft Google Voice, as they have with countless of their projects in the past, I am totally fucked with regard to the many things that 2FA off it.

I had this situation. I had an AWS account linked to some email I no longer had access to and could not get into the account. I opened a support ticket and they sent an email to the old address, after 10 days of no response they sent it to "Legal" for review. The account was then closed by them which resolved it for me.

I had 2FA activated, changed phones and lost it. I couldn't log in to my account, so I contacted support. Within about 30 min they had put me back into my account.

The dude who helped me was super chill and understanding as well.

What is the purpose of 2FA when social engineering the support team circumvents it? This should not be possible! Lost your phone? That’s what 2FA backup codes are for.

What's your proposed resolution for the two cases in this thread?

That if you lose access to all of the 2FA methods you have available, you should just lose access to your account and there be no way to recover it.

If there is a way to recover it, that has to be secured too, and there are only a limited number of ways you can do that (and the more that are enabled, the harder it is to secure). Most services with 2FA offer a set of one-time codes that you can write down and store securely at multiple locations (safes in different places, a safe deposit box, etc.). It is not that hard to avoid losing access if you care. If you don't care enough about the account to do this, just accept losing access, cancel the card payment authorisation, and lose it.

Companies should not grant access to accounts with 2FA by letting you call support unless they at least take proper steps to ensure that you are the account owner, which is pretty impractical in most cases (it is either too costly to be worth it or too hard to do well enough). Demonstrating that you are the account owner to recover it if you have lost 2FA access should at least require a visit, in person, with photo ID being checked with the relevant authorities (for example the passport service examining your passport to check it is not a forgery), and multiple people who can attest that you are in fact the person in the photo, for which they would presumably have to charge hundreds of dollars. It seems easier to just not offer recovery in most cases.

Unless you have written backup codes, there should not be a resolution possible. You either remember to change phone #s before you change them, or you are locked out. Deal with the phone company.

> "There should not be a resolution possible"

This guy works in customer service. LOL

If you're sending me a bill, you need to provide a way for me to resolve an issue such as this. "There is not a resolution possible, we will continue billing you in perpetuity thank you good day" is not acceptable. (It's AWS and they do, so maybe it is, but... try building a new service that isn't AWS with that attitude, and see how far it gets you!)

I kind of see chargeback as a potential resolution for this. If you lost access to your account and can't shut down billing via the normal route, you could still stop payments from your bank or credit card. That is the ultimate source of truth anyway, in regards to payments, so you could "prove" who you are by stopping all continuing payments to the service.

So say I do this, and later my account is sent to collections. Can you think of a worse possible outcome when your phone is dropped in the toilet if you have no scheme for 2FA recovery?

My cloud-hosted business gets shut down, credit score tanks, because of the combination of my butter fingers and your secure authentication scheme! Might as well not employ any CSR drones at all if you're not going to handle this case. Maybe I'm exaggerating, but this is not a great strategy for customer satisfaction or retention.

To the extent that in a dispute situation, who pays the bill =/= whomever holds the keys, my preferred customer service strategy would tend to favor who is paying the bill.

I haven't heard of hosting companies sending anyone to a collection agency. It could happen, sure, but I think it's more likely they just cancel your account and suspend all continued hosting (which, if you believe 2FA should be impossible to circumnavigate, is probably the ideal outcome). From there you would probably open a new account and start over.

I could see the argument either way on if this is the most optimal solution or not.

>If you're sending me a bill, you need to provide a way for me to resolve an issue such as this.

not if you want it to provide real security.

I don't give a fuck if someone else wants to pay my bills.

Yeah, for real why does my Comcast account need 2FA?

so you would have no problem posting your username and password for comcast publicly?

Hell no, without 2FA those are the only things protecting my account! Why would I want to post them publicly? That doesn't even make sense.

I do business with 4 banks and have no less than 4 credit cards, and I'm pretty sure that none of them offer proper 2FA with tokens for the online accounts. Now that you mention it, this is a serious question. Why does Comcast get there before any of the major and/or local banks?

I'll admit, if I can protect my Comcast account and as a result, I never have to speak to another one of their Customer Service Reps, it would be a huge victory! This is probably part of their retention strategy, to be fair.

It's telling that there's no mention on any document, or in the interface to Comcast's 2FA settings (that I can find anyway), of how to use it for protecting the set-top box from ordering Pay-Per-View content.

If I turn on 2FA, I'm pretty sure I won't have the option to use it when ordering PPV. It looks like they have a PIN lock instead. Maybe I can disable PPV and protect it with the second factor?

I honestly have no idea why it's even an option. Are swatters gonna log into my Comcast account, upgrade my XFINITY connection to the maximum bandwidth, and sign me up for all of the premium channels?

Or are they hacking my account so they can pay the bill for me :-D

I would have a problem posting them publicly. Now, if someone wants to trick Comcast support so they can pay my bill, go ahead!

UPDATE: The hold has been removed from my account, and I have access again. Even though I had previously been told my account had been closed, it seems like this wasn't final. This resolution was down to an escalation of my case at Amazon, after a team member contacted me through Twitter and promised to personally look into it.

Did they mention this article when they contacted you?

Glad to hear that ;)

Some great advice in here about creating multiple accounts with a + sign in the email address. One thing I didn't see mentioned that is a standard best practice for AWS is to create a separate IAM account for your day to day usage and NEVER log into your root account (unless you need to open a billing support ticket) after creating the IAM account.

You will get a new login page and username to log in with and not need an email address specific account.
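The advice above (create an IAM user for daily work, touch the root account only for the handful of things IAM cannot do) is easy to state and easy to drift away from. As an added example, not from the comment or from AWS, here is a small detection that runs over CloudTrail-style records and flags every use of the root user, grading a root console login without MFA as the worst case. The records are constructed by hand for this example; they use the real CloudTrail field names `userIdentity.type`, `eventName`, `additionalEventData.MFAUsed` and `responseElements.ConsoleLogin`, but they are not real log output, and the account ID is a placeholder.

```python
"""
Flag AWS root-account activity in CloudTrail-style records.

Added example, not from the thread or from AWS. The sample events are
constructed; only the field names follow CloudTrail's JSON layout.
"""

SAMPLE_EVENTS = [
    {   # root console login with MFA: permitted, but rare enough to always ticket
        "eventID": "evt-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root console login without MFA: the account is one leaked password from takeover
        "eventID": "evt-2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root doing day-to-day IAM work: this should have been an IAM user or role
        "eventID": "evt-3", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
    },
    {   # failed root login: not proof of anything, but worth counting
        "eventID": "evt-4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # an IAM user with MFA: the intended steady state, no finding
        "eventID": "evt-5", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]


def classify(event):
    """Return (severity, reason) for one event, or None if it is unremarkable."""
    if event.get("userIdentity", {}).get("type") != "Root":
        return None  # IAM users and assumed roles are what we want to see
    name = event.get("eventName")
    if name == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            return ("medium", "failed root console login")
        if mfa != "Yes":
            return ("critical", "root console login without MFA")
        return ("high", "root console login (MFA used)")
    # Any API call made as root is work that belongs to an IAM principal.
    return ("high", f"root used for {name}; should be an IAM principal")


def flag_root_activity(events):
    """Return [(eventID, severity, reason)] for every event that warrants attention."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append((ev["eventID"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in flag_root_activity(SAMPLE_EVENTS):
        print(*finding)
```

Wired to a CloudTrail delivery (S3 or CloudWatch Logs), a non-empty result from `flag_root_activity` is the signal; in an account run the way the comment describes it should almost never fire, which is exactly what makes it a useful alarm.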


The moral of the story is that your AWS account and your personal amazon buying account should be separate.

As well, if you use Kindle Direct Publishing, are an Amazon Seller, work for Amazon Flex, or use the Amazon Affiliates program, each of these should also be on an independent Amazon account.

This way, problems on one won't affect problems on the other.

I am not convinced such a separation would be effective. Accounts identified as being associated with a "problem" account (shared CC, addresses, etc) could also justifiably be closed. The idea being to keep "abusive" individuals from just opening a new account and resuming their abusive behavior.

The only long term solution is to get a person with enough power to make their own decisions to look at your claims, but that takes quite some time and is not guaranteed to be successful.

I agree. Isolate your shit. I know it's more work, but still do it.

Stories like this are frustrating and a symptom of the impact very large companies can have on multiple facets of our lives.

One possible approach is to keep accounts separate for personal and each business that you are involved with. For example, you probably have at least a separate personal checking account and business checking account. Likewise, it would make sense to have all accounts used for a given business to only be used for that business.

In addition to providing some safety against automated action, division of accounts provides a nice legal line, wherein if a court order requires you to disclose information, you can simply dump everything on the account without touching any of the other businesses or personal documents.

Stymieing this, of course, is companies (Facebook?) that have a policy of prohibiting a single real person from having distinct accounts.

Send an email to jeff@amazon.com

Jeff Bezos himself said if you are having problems you should mail him directly. Behind this address there is a full team investigating the issue, and if it's something they want to handle it will actually lead to improvements for all customers.

I think if Jeff actually cared he would have put some personnel in place to back up "Your feedback is helping us build Earth's Most Customer-Centric Company".

It's odd though, in my experience customer support on Amazon is amazingly good.

Mine hasn't been. I've had all sorts of petty issues with their customer support. Basically any time something falls outside of the norm or if anything is genuinely wrong with site functionality, their remedial processes are poor.

I spent a month and a half locked out of my AWS account due to 2FA issues and being caught in a Mobius strip with AWS support.

IMHO 2 problems with how AWS handles customer support (vs. other co's):

1. Different support rep every time = following the same script with every phone call. I'm sure assigning first available rep speeds up response times but for you, if the problem can't be resolved in 1 phone call it's like talking to someone with Alzheimer's, you're constantly re-answering the same 15 questions to a new person every time.

2. Customers are not allowed to directly interface with level 2+ support, only the nontechnical level 1 support can do that. Good luck getting them to communicate your technical issue correctly.

For example, every single support rep asked me if I had 2FA disabled for my Amazon retail account (I did). After re-answering this question with every single rep, they'd file tickets with the next level of support...only to be rejected later because level 2+ said it was most likely because I had 2FA on for my Amazon retail account (I did not). It was nearly impossible to bridge this disconnect.

Customer support is not easy to do well so I hesitate to widely impugn Amazon's efforts, but if you're an AWS customer and you have an issue that's an edge case outside of the scripts these support reps are using prepare to waste weeks or months of your life trying to resolve it.

Whilst this is more about AWS accounts, the ability of Amazon (and other cloud providers) to lock you out of an account with very limited recourse does present some other problems.

I've got quite a few ebooks I've bought via Amazon Kindle. If amazon one day decided to delete/lock my account, I would lose access to all that content which I had "bought".

The more data people store in various cloud providers systems, the more the need for some kind of recovery mechanism / dispute resolution process becomes apparent.

Whilst it's relatively easy, in many cases, for more technical users to ensure they have backups of data that they control, less technical users could have a lot of their information tied up in these systems, and loss of it could be quite bad for them.

You don't really buy eBooks. You can't resell them after all. You're just renting them.

I'd look up some of the free tools out there and backup/un-DRM your Amazon/Nook/Google e-books. There are some guides out there for extracting your books notes as well.

Thus my quotes around "bought". Again, whilst technical people likely know the consequences of buying DRM-protected content, I think that a non-technical person who suddenly found their paid-for content removed from them due to an automated process locking/deleting their account would be quite upset.

People are, for better or worse, entrusting more and more of their content to cloud services, things like photographs, documents they've created, music etc etc.

> You're just renting them.

It's not renting really. If I rent a physical book (or house, etc), I have exclusive access to it. Nobody else can possess it. It's for this privilege that I'm paying. Obviously, this is not true of ebooks because 'X' persons can "rent" at the same time.

You're just licensing them. You're just paying for a license which can be revoked at Amazon's whim.

I have yet to receive a human response from Coinbase after contacting them 59 days ago... time to nag them again.

Write to Fred Wilson fred@usv.com (investor in coinbase)

Guaranteed that you will see the escalation that you need. You may want to provide links to others complaints about the same that you can find but make it short and simple.

"Who are you?" is the most expensive question in technology. No matter how you get it wrong, you're fucked.

Letting the wrong person in to an account? You're fucked.

Locking the right person out of an account? You're fucked.

Given that data can't be reversed as charges can, arresting an account may be slightly preferable, but it remains highly disrupting.

I've been through the experience a few times myself, largely with Google. Out of a fit of pique, the temporary account I created for myself (and through which I negotiated for recovery) was "The Real Slim Shady". Several of my G+ contacts noted that they could be pretty certain that this was in fact me, though I'm a little frightened whichever way that works out.

(I did have other profiles through which I could announce my plight.)

I still think that the matter of identification, or rather, the more primary matters of authentication, authorisation, integrity, validation, payment authorisation, ownership, receipts rights, and similar associations, need to be worked out.

I'm also strongly in favour of a system in which a physical token -- and I think a signet ring with a very-near-field chip and accompanying sensors on mobile, laptop, and desktop devices would be just about perfect -- should be part of that system.

Not an insertable device (as with Yubikey), or something requiring keying in a value (as with RSA fobs). But something which is worn (so: on you at all times), replaceable, destroyable, discardable, but also exceedingly difficult to duplicate or appropriate, or to read without intention on the part of the owner.


We had exactly the same issue. We solved it by creating a new AWS account and using that to call support.

Once through, being persistent eventually (it took a week or so) saw us regain access to the account.

He did just that though.

Might sound obvious in hindsight, but _always_ create separate AWS accounts for your different projects.

Doesn't this require separate gmail addresses? If so, then that's an extremely bad idea. I already had one gmail account completely banned with no notice. I wasn't doing anything abusive -- I used it for some npm projects and a github account.

Actually, is there a reasonable free gmail alternative for situations like this? I'd like to migrate. FastMail is worth paying for, but it's too expensive for one-off side projects. And while I don't trust gmail, I think I trust most services even less.

EDIT: My point was, if you use a single account, it's far less likely to get banned. I think my account was caught in some sort of automated purge, since I certainly wasn't abusing anything. Some proof: http://i.imgur.com/H5RRkyP.png I'm not sure which policy violation they're referring to, but all appeals failed. I lost all emails in that account, which thankfully wasn't very serious because the account was still young.

eropple and drbawb pointed out that you can use plus addresses with AWS, e.g. foo+aws1@gmail.com.

One trick I like is that you can use `account+<tag>@example.com` and a lot of services will consider it a separate e-mail address, even though MTAs will transfer it to the same account; this has the added benefit of being easy to filter for on your e-mail client. I also use this tactic when signing up for web services that I anticipate will spam me. (I import a lot of merch from China/Japan; their unsubscribe systems tend to be insanely broken / borderline user hostile. Each such account gets a unique tag so that I know which service is spamming me.)

Alternatively if you want ultimate trust just run your own mailserver and set up as many aliases as you want! For $5/mo you can get a Linode box to do it, and I've yet to get an IP from them that is on an e-mail blacklist. They have great documentation[1], the most important thing is to just make sure your SMTP server requires authentication & refuses to relay for remote hosts. SPF/DKIM are necessary to get past modern spam filters, but frankly if you've ever setup a TLS cert you can probably manage to setup DKIM just fine.

[1]: https://www.linode.com/docs/email/postfix/

I used this trick for years. However, there are downsides.

For example, sometimes a service will let you sign up with this just fine, but later when you need to do something else (such as password reset) or a phone agent has to enter it... it chokes.

Not to mention after some time passes you may forget what the special bit was and have to fall back to searching your email. Being regimented about the naming system helps, but it's not foolproof.

I'm using this trick less and less nowadays and just entering my plain email to avoid these hassles... especially for things like real life accounts. For possibly shady characters and account email consolidation, still a great trick!

This is why I have my own domain. I have a catch-all email box that just accepts everything, so I can make up emails on the spot, e.g. service@example.com. It makes things a lot easier down the road if I have a problem with my current provider, as I can change the MX records at will. This means, though, that my DNS service must be under another domain for safety, but that's less of an issue.

Do you have anything written about the components & configuration, by any chance?

That is actually pretty easy.

1. register domain at a registrar that supports email catch all (I use namecheap, not affiliated)

2. setup email catch all (https://imgur.com/a/PTlzv) with redirect to your "real" email

3. write email to foobar@example.org -> gets redirected to your "real" email

This has the big advantage that you can change your real email account (I switched away from GMail two years ago) quite easily, you can track who leaks your address and filter more easily. But be prepared to leave some people stunned, I registered at my electricity provider with electricity@example.org or at my hairdresser with hairdo@example.org

Thanks! (Belated)

In my case I'm using an old grandfathered free google apps setup. So I don't have anything to really setup/configure myself. I know it's possible to do it with postfix and other mailing agents.


Yes, this is the reason I know that the + character is %2b in a url. I've had to manually type it on so many crappy unsubscribe links (they don't realize + needs to be escaped because the web server they are using is doing the old-school + => space translation).

The nice thing about running my own email server is I configured it to use . and _ as well as +. me.xxxx@example.com and me_xxxx@example.com are pretty much guaranteed to work, and it ends up exactly the same as the +.
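Several comments above lean on the same trick: tagged addresses (`account+tag@example.com`, or a whole catch-all domain where `electricity@example.org` is the tag) let you track who leaked your address, and the `+` then bites you in unsubscribe links because a bare `+` in a query string decodes as a space. As an added example, not code posted by anyone in the thread, here is a small Python module that splits tagged addresses (plus-tags by default, the `.` and `_` separators the comment above configured as an opt-in, and catch-all domains), attributes a message to the service a tag was handed to, and shows the `%2B` encoding problem on both the sending and the receiving side. The tag registry, addresses and query strings are all constructed for the example.

```python
"""
Tagged ("plus") addresses: split them, attribute leaks, survive URL encoding.

Added example, not from any comment in the thread. Addresses, the tag
registry and the query strings are constructed. Separators other than "+"
only work if *your* mail server is configured to treat them that way (the
comment above did this for "." and "_"), so they are opt-in here.
"""
from urllib.parse import parse_qs, quote

# Constructed: which service each tag was handed to, so a message to a tag names the leaker.
TAG_REGISTRY = {
    "aws1": "AWS account 1",
    "aws2": "AWS account 2",
    "shop42": "some web shop",
}


def split_tag(addr, separators="+", catchall_domains=()):
    """Return (base_address, tag); tag is None when the address carries none.

    For a catch-all domain the whole local part is the tag and the base is
    "@domain"; otherwise the local part is cut at the first separator character.
    """
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    domain = domain.lower()  # domains are case-insensitive; local parts are left alone
    if domain in catchall_domains:
        return f"@{domain}", local
    for i, ch in enumerate(local):
        if ch in separators:
            return f"{local[:i]}@{domain}", local[i + 1:] or None
    return f"{local}@{domain}", None


def attribute_leak(to_addr, registry=TAG_REGISTRY, **split_kwargs):
    """Name the service a tagged address was given to, or None if untagged/unknown."""
    _, tag = split_tag(to_addr, **split_kwargs)
    return registry.get(tag) if tag else None


def encode_for_query(addr):
    """Percent-encode an address for a URL query string.

    '+' must become %2B (and '@' may stay); a bare '+' is decoded as a space
    by every server that does the old form-encoding translation.
    """
    return quote(addr, safe="@")


def decode_from_query(query_string, key="email"):
    """What a typical server sees: parse_qs turns a bare '+' into ' '."""
    return parse_qs(query_string).get(key, [None])[0]


if __name__ == "__main__":
    leaked_to = "account+shop42@gmail.com"
    print(leaked_to, "was given to:", attribute_leak(leaked_to))
    print("broken link decodes to:", decode_from_query("email=" + leaked_to))
    print("fixed link decodes to: ", decode_from_query("email=" + encode_for_query(leaked_to)))
```

The last two lines of the `__main__` block reproduce the unsubscribe-link failure described above: the site builds the link by concatenating the raw address, the server decodes `+` as a space and looks up a mailbox that does not exist; routing the address through `encode_for_query` first is the fix on the sending side, and typing `%2b` by hand is the same fix applied after the fact.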

> Not to mention after some time passes you may forget what the special bit was and have to fall back to searching your email

A password manager solves this problem

I knew someone would say this. lol If you're away from your computer and haven't installed the password manager to your phone (I'm not nearly alone in this), then you may need to fall back to searching your emails. Better?

Anyway, this doesn't solve the other technical problems you may hit at some point using this trick.

I'm just giving people a heads up. It's a useful tool for certain things, but it can be overused.

I would recommend not using Linode and realize your e-mail will be terribly unreliable if you run your own e-mail server (even if you setup DKIM, SPF and DMARC. Google/Microsoft don't give a shit about any of that). I wrote a post about this a while back:


I've considered moving to Vultr since they block SMTP/25 by default and individual customers have to get it enabled (which seems like it should reduce false positive spam classification as more e-mail providers).

I was just about to comment with this suggestion. A friend of mine uses it for gmail and its great for filtering as you suggested.

Sometimes I feel like I'm last person on the planet who has their own domain and hosts their own email.

I don't host my own email (I've had terrible experiences trying to send), I do have my own domain and let someone else host my email (In this case Google :( but since it's my domain I can change it and it doesn't matter to anyone).

Aside: It always frustrates me when I see a business with their own domain and then an @gmail.com or @aol.com address. What registrars don't offer basic email forwarding (often for free?) or a cheap (~$10) email service you can buy from them if you can't figure out Google for your domain?

I feel like there is a small, but profitable space here, I just can't figure out what to do to harness it.

Zoho is pretty much free for personal uses. They charge per user per month, but under 25 users is free, and if you're not a business you don't have that many users.

I have numerous personal projects that are web sites/web apps and I use Zoho to get emails at all those domains.

I don't know if this is frowned upon by Zoho, but if you don't want to use their UI, you can set up your regular personal Gmail account to act as a POP3 client and just retrieves emails from Zoho that way. (now that I wrote it out, it makes me think it can't be frowned upon, simply because POP3 is even offered as a feature there)

I'm still doing this one too - took maybe an hour to configure a simple dovecot+postfix+spamassassin setup and I don't have to touch it beyond an upgrade once every 6 months or so.

Having catchalls at bullshit domains is great.

You aren't the only one. I host mine on linode and have no problems sending now that I have DKIM and SPF set up.

I feel like my company is the last to not use Google and Salesforce... There are a million reasons why Google could lock you out of an account... If I lose my personal email, I will survive. I can't in good faith accept that type of liability for my business communications though.

You're certainly not the only person, I do the same. These stories that keep popping up, about people losing access to their SSO accounts and emails convinced me that it's worth the effort.

You are.

I was like 10th from the last. :)

> My point was, if you use a single account, it's far less likely to get banned

Why do you think that? If anything, you have more activity you can be banned for...

And also, why do you say it like Gmail is the only email provider? You need separate _email_ accounts, not Gmail ones. It can be some other service or your own domain. Google can be the service provider behind your own domain, but you will control the address space etc. Nobody will ban you out of your own email address (except the domain registrar, but that's unlikely).

It seems like Google uses some heuristics when deciding whether to ban an account. My theory is that if you stick with your personal gmail account, you have such a long history of activity that it's unlikely to be flagged by whatever "smart" algorithm they're using.

I was quite surprised that my gmail account was banned without doing anything remotely malicious. (Certainly not anything listed in https://www.google.com/intl/en-US/%2B/policy/content.html) I suppose it's my word against Google's, which isn't a happy position to be in, but to the best of my knowledge that's what happened.

Regarding other services, I was hoping to get some recommendations about which one everyone likes using. Gmail and FastMail seem to be the two HN favorites, but FastMail gets expensive quickly for side projects. You can host your own email, but people have shared some unpleasant experiences with that route. It's true that you can still use gmail without losing your address, but you'll still lose your emails if they decide to suspend you.

> It seems like Google uses some heuristics when deciding whether to ban an account. My theory is that if you stick with your personal gmail account, you have such a long history of activity that it's unlikely to be flagged by whatever "smart" algorithm they're using.

I never saw/heard of evidence of such behavior.

> but you'll still lose your emails if they decide to suspend you

Emails are easy to back up: you can download them locally and/or forward everything to a "backup" email. One more service to host email on your own domain is Yandex.Mail; it's free and pretty good.

Do keep in mind that Yandex falls under Russian federal law. There was an incident already with FSB getting data about backers of Navalny's anti-corruption website from Yandex Money and if you are vocal on LGBT laws you can easily run afoul of federal children protection law (to protect children from abuse, shocking materials, LGBT, anti-family values, etc.) like the founder of Deti-404 (LGBT support group that even the author of children protection law defended, ironically enough) did.

I'm personally considering Hushmail (Canadian) or some other paid email in the future, for maximum peace of mind; any double-digit number seems reasonable enough annually. Some out-of-the-way liberal first-world country, no superpower (and superspy) aspirations, a small paid provider (that actually needs customers and word of mouth and isn't throwing its weight around; Google is notorious for deleting YT channels willy-nilly for 'guidelines violation' and then restoring them after a shit storm) to ensure no 'smart' 'ML' algorithm bans you. Sounds just about right.

You can use plus addresses for multiple AWS accounts. They're fine with that.

Cool, thanks!

No problem. Fair warning--you'll want to be pretty proactive about going in and killing all their marketing emails, because each and every account gets all of them.

I use fastmail to host my own domain. I alias all users to myself. Any email I get to aliases that don't end in e.g. ".s" automatically goes to a filtered folder. So blah.s@example.com goes to my inbox, blah@example.com gets filtered. $5/month is cheap. I only use one domain, but presumably you could even host multiple domains using a similar setup.

AWS requires a different email address per account yes. I don't see how it's bad? In your case, if you lost access to one gmail account with a dozen AWS accounts attached to it, that would affect all your AWS accounts? Better to have them fully separated so they can't affect each other.

> Doesn't this require separate gmail addresses?

It probably should, but I somehow ended up with two Amazon accounts (retail, not AWS) with the same email address. Changing the password I use changes which account I log in to.

Presumably it's a bug, but it's certainly confusing.

I recently managed to do that as well. This becomes very interesting if you try to recover a password, because apparently the password recovery only recovers the last account.

Eventually I got out of that by changing the mail of whatever account I could log into, using Gmail's feature of ignoring everything between the first + and the @ in the address. But most annoyingly, now my AWS login is something silly like me+awsConsole42@gmai1.com.

Maybe I could change that back, but I'm too scared to touch that.

> FastMail is worth paying for, but it's too expensive for one-off side projects.

FastMail will let you create multiple aliases, either at your own domain, or one of theirs, linked to your account.

Find a webhost or DNS registrar that will do autoforwarding. I have a personal domain with a bunch of emails for specific things.

AWS accounts require separate email addresses, which may OR MAY NOT happen to be provided by Gmail.

I have had a half-dozen gmail accounts over the past 10 years and all are active with no problem.

Use aliases. It's possible even in Gmail. Or host your own mail and use aliases.

Multiple gmail addresses is not a bad idea, but a highly supported and recommended setup.

Mine was banned with no notice after weeks of work. So I'm just putting this out there as a warning that gmail can crush you at any time with no recourse.

Of course they can - but that is yet another reason to rather rely on multiple gmail accounts if the alternative is a single gmail account.

If you use a single gmail account, it seems far less likely to get banned. I think I was caught in some sort of automatic purge, since I certainly wasn't abusing anything or using it for much beyond my side projects.

This email hostage situation kind of sucks. Hopefully there's an alternative for scenarios like this.

Someone mentioned self-hosting upthread. I wonder how difficult that is.

I have numerous Gmail accounts (more than 20) and not a single one has been banned. And Google explicitly supports using multiple accounts by providing an account switcher. Perhaps your account was banned for some reason other than being a duplicate.

Maybe so, but they won't tell me why it was banned. That alone should give people pause. There were a lot of resources tied to that account.

Here's the closest thing to a list of reasons I could find: https://www.google.com/intl/en-US/%2B/policy/content.html

I didn't engage in illegal activities, malicious or deceptive practices, hate speech, harassment, distributing personal information, child exploitation, spam, ranking manipulation, distribution of sexually explicit material, violence, selling regulated goods and services, impersonation, account hijacking, or use multiple accounts to bypass the above policies. So I have no idea what I did -- Google won't say, and all attempts to get more info out of them failed.

IMO this is more of a workaround for a defect which is "Customer service for these cloud feudals is an oxymoron".

So what if I use the same account, if there is a lock-out event I should be notified and there should be an actual customer service agent that can solve my problem taking care of the issue...

I've had the same issue with buying and selling accounts - my buying account got locked out, which prevented me from logging in to my selling account, with 50 pending orders at the time. Luckily I emailed jeff@amazon.com and got my main account unlocked within 2 days and my buying eventually got back a week or two later.

Seems like they still haven't fixed the underlying issue of bots locking accounts across services.

I'm one account flag change or one password reset from being in this exact situation, and it's terrifying. I have been an Audible customer since before Amazon bought them. Somewhere in their account aggregation process, I've ended up with at least four distinct logins for amazon that all use the same email address.

One email address... And I use one password for Audible, one for Amazon, one for AWS, and one for Amazon Affiliate. If I password reset on any one of those services, my accounts are all bricks. I've made that mistake once and had to frantically call Audible support & climb through the support chains until someone could basically undo my password change.

During the process, they offered to try and deduplicate my accounts, but I think we're going to need a team of senior-level DBAs to sort this shit out.

My recommendation would be to email jbarr[at]amazon.com directly.

He will probably naturally see this thread over the course of the day though if it gets popular anyway....

Exact same issue. Have tried to resolve it for six months now. I've cancelled the credit card and they can f* themselves.

I love AWS - but why, oh why, is a retail account linked to it? These need to be entirely separate.

This. This is the worst design flaw I am aware of in AWS. It makes no sense that Amazon's two totally different businesses, use the same account.

Email jeff@amazon.com. This same thing happened to me a few months ago. I tried everything and was banging my head against the wall. After emailing jeff@amazon.com the issue was resolved in less than 24 hours.

Expected from the earth's most customer-centric company. Here in India, my first order at Amazon was a fraud done by Amazon with its JV firm CloudTail. tl;dr: Amazon Fulfilled product sold at a fake discount and the MRP mentioned on the site was higher than the printed MRP.


They tell him to create a new account because they think the old one was compromised? I would be furious. I have bought a number of books on Kindle. If this happened to me, I would essentially lose all of the books I purchased. I'm not sure I would ever use Amazon again.

I'm actually glad it's this way. It's difficult to take over an account.

If you can't keep your passwords in check and use 2FA you ought to lose the account & make a new one. Some kind of consistency, e.g 2FA or password is needed to keep it secure.

>This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.

Wouldn't Amazon have locked your AWS account for unauthorized login as well? I don't see how the retail activity matters here.

Since we're on this topic: Is a Google Apps account considered "separate"? E.g., I have jim_gordon@gmail.com and jim@gordon.com.

So I'm thinking of centralizing all non-business to gmail.com and the rest to gordon.com.

Before bitcoin caught on with the general public, I became interested in what it is to mine. To try it, I set up mining software on Heroku. I knew even then that it is not a very nice thing to do, but it was free for me. I wasn't looking for money or anything. In a day, my account was banned permanently, without prompting me about anything. While it deserved to be banned, maxing out the CPU might even be caused by a simple mistake in a legitimate way. I have a big suspicion that they can read the application code if there is a problem like this.

This happened to me as well. Email jeff@amazon.com. No joke, within 24 hours I was good to go. It worked for me a few months ago.

Any references to how one should go about separating an Amazon retail account and an AWS account, if they are presently the same?

The best option I know is rebuilding your services in a new AWS account. That will let you keep using the same Amazon retail account as before, and transfer your assets in AWS to an account tied to your production organization.

CloudFormer[0] might be able to automate some of the process - it analyzes your existing VPC and generates a CloudFormation[1] template. You could then take this template and deploy the stack in your new account, and you'd only have to rebuild the remaining few items.

Then you could redeploy all your applications, test, and migrate production services to your freshly-tested instance. Finally, you must be aggressive in shutting down the old services. It would be agonizing to have your entire site down because one server remains in the old account, and the account had some issue. Feel free to contact me for more specific advice.

[0] https://www.linkedin.com/pulse/how-why-use-aws-cloudformer-a...

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGui...

I believe it's as simple as changing the email address for your AWS account, which can be done within the account settings. You can confirm that this does the trick by updating the password and ensuring it doesn't change your retail password.

I was locked out and charged from October till May. Finally got a full refund. It's a nice savings plan lol

This is such an unfathomable problem to me. When I need someone at my DC, I just call them and they pick up the phone.

You can pay Amazon for that level of support.

The level of support where they won't ignore my emails after locking me out of my account and compromising my production servers for a week without my consent.

Always use MFA.

This story reminds me of a friend of mine who has a second Amazon account just for his Kindle. He does that because he read a story where someone lost access to their Kindle books after Amazon closed their account.

Guess this idea applies to AWS as well.

Time to contact your solicitor chap.


That's a valuable perspective. How do you propose they prevent social engineering of their staff while meeting this goal?

Please delete your comment.

I am incredibly happy that Digital Ocean made you go to those lengths to get your account back. The last thing we need is web services companies requiring less security. Social engineering attacks are typically the method of entry to hosting providers such as Digital Ocean.

Frankly I would be totally fine if they required another form of ID (such as a passport) or another form of address/name verification (such as a utility bill). Or perhaps even a picture of the card on file.

What is NOT okay is a lack of response, which this article is describing.

Didn't you have backup codes or a backup phone number? Bearing in mind I have no idea how 2FA for DO works, but all services where I'm using 2FA have these options, although I've yet to fall into a similar situation I imagine that it should turn out fine thanks to these options.

I had two experiences getting locked out of accounts.

First was an old pre-Atlassian BitBucket one that just broke due to shenanigans with Atlassian accounts integration or SOMETHING. But big props to them. I complained and got it fixed super quick. Just how it should be. Solid 4 out of 5 (5 is for guys who managed to not lock my account due to weird mergers; I'm even OK with the weird "don't use FRex, from now on login with your email: smtsmt@gmail.com" I get on attempting 'FRex' + password).

Second is Twitter. FUCK THEM so hard. Excuse my French but I have no other words for how idiotic this situation is, it'd make a saint mad.

I make a Twitter account using my secondary/side gmail account that has been phone verified and 2FA using Google Auth for Android, verify my Twitter account by clicking the link in the email they sent there, connect it to my YouTube account that has been phone verified, send out the welcoming tweet they propose (something like "Hello Twitter!", I think it was just a button press or a combo box to pick from but I might be wrong now) and I get banned for (exact wording may vary) 'suspicious/possibly automated activity' (mhmm... these huge botnets of phone verified 2FA gmail and YT accounts operating out of EU IPs... good job catching me Twitter).

I could of course act like a good peon and provide them a phone number and be graciously allowed by the Twitter Heavenly Emperors to use my 10 minutes old account. I write to their support via some super idiotically hidden panel of theirs on Twitter while still in my 'locked' account and... I get an automated (!) email to my gmail (!!) telling me in steps how to just fuck off and enter my phone number (!!!) and to ask for help if I don't have it unlocked after providing a phone number and waiting a few minutes ('fucktastic' was the word of the day that day, seriously, that made my day). I wrote another one, telling them to shove it (in kinder words and with zero profanity but firmly making it clear I'd not provide my number on an account I did literally nothing on and want to use for YouTube connectivity to a verified channel and created on a 2FA and phone verified gmail account I verified by clicking the link in the email) and got another bot email and no reply since then (about a month ago). Total human replies: 0. Bot replies: 3+ (see below). And I'm the one running an automated operation in here.

And the cherry on top: I still get trending political BS tweets (because that's what's trending where I live every week) sent to my social tab in gmail and can't disable it since my account is locked and throws me to a 'provide a number' screen that only has 'help' (blabbering about how I must be the one in the wrong here but if I provide a phone number..) and 'log out' available. Good fucking riddance. I truly dodged a bullet by using my alternate gmail!

And all this on a service that has users that are outright bots, Nazis, terrorists (ISIS itself), hacktivists (you can argue some of it is a positive force for change or securing up but it's still highly illegal and often done just for lulz) and the like.

Of course I'm not going to give in to this BS. I can sort of understand Google/YouTube with their stuff and it actually helped me once by requiring SMS verification when my kinda weak old password got cracked/guessed, but what Twitter did is downright dumb extortion ("gib phon number! gib, gib, don't write support requests! 1st gib!") or them being idiots (what did I do that's suspicious exactly.. make a Twitter account in 2017?) and grossly neglecting their users (0 human replies, ever). Twitter fortunately would just be a nice-to-have for my side hobby of YTing and I have the privilege of saying "fuck no" to them for this and shitting on them on every occasion, but if this was my main gmail it'd do me in for weeks before I recovered all of my stuff.

There are horror stories on YT too, see Millbee (let's plays) or I Hate Everything a.k.a. IHE(critique/shitposting), banned overnight (Millbee for a nip snip in an anime game despite all the nudity, GONE SEXUAL and borderline CP on YT going unpunished and IHE for 'community guidelines' for a video of smashing a film DVD that was later hand judged as not in violation), both returned after a social shitstorm but with no apology, explanation, nothing. I bet if I was a high up in some company and had a company account tweet what BS I went through it'd all suddenly be fixed in a jiffy with no need for my phone number. But what are internet and real life rank and file tech nobodies supposed to do..?

Protip for everyone on this site.

Look at a company's stock price. If it's in the triple digits, avoid it, because they can and will screw you over.

Lol so Microsoft, Comcast and Sony are safe?

Hypothetical: I have filed incorporation with a single share and deposited a Benjamin into the capital account, exactly what powers have I conjured for myself here?

Should your rule be written to use market cap?
