HACKER Q&A
📣 OJFord

Just received spam to an address only used at Amazon?


Like many of us I have an email address for Amazon (.co.uk) which I don't use anywhere else.

A few minutes ago, I received a pretty nonsense spam mail to that address.

I contacted Amazon support who said 'we're investigating' in a way that made me think I might not be alone.. and advised I forward it on to stop-spoofing@amazon.com.

Just curious if anyone else has recently had similar?

(To head it off: no it shouldn't be third-party sellers - they don't get your email, any disputes etc. are through a unique-id@marketplace.amazon.co.uk address in my experience.)


  👤 tangoalpha Accepted Answer ✓
Not sure if it's the case elsewhere as well, but at least in India, email addresses on Amazon orders are accessible to sellers if you made a purchase from a seller. I have had sellers reach out to me right after buying something from Amazon, offering an incentive for a review.

Further, customer support agents can pull up your details as well. At least when there is an active ticket. I was reached out to by one of the support executives, confronting me from his personal mobile number after I left poor feedback for a chat interaction.

Amazon has little or no respect for data privacy especially in regions where there are no strict regulations that can cause them monetary loss through fines.

Since you mention it's in UK, I am surprised this is the case.


👤 squeaky-clean
> To head it off: no it shouldn't be third-party sellers - they don't get your email, any disputes etc. are through a unique-id@marketplace.amazon.co.uk address in my experience.

I have received 2 emails from an Amazon seller's personal email to my personal email asking me to remove a review about a cartridge of printer ink. The review was written by my father but using my account.

They did also email me 3 times through Amazon's email forwarding. But the 4th and 5th time was directly to my personal email which the Amazon account is registered under. They offered me a full refund and a $20 gift card.

He signed his review with his first name, and in the email they address him by that name. Yet my personal email is MY name plus some numbers.

I never responded to their messages or anything that would give them access to my real email. The only acknowledgement of their emails I gave them was changing it to 1-star and adding in that they are offering to pay people for 5 star reviews.

P.S. don't buy any printer ink from JARBO. Aside from the email spam, the cartridges run dry after a couple dozen pages.

Here is the first direct email

> Dear Customer, This is Lexi from Jarbo. I apologize for my delay contact. In order to match your order ID, I have searched it within thousands of orders.

> We received your review that the toner cartridges are not working properly and have caused you so much trouble. I understand your feelings, and hope that you can give me a chance to rectify this.

> Therefore, we'd love to compensate $20 to make up your loss. Will that be okay?

> Because I am only an after-sales service staff, in order to better apply for a refund to the finance department, Could you remove the review first? I will get the refund back to you within 72 hours.

> Here is the link to your review for your convenience:

> [ link to review they want removed ]

edit: I'm in the USA, amazon.com domain


👤 Lealen
In my experience (Europe) delivery companies get access to my unique email address that I also only use to buy things on Amazon. They use this email address to send me information about deliveries directly to my inbox.

👤 doe88
Not similar, but related, once I made the mistake of paying with "pay with amazon" on a website, I foolishly thought that amazon would hide most of my details, instead of it they immediately shared my email with this website, without even asking me to confirm it, since I use a proper email with my amazon account, I was mad.

👤 ev1
If it's obviously-named, it might be brute forced. I have an alias (amazon@ and aws@) on my domain that I never used to sign up for Amazon and was never used at all, but it receives spam on a daily basis (and AWS phishing emails - it was never once used at either service).

👤 Radeo
It must have been brute forced. I used to create aliases on gmail for different services - eg. john+twitter@gmail.com and it happens that alias is targeted by non-twitter mails.

In general in last year or two (wfh? hehe) I realised that I receive more and more spam for email addresses I don't share at all.

I've also created a small email-forwarding service [1] that I and few friends use for public sharing like conferences or sketchy services (of course I don't mean Amazon here ;) )

[1] https://non-public.email


👤 Daviey
I've also had this recently, I had an address which was `amazon.co.uk@mydomain` and I've recently started getting spam to this address where I wasn't before.

👤 randunel
What does your email server reply with to `RCPT TO:`? Always 250 OK, or does it leak existing inboxes to brute force scrapers?
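
For the `RCPT TO:` question above, when a server does reject unknown recipients, the guessing shows up in its own logs. This is an added example, not part of the thread: it assumes Postfix-style smtpd log lines, and the host, domain, addresses and IPs in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Postfix smtpd rejection for a recipient that does not exist locally.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def harvest_suspects(log_text, threshold=3):
    """Map client IP -> sorted distinct nonexistent recipients it tried.

    A client is reported only after `threshold` different unknown
    addresses, so one mistyped address from a real sender is ignored.
    """
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            probed[m["ip"]].add(m["rcpt"].lower())
    return {ip: sorted(r) for ip, r in probed.items() if len(r) >= threshold}

# Constructed sample log (placeholder host, domain and documentation IPs).
_LINE = (
    "Oct  1 10:00:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
    "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
    "User unknown in local recipient table; from=<x@sender.invalid> "
    "to=<{rcpt}> proto=ESMTP helo=<probe>"
)
_ROWS = [("203.0.113.7", n + "@example.org")
         for n in ("amazon", "aws", "paypal", "ebay", "amazon")]
_ROWS.append(("198.51.100.9", "johm@example.org"))  # a lone typo
SAMPLE_LOG = "\n".join(_LINE.format(ip=i, rcpt=r) for i, r in _ROWS) + (
    "\nOct  1 10:00:09 mx postfix/smtpd[811]: connect from "
    "mail.example.net[198.51.100.20]"
)

if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients tried: {rcpts}")
```

A server that answers 250 to every recipient (a catch-all) logs no such rejections, so on that setup the guessed aliases simply arrive as mail.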

👤 gnopgnip
If you used this email to register for a third party warranty, a rebate, or clicked on a link sent by a third party, an Amazon merchant can get your email that way.

👤 dangus
Email addresses can be brute forced as others have mentioned, so it's not a guarantee that Amazon leaked your email.

I also think that the kind of hoops tech-savvy folks go through to protect their main email account from spam are more time and effort than dealing with spam in the first place.

I'm personally not going to register for things with a thousand different + addresses just to try and find out what company leaked my email. Even if I manage that with a password manager it just seems like an extra chore.

Spammer's got me email address? I don't really care. The spam is going to the spam box.

Am I opening myself up to a larger attack vector? I guess so, maybe. There are more important things in life than locking down my online life like it's fort knox.

Like, think about it, OP. You got a piece of spam mail and you contacted Amazon, and then made a post on HN about it. Is this really worth your time and headspace? I get hundreds of pieces of spam email a month and I don't notice or care.

I don't really think email addresses were designed to be private pieces of information in the first place. Enabling two-factor authentication is the effective protection against account seizure.


👤 dataflow
> no it shouldn't be third-party sellers

It definitely is. In 2021 a seller directly emailed me and a bunch of other customers all listed in the "To" field of the email (!) after I returned & got a refund for their product. It definitely caught me off-guard, but it clearly shows me that they get access to your email in some cases.


👤 jpswade
This has been going on for years, Wired covered it a while back…

https://www.wired.com/story/amazon-failed-to-protect-your-da...


👤 ggregoire
> Like many of us I have an email address for Amazon (.co.uk) which I don't use anywhere else.

Out of the loop, what's the purpose of having a separate email address for Amazon?


👤 neogodless
Similar post about Comcast yesterday:

https://news.ycombinator.com/item?id=33020571


👤 ars
I searched years' worth of Amazon messages, and DHL, and a local freight shipper have my real Amazon address.

Have you ever ordered anything heavy, or international?


👤 m463
This happened to me once about 3 (?) years ago.

I do not send emails directly to vendors. Email from them comes through the amazon intermediary system. I would reply to necessary vendor communications using the web interface.

The spam email I got was for a seller asking for me to review some product.

I contacted amazon but got no satisfaction. I had to change the email address I used for (only) amazon.

I figure someone inside amazon was bought out.


👤 raggi
Are you sure that email is always delivered over TLS?

If it is not, then are you sure that you trust every ISP between Amazon and your mail server?
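
One way to check the TLS question above on mail you have already received is to read the `Received:` trace headers, where each receiving server records the protocol it used. This is an added example, not part of the thread; the sample message, hosts and IPs are constructed placeholders.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 that indicate a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def _strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hop_protocols(raw_message):
    """Return [(receiving_host, protocol, used_tls)], newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Comments go first: Postfix writes "(using TLSv1.3 with cipher ...)",
        # whose "with" would otherwise be mistaken for the protocol clause.
        text = " ".join(_strip_comments(value).split())
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        name = proto.group(1).upper() if proto else None
        hops.append((by.group(1) if by else None, name, name in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hosts that recorded receiving the message without TLS."""
    return [host for host, _, tls in hop_protocols(raw_message) if not tls]

# Constructed sample message (placeholder hosts and documentation IPs).
SAMPLE_MSG = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mx.example.org (Postfix) with ESMTPS id 4F1A2
 for <shop@example.org>; Sat, 01 Oct 2022 10:00:02 +0000
Received: from out.sender.example (out.sender.example [198.51.100.4])
 by relay.example.net (Postfix) with ESMTP id 9C3B7
 for <shop@example.org>; Sat, 01 Oct 2022 10:00:01 +0000
From: sender@sender.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in hop_protocols(SAMPLE_MSG):
        print(hop)
```

Only the lines written by servers you control are trustworthy; everything below them is what upstream hosts claimed about themselves.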


👤 barelysapient
I think you also have to consider the entire chain of custody for the address: Do you have any browser plugins that might have grabbed it? Have you used a VPN while accessing Amazon? Have you accessed it with a Mac or Windows computer?

👤 tjpnz
How easily guessed is it? Does it follow a similar format to your personal email address?

👤 terminalcommand
Contact the Information Commissioner's Office for them to investigate. Regulatory authorities are the only viable defense we have against conglomerates such as Amazon.

👤 philip1209
Could a third-party merchant access the email when fulfilling your order?

It's also possible that a browser extension accessed it.


👤 raviparikh
Is it pretty short / guessable? Maybe spammers are brute-force guessing email addresses.

👤 gz5
I haven't and don't believe this is systemic. You may have been brute forced?

👤 segmondy
Email goes through relays which are not secure. Neither you nor Amazon controls those in the middle relaying your email; a spammer could grab all email addresses in the middle if they have access.

👤 goodpoint
Is that a question or a statement?

👤 honestduane
Report it as a GDPR violation?

👤 that_guy_iain
I’m pretty sure they do give out your email. It’s just most go through Amazon’s system. The reason is, this is not the first time in the past 12 months I’ve heard of this happening and last time I think it came out that marketplace sellers get all your info