Why Does Amazon.com Allow Multiple Accounts With the Same Email Address?

A few weeks ago I discovered a rather quirky and slightly disturbing fact about Amazon.com: they allow members to have multiple accounts under the same email address. Even a cursory internet search reveals that this strange system is one of the leading causes of confusion for Amazon customers.

One customer logged into his account and discovered that the Kindle he ordered was gone from his account, yet a check of his bank account showed that the money was indeed gone. It turned out to be a case of multiple accounts.

Another customer discovered that he had two accounts when he logged in and noticed that his purchase history was many years old.

Interesting questions arise when you think through what it means to have multiple passwords on one email address. For example, what happens if I have two accounts with the same email address and I attempt to change the password on one account so that it matches the password on another account?

At the risk of destroying my Amazon.com account I decided to try it out. This is the message that Amazon.com gave me:


So, fortunately, Amazon.com does not allow you to mess up your account in this way. However, it does lead to another interesting question: since Amazon.com does not require email verification of new accounts, would it be possible to gain access to someone else's account by creating an account with their email address and then guessing passwords until you saw the "Important Message", which indicates that you have correctly guessed their password?

This explains why Amazon.com requires an image verification for changing the password. If they didn't, someone could easily set up a bot which could retrieve the password of any account on Amazon with little trouble. However, it does mean that an Amazon.com account is only as secure as the image verification feature and the concealed nature of your email address. With regard to the image verification, I wonder how long it will be before computers are able to read simple image verifications like this:


The best policy then is to use a separate email account for Amazon and keep that email address private.

What Amazon should really do is get rid of this strange account technique, if for no other reason than that it is inconvenient and confusing for many customers.

The only reason why Amazon.com implemented this feature in the first place was so that they could allow family members to have multiple accounts on the same email address. But this was during the early days of the internet when email addresses were expensive. Now a free email account is easy to come by.

There is no longer any need for Amazon users to have multiple accounts on the same email address.
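
A toy model of the behaviour discussed above, as an added example that is not Amazon's code or part of the original post; the class names, reply strings and sample address are assumptions. It shows why a store that identifies an account by (email, password) has to answer differently when a new password matches another account on the same address, and how one verified account per address removes that signal.

```python
import hashlib, hmac, os, secrets

def _record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _matches(password, record):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.compare_digest(guess, digest)

class SharedEmailStore:
    """Design described in the post: an account is the pair (email, password)."""
    def __init__(self):
        self.by_email = {}                    # email -> list of password records

    def create(self, email, password):
        records = self.by_email.setdefault(email, [])
        # Two siblings with one password would make login ambiguous, so the new
        # password has to be compared with every account on the address ...
        if any(_matches(password, r) for r in records):
            return "collision"                # ... and this reply confirms a match
        records.append(_record(password))
        return "ok"

class UniqueEmailStore:
    """One account per address, activated only from the mailbox itself."""
    def __init__(self):
        self.active, self.pending, self.outbox = {}, {}, []

    def create(self, email, password):
        if email not in self.active:
            token = secrets.token_urlsafe(16)
            self.pending[token] = (email, _record(password))
            self.outbox.append((email, token))    # simulated verification mail
        return "check your inbox"             # same reply for every input

    def verify(self, token):
        email, record = self.pending.pop(token)
        self.active.setdefault(email, record)
        return email

def observable_responses(store, email, passwords):
    """Replies seen by a caller who has no access to the mailbox."""
    return {p: store.create(email, p) for p in passwords}

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    for store in (SharedEmailStore(), UniqueEmailStore()):
        store.create("owner@example.com", "first-password")
        print(type(store).__name__, observable_responses(
            store, "owner@example.com", ["other", "first-password"]))
```

In the first design the reply depends on a password belonging to someone else's account, which is why the image verification ends up carrying the whole defence; in the second the reply is constant and only the mailbox owner can activate anything.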

29 comments:

  1. This happened to me just last week. Two accounts on same email address. I would apply a gift card in one then the other not realizing it was two different accounts. I called Amazon and they can not merge the accounts at all. The rep had to up my issue with the gift card services which then transferred one balance to the other account which I know now not to log into.

  2. Yep that was the exact thing that happened to me and motivated me to write this post. ;)

  3. It might be a little quirky, but how is this a security hole? Can you please further explain how "guessing e-mail/password combinations" is "hacking"? This is a sensationalist article.

    If you can use the same e-mail address and different passwords to create different accounts; then anyone creating a new account with my e-mail and a different password still doesn't have access to my account. They have to know my password to access my account. So bots can create accounts with my e-mail all day... the only thing that would happen to me is a bunch of welcome e-mails perhaps to the same e-mail address.

    As you demonstrated in your blog post; you can't create a new account with the same e-mail/password combination. It sounds like people who log in to find "order dating back years" just happened to use an older password. Same thing with the person who "lost their kindle order".

  4. Hello Drew. I do not feel that this article is sensationalist as I do not say in this article that it is a security hole, nor do I say that it is hacking to guess password / email combinations.

    I'm just pointing out that this technique could be used. I'm also highlighting how the security of your Amazon account is dependent on how secret you keep your email address and on the assumption that bots won't be able to read the image verification.

    This is not a security hole but rather a security inconvenience.

  5. This is definitely a horrible practice by Amazon. Identity theft usually happens by someone you know. That means, someone, who might have the last four of your credit card and your e-mail address could create another account you don't know about and, if you didn't know about this Amazon practice, you would have no idea where to start, yet the purchase would still be tracked back to you. Amazon needs to get rid of this practice. I just found out today I have THREE accounts under my e-mail address. WHAT????

  6. Thanks for commenting Anonymous. I recommend that you complain to Amazon.com. If more people complain about this it may eventually result in a policy change.

  7. In my view, it is a way for very busy people to lose money to Amazon by losing track of their accounts (especially those that have gift cards).

    Just today, I would have lost over $100.00 due to multiple accounts had I not gone out of my way to contact Amazon when it should have been a simple process.

    The Scenario - I had sent back 3 textbooks under their buyback offer, and got an email from Amazon stating that I had a $101.47 gift card in my account. A month later, I ordered a furnace filter and, forgetting that I had already created an account, got the message

    http://3.bp.blogspot.com/_bazwyKf2FDM/SwLUYmKIIcI/AAAAAAAACPI/yfZU6kOvxRg/s1600/passwordChangeMessage.PNG

    Bottom line is I ended up with an additional account based on their unclear instructions after the above message. My additional account had no connection to my $100+ gift card account.

    Many, many, many people are not going to research this stuff and go after their money (in my opinion), especially if the dollars are small, or those controlling the orders are not those actually earning the dollars.

    This practice by Amazon is simply a way to make recouping what is legitimately yours more difficult, in hopes that lazy people will not make the effort. I imagine that unclaimed funds are a major revenue source for Amazon.

    What do you think?

  8. Let's say my password is 'football'. I can login to my account using 'football', 'football1', 'football8', 'football99', 'FOOTBALL1', etc, etc, etc

    Obviously this is a security flaw. Sounds different from this article but figured I'd post as I was searching for this issue.

  9. Thank you so much for this blog. The same exact thing happened to me and I was told the accounts cannot be merged, but 1 can be cancelled (if you call them). So surprising that they would have this weird, confusing, annoying, and ultimately potentially dangerous feature. Amazon is usually wonderful and safe and great. Hope it doesn't happen to anyone else, but if it does, it's probably worth complaining about so they know & hopefully will change.

  10. I just realized today that I had two accounts.

    An order that I placed was just sent to an old address from a very old account. I guess I must have logged on with my old-stale password associated with my old mailing address.

    It was very confusing as the order wasn't even showing up in my current account, but the email did come to me. They really need to change this.

  11. I am as stunned as everyone else above. I am about to complain to Amazon because the impact on me has been financial and resulted in a bad credit reference.
    Not realising I had two accounts I deleted the connection with my MBNA Amazon card on only one but then continued to place orders on the wrong one. This has put me in debt to MBNA!

  12. How do you know if you have more than one account linked to your email address? Is there an easy way to check this?

  13. I also just discovered I had two accounts- same e-mail address, two different passwords. I discovered it by receiving e-mail confirmations, but not showing purchases in Amazon's billing history. I think the only way someone would know (if they did not suspect something was wrong with their account) would be to call customer service. According to customer service the multiple accounts can not be combined, but one or the other may be cancelled.

  14. I also just discovered I had two accounts- same e-mail address, two different passwords. I discovered it by receiving e-mail confirmations, but not showing purchases in Amazon's billing history. I think the only way someone would know (if they did not suspect something was wrong with their account) would be to call customer service. According to customer service the multiple accounts can not be combined, but one or the other may be cancelled.

  15. I also just discovered I had two accounts- same e-mail address, two different passwords. I discovered it by receiving e-mail confirmations, but not showing purchases in Amazon's billing history. I think the only way someone would know (if they did not suspect something was wrong with their account) would be to call customer service. According to customer service the multiple accounts can not be combined, but one or the other may be cancelled.

  16. Here is the scenario where it should work perfectly. I believe the feature was designed to serve this or very similar purpose.

    I just got Kindle for my kid who is too young to have own email. I don't want him/her to have full access to my account and all the books I have there, but I want to be notified using my email of any activity on that second account. That second account can have gift cards to make purchases, have a separate collection of eBooks/movies, etc. Eventually I should be able to change email address on that second account, and let the kid have completely separate one with all the history and purchases.

    Does this make sense?

    Now, very unfortunately, it looks like Amazon listened to threads like the above. When I try to set up a new account today, I am getting:
    ---
    There is already an Amazon account with the e-mail xyz@abcd.com.

    If you create a new account with the same e-mail, the existing account will be disabled. Once disabled, the existing account will not be able to access order history, gift certificates, digital purchases, Kindle books or any other data.
    ---

    And this is really scary and unfortunate.

  17. I was thinking of doing this to separate my work-related purchases from my personal purchases. When I put in my "work" password only work items (Kindle purchases, wish lists, etc) would be visible. If I made a separate account I would have to pay twice for Amazon Prime. Thoughts?

  18. It's possible to circumvent just about any rule particularly on Amazon, if you do it right. Google is your friend.

  19. I think it's quite possible to have multiple Seller accounts, although this requires you to jump through a few hoops but hey, it's worth it.

    First off, you'll need separate names, addresses, bank accounts, credit cards and social numbers to apply to each Seller account you open. This can be your gf / bf, or any of your relatives, esp. those that are totally computer illiterate. Use PO Box for the address. You can open a PO Box in each U.S. city, and then request mail forwarding to your city of residence. Try using your company name instead of your or someone else's real name; this applies to the PO Box, bank account, and credit card.


    You can get caught if you sell inventory that is the same or similar to your old one. To circumvent this, try a completely new line of products, and after several months slooowwly one-by-one introduce your new line of products.

  20. Use disposable e-mail accounts for your different Buyer accounts, and a new Gift Card each time. Then close your disposable email, and you're all set. You can do this unlimited number of times, and can use only your first name and a PO Box for the address.

    This works on Amazon but not on eBay, as the latter wants your cc along with Gift Card. But then again, you can have unlimited number of accounts on eBay perfectly legally. I myself have about half a dozen.

  21. Unless you have very weak passwords (like "1234", "dog", "cat", etc), I would not worry about this. The statement "they can easily guess your password if they have your username" is also bullshit.

    Here comes the math. Suppose that only 70 characters are used for any given password (English upper and lower case letters total 56 alone, and then you have 10 numbers, etc, etc).

    Now suppose that you only have a 4 character password. Is that secure? Well, that would take 70^4 attempts to try all possible combinations. That's 24,010,000. Even if cracking were not timed out after a few invalid attempts, and each request took 1/100 of a second, that would still take 70 hours...just for you? with a 4 char pw? come on guys

  22. Guys I also found out that my Email-address had two accounts. I tried to change both accounts to a new different Email-address and found out that Amazon does now accept just ONE account for each Email-address. This means that the problem of several accounts with the same Email-address is already solved and does only occur for old accounts!
    By the way: you also can delete your additional account if this is too dangerous/scary for you...

  23. Help, I have money on secondary account under same email and can't access it now

  24. I want to create multiple Amazon accounts. Are there any tricks???

  25. It's crazy! I have one account with gift certificates and by occasion the second account has prime. Nope, I won't delete any of them but merge them.

  26. My guess is that most of us have old Amazon accounts and when Amazon switched to a newer version of their website, we all were able to create a new Amazon account with the same email address. I have two seller accounts, just made a sale on one but cannot log into it to finalize the sale and ship. Very frustrating.

  27. AMAZON WAS HACKED! ACCOUNTS I DIDN’T KNOW I HAD GOT CHARGED TO CURRENT PAYMENT INFO. THIS CAN HAPPEN TO ANY AMAZON CUSTOMER!!!
    Please read about my experience with Amazon’s multiple accounts and the charges to my credit card here:
    http://www.amazon.com/forum/amazon/ref=cm_cd_fp_ef_tft_tp?_encoding=UTF8&cdForum=Fx1UE1R6VSVMXK7&cdThread=Tx43HXCA2S5IBQ

  28. Amazon has been HACKED and you are probably at risk!

    http://www.amazon.com/forum/amazon/ref=cm_cd_pg_oldest?_encoding=UTF8&authToken=&cdForum=Fx1UE1R6VSVMXK7&cdPage=1&cdSort=newest&cdThread=Tx43HXCA2S5IBQ

  29. This is happening to me right now. This is so ridiculous.
