In early December 2023, we received emails from readers who asked about a Facebook rumor (or possibly a scam) associated with Amazon.com that began with the words, "Amazon got hacked."
The text of the posts said that criminals had added to users' accounts one or more mailing addresses that were labeled as alternative pickup locations named Amazon Locker, Amazon Hub Locker, Amazon Fresh or Amazon Counter (e.g., Whole Foods Market). (Usually, a one-time, six-digit code or a user's phone is needed to retrieve packages from such locations.)
According to the rumor, the added addresses were fraudulently labeled and were not actually official Amazon pickup locations. The rumor appeared to say that the actual number and street name for each address led to locations that could be accessed by criminals, which would allow them to order products and then receive them, all on an innocent Amazon user's dime.
One of the more popular versions of the rumor read as follows:
PSA: check your saved addresses on Amazon. Amazon got hacked and a lot of people (including me) have random “Amazon lockers” saved in their addresses - which are not actual lockers. If you do use Amazon lockers, be sure to verify that the locker you’re sending it to is an actual locker.
Double check your order history and make sure there aren’t any orders you don’t recognize. And check your bank accounts to make sure your credit card on file is also not being used for unauthorized purchases.
In our research of this rumor, we noticed that quite a few Facebook users had shared screenshots of the purportedly fake Amazon pickup addresses. However, key here was the fact that all of the mailing addresses that appeared in these screenshots were, in fact, genuine and trustworthy pickup locations for Amazon Locker, Amazon Hub Locker, Amazon Fresh and Amazon Counter. Some of the users who shared the rumor had incorrectly said that the mailing addresses were "not actual lockers."
From all of the posts that we combed through online, we noted that none of the people who had appeared to report the mailing addresses as showing up on their accounts had also said that unauthorized orders had been placed. In other words, if criminals were purportedly taking advantage of these addresses that they supposedly added to the accounts, why weren't users on Reddit or Facebook including in their posts and comments details about fraudulent orders?
In our initial correspondence with the company, an Amazon spokesperson told us, "We have no evidence of a security event at Amazon and our systems remain secure."
In an update, on Dec. 8, an Amazon spokesperson sent a second statement that said the addresses had been added to users' accounts in "error" and that the company was "working to fix the issue":
This isn’t a data security matter and our systems are secure. Amazon pickup locations were added to a small number of customer accounts in error, and we are working to fix the issue. We apologize for any inconvenience this may have caused, and customers with questions about their account are welcome to contact customer service.
This rumor appeared to be nothing more than the latest item in the world of copied-and-pasted Facebook posts. Such posts usually contain evidence-free claims about security or privacy risks.