a few days ago, I received suspicious emails from what looked like Amazon saying my delivery was on the way. figuring it was a spoof, I deleted the emails, opened the app to make sure there were no orders, and saw nothing. later that day, I received a text from the Amazon 2FA number. i thought okay, this is a spoof, too. Amazon would email me if someone attempted to log in from a suspicious location, as it has done before. as it turns out, though, someone got into my account.

the person was able to get into my account without my code, or somehow gained access to the text messages to get the code. I have a Pixel 6 Pro and security is up to date, I do daily scans, and when i visit websites, I use HTTPS in Firefox. also, I don't log in to Amazon on my PC, and the email on the account was recently secured. the most shady website I visit is fbox.to, but I configure Firefox to block all window and tab pop-ups unless whitelisted. cookies are also disabled everywhere unless turned on (yes, even if it breaks the site when I use it). despite all this, my Amazon was used to purchase items in a brushing scam.

luckily, they didn't use my card. I contacted Amazon and they escalated the issue because they were unable to see how the hacker logged into my account. i am supposed to hear from them by now, so I'll be giving them a call shortly. in the meantime, do you smart people have some ideas how this could have happened? thanks!