How to Secure Your Amazon Account: A Complete Security Guide
Your Amazon account holds your payment cards, home address, purchase history, and potentially access to Prime Video, Kindle, and Alexa devices. Here's how to lock it down against the most common attack methods.
Why Your Amazon Account Is a High-Value Target
Your Amazon account is more valuable to attackers than many people realize. It typically stores one or more credit cards, your home delivery address, your purchase history (which reveals personal details about your life), and may be linked to Amazon Prime, Kindle books, Alexa devices, Amazon Web Services, and Amazon Pay. A compromised account can be used to place fraudulent orders shipped to reshipper addresses, drain stored gift card balances, or harvest personal and financial information.
Amazon accounts are frequently targeted in credential stuffing attacks — where automated bots try username/password combinations from unrelated data breaches. If you've reused your Amazon password anywhere that was ever breached, your account may already be at risk. According to security researchers, Amazon is consistently in the top five most-targeted consumer platforms for credential stuffing, in part because a successful breach has immediate financial payoff for attackers.
The good news is that a few straightforward steps dramatically reduce that risk. This guide walks through every meaningful security measure Amazon offers, in order of impact.
Step 1: Set a Strong, Unique Password
The most common way Amazon accounts get compromised is credential stuffing — attackers trying passwords leaked from other breaches against your Amazon login. The defense is simple but requires discipline: use a completely unique, randomly-generated password for Amazon that you've never used anywhere else.
Go to Account & Lists → Account → Login & security → Password. Use our free password generator to create a 16+ character random password and store it in a password manager like NordPass or 1Password. You should never be able to recall this password from memory — if you can, it probably isn't random enough.
What makes a strong Amazon password? Length matters more than complexity: a 20-character random string is far harder to crack than a 10-character password with symbols. Avoid anything based on your name, birthday, or pet's name. Avoid dictionary words in any language. And critically: never reuse a password that appears on any other account.
Step 2: Enable Two-Step Verification
Amazon calls its 2FA system "Two-Step Verification" and it's one of the most effective protections you can add. Even if an attacker has your password, they can't log in without the second factor. To enable it, go to Account & Lists → Account → Login & security → Two-Step Verification (2SV) Settings → Get Started.
Amazon supports authenticator apps (the most secure option), SMS text messages, and voice calls. Choose an authenticator app if possible — Google Authenticator, Microsoft Authenticator, or Authy all work well. Authenticator apps generate a 6-digit code every 30 seconds that's required at login, and unlike SMS, they can't be intercepted via SIM swapping. Our complete 2FA guide walks through setting up an authenticator app from scratch if you haven't used one before.
After setup, Amazon lets you mark certain trusted devices as not requiring 2FA each time. Use this feature selectively — only mark devices you physically control and that are protected by a screen lock. Never mark a shared or public computer as trusted.
Step 3: Review Saved Payment Methods and Addresses
Go to Account → Your Account → Payment options and review every saved card. Remove any cards you no longer use — fewer saved cards means less exposure if the account is ever compromised. If you see a card you don't recognize, remove it immediately and contact your bank.
Also check Account → Your Addresses and remove any old addresses that are no longer relevant. Attackers who gain access to your account will look for opportunities to add a new shipping address for fraudulent orders, so a cleaner address book makes suspicious changes more visible. When Amazon sends order confirmation emails, always check that the shipping address matches one you recognize.
Consider setting up an Amazon gift card balance for routine purchases instead of keeping a high-limit credit card saved. This limits your financial exposure — an attacker can only spend what's in the gift card balance. For larger purchases, a credit card is still preferable for chargeback protection, but reducing the number of saved cards reduces risk in any breach scenario.
Step 4: Check Recent Orders and Login Activity
Amazon provides two important audit trails worth reviewing regularly. First, go to Returns & Orders to check your recent order history for any orders you didn't place. Fraudulent orders are often shipped to reshipper addresses and may appear in your history as gift orders or as items being sent to an unfamiliar address. If you see anything suspicious, report it to Amazon customer service immediately, change your password, and enable or reset your 2FA.
Second, review devices signed into your account. Go to Account → Manage Your Content and Devices → Devices tab. You'll see every Amazon device and app signed in — Echo devices, Fire tablets, Kindle readers, and the Amazon app on phones. Remove any device you don't recognize. In the Preferences tab, you can also review registered deregistered devices and manage digital content access.
Amazon also sends email notifications for new sign-ins from unrecognized devices. Make sure these alerts are going to an email address you actively monitor, and treat any unexpected sign-in alert as an incident that requires immediate password change and 2FA review.
Step 5: Secure Connected Amazon Services
Modern Amazon accounts often have more connected services than people realize. If you use Alexa, review your voice history in the Alexa Privacy settings and consider enabling a voice code for purchases. Alexa can make purchases by voice by default — if you have an Echo in a shared space, voice purchasing should be restricted or disabled entirely.
If you use Amazon Pay on third-party sites, review the list of merchants at pay.amazon.com → Settings → Merchant agreements. Remove any merchants you no longer use. Each merchant connection is a potential access vector. Similarly, if you've used Sign In with Amazon on other websites, review and revoke access for sites you no longer use at amazon.com → Login & security → Apps and other services.
If you have an Amazon Web Services account linked to the same email, treat that as a separate high-priority security concern. AWS accounts should always use a dedicated, unique password and have MFA enabled on the root account — the financial and operational consequences of an AWS breach are far more severe than a retail account compromise.
Step 6: Recognize and Avoid Amazon Phishing
Amazon is one of the most impersonated brands in phishing campaigns. Attackers send emails that look like Amazon order confirmations, shipping notifications, or account alerts — but the links lead to fake login pages designed to steal your credentials. Knowing the difference protects you.
Legitimate Amazon emails come only from amazon.com domain addresses (e.g., shipment-tracking@amazon.com, no-reply@amazon.com). Any Amazon email from a Gmail address, a slightly misspelled domain (amazone.com, arnazon.com), or an unrelated domain is fraudulent. Amazon will never ask for your password, full credit card number, or Social Security number via email.
Before clicking any link in an Amazon email, hover over it to see the destination URL. Legitimate links go to amazon.com or its regional equivalents. If you receive a suspicious email about your account, go directly to amazon.com by typing it in your browser — never click the link. Check your account for any unusual activity directly on the site.
Our guide to spotting fake websites covers additional techniques for identifying phishing sites before you enter any credentials.
Step 7: What to Do If Your Amazon Account Is Compromised
If you suspect your Amazon account has been accessed without your authorization, act quickly through these steps:
Change your password immediately. Go to Login & security and set a new unique password using our password generator. If you can't log in because the attacker changed your password, use the "Forgot your password?" link to initiate recovery via your registered email.
Review and cancel any fraudulent orders. Go to Your Orders and look for any orders you didn't place. Contact Amazon customer service to report unauthorized orders and request refunds. Amazon has a dedicated fraud team for account compromise situations.
Remove any unfamiliar payment methods or addresses. Attackers sometimes add their own payment methods or shipping addresses. Check both lists and remove anything you don't recognize.
Sign out all other sessions. Go to Manage Your Content and Devices and remove any devices or sessions you don't recognize.
Secure your email account. An attacker who controls your email account can reset your Amazon password at will. Immediately secure your email with a strong unique password and 2FA — our guide to securing your email account covers this in detail.
Contact your bank. If any payment cards saved to Amazon were potentially exposed, notify your bank and monitor for unauthorized charges. You may want to request new card numbers as a precaution.
Amazon Account Security Checklist
Run through this list to verify your Amazon account is properly secured:
- ✅ Set a unique, randomly-generated password using a password generator
- ✅ Enable Two-Step Verification with an authenticator app
- ✅ Remove saved payment cards you no longer use
- ✅ Remove outdated shipping addresses
- ✅ Review recent order history for unauthorized purchases
- ✅ Audit signed-in devices and remove unrecognized ones
- ✅ Restrict or disable Alexa voice purchasing if you have an Echo
- ✅ Review Amazon Pay merchant connections
- ✅ Revoke Sign In with Amazon for services you no longer use
- ✅ Verify that email alerts for new sign-ins are reaching an inbox you monitor
Recommended Tools
For storing the strong passwords you generate, we recommend NordPass (zero-knowledge encryption, excellent free tier) or 1Password for families who share accounts. Both generate strong passwords automatically and fill them in your browser so you're never tempted to reuse something memorable.
For 2FA, the Google Authenticator or Authy apps are free and take five minutes to set up. See our complete 2FA guide for a walkthrough of getting started with authenticator apps. If you want to understand what to do when a data breach exposes your information, our data breach response guide covers next steps in detail.
See our full security tools guide for more recommendations on protecting your online accounts.
Recommended next step
See recommended security tools
Use the generator for new credentials, then store them in a manager built for long-term password hygiene.
See recommended security tools →Keep Improving Your Account Security
- Browse the phishing hub for the complete set of related guides.
- Google Authenticator vs. Authy: Which 2FA App Should You Use in 2026?
- How to Secure Your Microsoft Account: Passwords, 2FA, and Recovery Options
- How to Secure Your LinkedIn Account: Passwords, 2FA, and Privacy Settings
- Two-Factor Authentication Guide: How to Enable 2FA on Every Important Account