My New Kindle Went Astray…Pre-Loaded With My Credit Card Info

The cloud of invisible information that surrounds is is a wonderful thing, but there are dangers as well. Brandon ordered a Kindle as a gift for his girlfriend, and upgraded to one-day shipping, but the package went astray. Amazon overnighted a new Kindle and things were glorious…until Brandon started receiving purchase confirmations of Kindle apps and content using his credit card and e-mail address. His girlfriend wasn’t making the purchases. So who was?

Last week I placed an order on Amazon which I use frequently like most of the universe for various purchases. I was ordering the Kindle as a gift for my girlfriend. Wanting to expedite the process, I decided to pay for the one day shipping for only $15. The next day I watched as the tracking info never updated. This isn’t uncommon for quick deliveries because often the package arrives before the systems know what’s going on. When it didn’t arrive that day, I was disappointed, but understand things happen.

Knowing Amazon usually has exceptional customer service; I called up rather late at night (10:30pm EST) and spoke to a friendly agent. She refunded me my $15 for shipping and explained to me the package seemed to hit a snag at some point and it would arrive within the next two days. Again, I was irritated by the delay but understand things happen and went on with my life.

Two days go by and the package still does not show up. Now frustrated one notch higher than I was before, I called up customer service again. This customer service agent again was very friendly, but explained the Kindle had been lost in shipment. Explaining how I’ve now waited several days past when I originally wanted the package, they offered to next day me another Kindle as soon as they possibly could. Amazingly the Kindle arrived 14 hours later, and on a Saturday no less!

I gave the gift to my girlfriend and she was very happy with it. I was happy with the response Amazon gave me despite what happened being beyond their control.

Over the past few days I started getting weird emails from Amazon. I would get a dozen plus emails at a time displaying purchases made on a Kindle. I asked my girlfriend if she had used my email to register the Kindle thinking that could explain the purchases showing up in my email. This wasn’t the case as she explained to me that she used her own information to register it. I let it go for a day thinking it may be just an error of some sort. All of the purchases up to that point were for free apps.

The next day I got another hoard of emails and that’s when it hit me. The first Kindle that was lost in shipment was being used by someone, and better yet, this someone had access to all of my information including the credit card I used to purchase the Kindle!!!

I immediately called Amazon and explained what was going on. This time it took some effort to really get the customer agents to understand what I was saying. At first they thought I was telling them that my girlfriend was making purchases on her kindle using my credit card. After I explained to them that this wasn’t the case and she had registered the Kindle with her own card and email, they finally understood what I was saying.

My suspicions were confirmed. Someone else had gotten their hands on the first Kindle lost in shipment and because the Kindle came preloaded with my name, email, address and credit card information, this person(s) was able to make purchases on this Kindle. I spoke with the customer service agents who after understanding did their best to help me. They refunded all the purchases that were made. By the time I discovered this, the fraudulent user had made several big purchases of entire TV seasons. They also deactivated the Kindle so the person could no longer use it.

I was chatting with my girlfriend as this happened while I was at work, and as soon as the deactivation occurred my girlfriend informed me that now her Kindle had been shutdown. The customer service agents had deactivated either the wrong one, or both Kindles. I now had to reinitiate a chat and explain this to another customer service agent. Now that the story had grown more complicated, it required yet even more details and time to get the agent to understand the situation. Better yet, now my girlfriend had to call Amazon and prove to them that she was who she was, and that I was who I was so they could reactivate the Kindle.

Forty-five minutes later, my girlfriend’s Kindle was back in action. I have yet to receive any more emails informing me of purchases being made on my account which is a good sign.

I love Amazon. They make my life so much easier. What I do not like is them sending out extremely critical information pre-loaded onto Kindles. No one should be able to simply open a box and begin purchasing items on someone else’s credit card. I am lucky the user of the lost Kindle seemed to not really understand this because they didn’t begin purchasing anything until they were 3 days into it.

I am usually quite careful with my personal information, and it really bothered me that it was so available to someone else. I just wanted to let the Consumerist know about this so prospective buyers of Kindles or other electronic products can be wary of what is being stored in the device before you ever get your hands on it. I will admit I made the purchase rather quickly, but I didn’t see anything about having the Kindle pre-loaded with information. While they are trying to make people’s lives convenient, and I’m sure for anyone who got their Kindle it was, it had the opposite effect on mine.

By the way, my girlfriend loves the Kindle. I like it too, but it immediately left a bad taste in my mouth for dealing with all the issues in getting one (and subsequently getting rid of one which I never got in the first place…)

Comments

Edit Your Comment

  1. AstroPig7 says:

    That is a serious security risk. What the hell were they thinking?

    • Nigerian prince looking for business partner says:

      I’m guessing they think the damage that can be done with 1 Click Ordering enabled is outweighed by the number of people who want it to work immediately after opening the box.

      • cosby says:

        Yep. It is a big feature that the thing can be pretty much ready to go out of the box. I’ve seen cell phones sent out pre activated as well. No real difference. In this case the device comes ready to use. You can avoid this by marking it as a gift, then you need to activate it.

        • vliam says:

          Not quite.

          You have to setup your WiFi connection first. If you are technologically literate enough to get past that point, surely you can login at Amazon on the thing.

          If you can’t get past the WiFi connection, having your account and billing info already loaded isn’t going to help much.

          /no 3G on the Fire
          //you must use WiFi

    • rugman11 says:

      At the very least, they could make you enter your password the first time you actually buying stuff.

      • elangomatt says:

        I would be OK with it if they asked for a password whenever you purchase something. I guess that defeats the purpose of their 1 click purchase stuff though. I get annoyed at my iPad where I have to type in my password to install anything, even a free update to a free app. It is bad enough that you have to type in the password for free apps at all.

        • Ben says:

          All you have to do is change a setting in the Settings app and you won’t have to type your password in every time.

          • Platypi {Redacted} says:

            That would be great, but I can’t find the setting for it! It doesn’t seem to be in the STORE section, is it somewhere else?

          • crb042 says:

            The problem is that the default setting is “go ahead and spend someone else’s money”.
            The default should be to require the password, and it should also require confirming the password one last time before enabling one-click buying (kind of like their website does).

      • maxamus2 says:

        Maybe they did and the password was 12345.

    • pegr says:

      This is a serious violation of the PCI DSS, Payment Card Industry Data Security Standard. The op should call their credit card issuer.

      • GTI2.0 says:

        No, it’s not. The thief had no access to the credit card information, which is what PCI dictates. They were simply able to place orders using stored payment information, which PCI does not dictate.

    • Difdi says:

      They were thinking how nifty, cool and convenient their feature was, without ever once considering ways it could go wrong. This is why you really need a cynic on each project team (or at least at the supervisory level), to prevent things like this from happening.

      If your average blog commenter can see why it might be a bad idea, you’d think a techie type would…but some people really are just that sheltered.

  2. Nigerian prince looking for business partner says:

    I think Amazon’s biggest mistake is shipping out Kindles in boxes that have the word “Kindle” all over them.

    As for being pre-registered and pre-loaded with you Amazon account, many people would see this as a bonus, since it pretty much works out of the box. I also recall seeing a warnings about this when I bought mine. But I think the warnings had more to do with gift giving than theft.

    • bendee says:

      “I think Amazon’s biggest mistake is shipping out Kindles in boxes that have the word “Kindle” all over them. “

      Agreed – while I can’t speak for new iPhones, when Apple shipped me a replacement one a couple years ago, they sent it in a generic package where even the name on the return address was something like ‘Warehouse’.

      • MrEvil says:

        All of the Apple gear my company orders comes in non-descript plain cardboard boxes with little in the return address.

    • nugatory says:

      At the very least when the kindle arrives, it should make you enter your amazon password before anything works. Simple fix that would stop these issues, but still be convenient.

  3. Platypi {Redacted} says:

    I am no expert, but when I bought my kids Kindles for Christmas, they were automatically registered with my Amazon account. They didn’t have my actual credit card or anything, but were connected to my account. If they had gotten lost, someone could have started buying apps and books from Amazon, but they wouldn’t have my CC# to go on a spree elsewhere. There is a section in Amazon where you can manage your Kindles, I am guessing to stop this kind of thing, you should immediately go Deregister a missing Kindle. Not something the OP would know to do, but a quick way to end the purchases.

    • elangomatt says:

      Thanks for typing out my post for me. I am sure the kindle had all of his account information pre-loaded for convenience, but I don’t think any of his personal information was actually ever in jeopardy unless the recipient of the lost kindle figured out some way to hack his password from the files on the Kindle. I don’t think there is any easy way to see even the password info, and I am sure the credit card info isn’t stored on the kindle. It would just be connected to an account which has the CC info on Amazon’s servers.

    • Platypi {Redacted} says:

      That said, Amazon policy should be updated to deregister a Kindle reported lost in shipment.

  4. deathbecomesme says:

    You can change your purchase options at the Amazon site. You also get an email about “purchases” for free times/apps. Just go to the site and change your ordering preferences so that way the person can no longer order anything without authorization and get Amazon to refund you any damages

  5. TheMansfieldMauler says:

    It wasn’t preloaded with your credit card, it was preloaded with your amazon account information. The credit card is attached to your amazon account and stays on the amazon secure servers, not on your kindle. You can go to your account settings and delete the payment method if you want (but probably need one there for kindle stuff).

  6. FatLynn says:

    I got an open box laptop from BB that came preloaded with the returner’s CC#, SSN, and all sorts of other good stuff!

  7. notovny says:

    This is one of the reasons that, when I bought one from Amazon with Christmas gift cards, I seriously considered buying it as a Gift Purchase, even though it was going to me.

    If I had, I’d have had to manually enter my login information upon its arrival.

    As it turns out, I decided not to, since my neighborhood is sufficiently unsafe that UPS doesn’t leave packages out, and the Kindle was delivered safely to my hands on the arrival date.

  8. conquestofbread says:

    I just got a Kindle as a gift from my mother last week.

    They do warn you that if you’re sending it as a gift, to check the box when ordering so that the box it ships in is a regular Amazon box, and will not be linked to the account it was bought with.

    I’d probably do that anyway as a precaution, even if it wasn’t a gift, because the actual registration only took a minute. I’m surprised they don’t have more problems like this, especially since the pre-loaded ones ship in the Kindle box.

  9. Audiyoda28 says:

    Who at Amazon thought it would be a good idea to preload that sort of information on a Kindle? I suppose the concept of a gift is well beyond their scope of thinking.

  10. areaman says:

    Wow. Amazon REALLY likes it when their customers gives the gift that keeps giving.

  11. pop top says:

    My mom got a Kindle Fire for Christmas and we had to load all of her information onto it and specifically attach it to her Amazon account. I wonder what the difference was.

  12. Straspey says:

    OTOH -

    I wanted to buy a Barnes & Noble Color Nook for my wife’s birthday a few months ago.

    I walked into a big B & N store in Manhattan and went up to the Nook desk, where I spent a few minutes chatting in person with a friendly and knowledgeable Nook specialist.

    I selected the Nook, along with a cover and a renewal of my wife’s B & N membership, which had expired – paid for the entire purchase with my credit card, and took it straight home, where I gift-wrapped it myself and gave it to my wife in person for her birthday.

    She uses it every single day, has never had a problem with it, and she absolutely loves it.

    • delicatedisarray says:

      and…

      I went to Target, purchased my Kindle and cover. I use it almost every single day, I have never had a problem with it, and I absolutely love it.

      Just because one person had a problem with a Kindle doesn’t automatically make any other e-reader better than it.

      (I bought mine at Target because I am super impatient and didn’t want to wait for it in the mail.)

    • elangomatt says:

      You do realize that there are many more stores than B&N has where you can walk in and pick up a Kindle and probably a case too. Registering the Kindle to your Amazon account is stupidly easy and you don’t need any kind of Kindle “specialist” to do so.

      • Awesome McAwesomeness says:

        Agreed. I got my dad’s Kindle from Target and it was fast and easy for him to set up and use. I got a Fire, which I ordered from Amazon and my 9 year old figured it out within minutes.

    • Coffee says:

      Funny…my wife purchased me a Kindle through Amazon.com a year ago and she didn’t even have to go to a store. She clicked “purchased”, then waited for the package to arrive, hid it from me, wrapped it, then gave it to me on my birthday. Amazing!

      In contrast, I’ve read horror stories about people going to brick & mortars, purchasing electronics, then going home and finding out that the box contains nothing more than a brick or an oven door. When they’ve gone to return the items, they’ve been called liars by the people working in returns. It sure is nice to deal with Amazon, which takes a customer is always right stance (for example, when my Kindle cover was causing the unit to reset, they credited my account with enough money to purchase the cover-with-light that didn’t have the same issue…how nice!).

      TL;DR – no system is perfect…there are always going to be the occasional glitched when you’re dealing with millions of transactions. No need to be smarmy.

      • magnetic says:

        I bought a Kindle this year from Fred Meyer, and things went perfectly well. Unfortunately, I somehow got the darn thing stolen within 48 hours of owning it. The most galling thing is that this was a replacement Kindle for the one I broke. Like any sucker, I just got a refurb to replace the replacement. At this point, it’s a $400 Kindle. I was nervous about a refurb, but so far so good.

  13. DanKelley98 says:

    Hello? Preload his account/credit card info? What dumba** came up with this “convenience”??

  14. bholley says:

    Hey Everyone-

    I am the Brandon from this article. To clear a couple things up I’ve read in the comments:

    By asking my girlfriend exactly the steps she went through in her registering process, I was able to gather what information was available for viewing. My name, email address, physical address were all available. The CC# was not the full number, so it probably could not be used elsewhere, however it was able to be used on any Kindle purchases.

    By the time I caught all of this something like $80 worth of Apps and TV shows had been purchased.

    -Brandon

    • bholley says:

      Like I said in the article as well, I made the purchase rather quickly. I suppose that is my own fault as I didn’t expect the device to come preloaded. However, I don’t think this really changes anything because if I had ordered the Kindle for myself, I likely would’ve opted FOR the pre-loaded information anyway. If that one was lost I’d still be in the same situation.

      • Kate says:

        I’ve never heard of devices coming pre-loaded, and I probably wouldn’t have noticed unless they made a big deal about it at the top of the product description.

        Thanks for letting us know about this.

  15. invisibelle says:

    The pre-registered Kindle does make it easier for people like my parents who are a bit derpy with technology to buy stuff, so I wonder if Amazon just decided it was worth the liability of situations like OP’s. If that’s the case… sucks for OP.

    • Nigerian prince looking for business partner says:

      I’m guessing that’s their logic too. If the device is stolen and somebody racks up a few hundred dollars worth of movie purchases, Amazon can deactivate the device, refund the money, and they aren’t physically out anything. With 1 Click Ordering, you can’t change a shipping address, so the damage a thief can do is pretty minimal and easily mitigated.

  16. slightlyjaded says:

    So some of these comments seem to clear up the biggest issue–that the Kindle ships connected to your Amazon account, not with your full CC info pre-loaded.

    But here’s what I don’t get: Why doesn’t it ask you for a password to make a purchase? Even if you have one-click ordering enabled on your account, shouldn’t it demand a password at least ONCE? Like the first time you’re accessing your Amazon account from a new device?

    • mikedt says:

      Or god forbid you leave your kindle laying around the house and your kid orders hundreds of dollars worth of stuff.

      This is why Apple requires you to enter the password for every purchase unless those purchases are made within a 15min window.

  17. dush says:

    Why are these devices pre-loaded with any personal information at all?
    That’s good to know so I never spend money on one of these.

  18. nvaillancourt says:

    When you order a Kindle from Amazon, you have the option to check a box letting Amazon know that it is a gift. When you do that, your account/cc info is not pre-loaded. When I bought my mom’s Kindle, Amazon made it pretty clear that this was an option and what it meant. Sounds like it is the safest route when ordering these regardless of whether or not it is actually a gift.

  19. nvaillancourt says:

    When you order a Kindle from Amazon, you have the option to check a box letting Amazon know that it is a gift. When you do that, your account/cc info is not pre-loaded. When I bought my mom’s Kindle, Amazon made it pretty clear that this was an option and what it meant. Sounds like it is the safest route when ordering these regardless of whether or not it is actually a gift.

  20. nvaillancourt says:

    When you order a Kindle from Amazon, you have the option to check a box letting Amazon know that it is a gift. When you do that, your account/cc info is not pre-loaded. When I bought my mom’s Kindle, Amazon made it pretty clear that this was an option and what it meant. Sounds like it is the safest route when ordering these regardless of whether or not it is actually a gift.

  21. mikedt says:

    So if you give a kindle as a gift, the recipient receives it with your account info?

    Preloading account info seems like a mistake in so many situations I surprised they do it.

  22. vliam says:

    This is the reason that not accepting gift cards as a form of payment for Prime is bad policy.

    Pre-loading CC info is just plain stupid.

    I can’t wait to see the Amazon defenders converge on this one.

  23. Quake 'n' Shake says:

    That’s interesting. I bought a Kindle Fire for my wife. It was set up for me, but she simply registered it under her account. I never bothered to check to see if it was pre-loaded with all my info because it never occurred to me.

    • bholley says:

      Thats what my girlfriend did too. It wasn’t until I realized what was going on with the other Kindle that I asked her and she told me all that information was already on it.

  24. etz says:

    didn’t matter for me when I bought a Fire as a gift. It still came in the box proudly labeled with the Kindle Fire logo on it even though I specifically checked the “this is a gift” checkbox. I was very annoyed because it totally ruined the surprise.

  25. leprofie says:

    Some fault here lies with the OP. You give way too much information. That’s why it takes forever for customer service to figure out what your problem is.

    • bholley says:

      If you could kindly enlighten me to how you would present the problem I will gladly take note of it and try to optimize my approach in the future.

  26. leprofie says:

    Some fault here lies with the OP. You give way too much information. That’s why it takes forever for customer service to figure out what your problem is.

  27. KDO says:

    Thanks for this report. I’m planning to purchase a Kindle, and wasn’t sure whether to go through Amazon or buy at my local Staples store. Guess which I’ll pick now?! I know Amazon.com asks you to input your password again before any purchases – does the Kindle not do that? I’m buying it for my daughter, who will use my account, so that would be nice to know.

    • Thalia says:

      You can set it to link to your account automatically, or not. Just like with one click ordering. If you enable it, no further PW requests are made.

  28. ganzhimself says:

    WTF?!? Why doesn’t the Kindle Fire require you to put in your account password to complete a purchase? My mind is blown that this simple security feature was left out of the design of this product. Glad that the tablet I bought requires me to input my account’s password when I want to purchase something… About the last thing I need to do on top of losing the tablet is have someone start racking up app or book purchases on my tablet… And to think that the poor OP wasn’t even the one who lost it? Blows my mind how careless a company can be. There must be a way Amazon can remotely deactivate or deauthorize the tablet from using his account, right? Sad, because the KF seems to be a half-way decent tablet aside from the obvious glaring security flaws.

    • ganzhimself says:

      Oh, I see, they can deactivate them remotely. That’s at least good. I missed that part.

      But, seriously, why are they shipping them linked to an account ready to buy whatever with a tap of a finger? It must be a huge hassle for a user to input their Amazon.com account info and password when they unbox the Kindle Fire. Jeez. Hearing things like this just blow my mind how such a great company can do some really boneheaded things.

  29. HogwartsProfessor says:

    Thanks for posting this. I can’t get a Kindle now, but it reminded me I had a package from Amazon going to the (former) office. I emailed my old boss and asked him to call or email when it arrives so I can go get it. If it were UPS or FedEx I could ask the seller to redirect, but it’s USPS.

    I think if I do buy one eventually, I’ll go retail. Less chance of this happening and instant gratification in the same box.

  30. ned4spd8874 says:

    Very scary indeed. At least ask for a damn password at least ONCE Amazon! Geez.

  31. abberz3589 says:

    When you buy a kindle, there’s an option to go ahead and register it with your information, or to leave it blank.

    Not trying to blame OP but it sounds like he clicked the box to have it registered with his info.

    • vliam says:

      Actually, you have it backwards.

      When you purchase a Kindle, it is loaded with your account information by default. Optionally, you can chose the “This will be a gift” checkbox.

      However, the OP probably assumed that checking this was unnecessary as he would intercept the package and wrap it, or whatever, before giving it to the intended recipient. I’ve purchased many gifts through Amazon and never selected this option because I give the item to the person directly. I’m not drop-shipping them a gift.

      Unfortunately, in this case, your not just accidentally including a copy of Amazon’s packing list but a fully functional direct connection to your billing account.

  32. scottd34 says:

    Leaving out unnecessary details helps in making sure that other things like your girlfriends kindle being shut off dosent happen.

    I have people do this to me all the time, give the whole story in a confusing way which takes 5 times longer just to figure out what the customer wants.

    Instead, the shutoff of the girlfriends kindle could have been avoided by just saying that kindle 1 was lost in the mail and you are now getting purchase emails.

    Also, what kind of company preloads a customers account on a device?! Seems like a stupid thing to do. Anyone who cant figure out how to enter a username and password onto a screen with 2 prompts (username and password) prompt shouldnt be using technology anyway.

  33. Kira says:

    Sigh… If OP was smart he could have de registered the Kindle easily on his own very quickly before any of the big purchases were made. It’s right there on the website.