
Recently, Groove Life, a U.S.-based brand that's been selling on Amazon for nearly a decade, lost $375,000 after their Seller Central account was hacked. Despite having two-factor authentication enabled at every allowable point and running a tight security operation with only one admin login, Amazon allowed a Swiss bank account to be added to their disbursement settings. Every dollar of their balance was swept out without any warning or secondary verification.
The founder, Peter Goodwin, shared the devastating details on LinkedIn: Amazon kept all $302,000 in ad spend and fees that drove that revenue, offered no phone support (only email tickets with random agents), and after a week replied with: "We are not liable, as the transfer originated from your account." There was no record of a foreign login, no evidence of compromised credentials, no IP evidence, no two-step authenticator logs. Just "sorry, have a nice day."
If you're using your original Amazon Seller Central login (the one you used to set up your account) for everyday work, you're leaving your business vulnerable to a catastrophic hack. Here's why this matters and what you need to do immediately to protect your account.
Why Your Admin Login Is a Security Liability
Think of your Amazon Seller Central admin account like the master key to your entire business. It has unrestricted access to:
- Bank account and payment information
- Tax documentation and business details
- Advertising credit cards
- User permissions and account settings
- Email and phone number changes for notifications
When hackers gain access to an admin account, they can change everything - including the notification email address that would normally alert you to suspicious activity. By the time you realize something is wrong, your disbursements could be flowing to a Swiss bank account (as Groove Life discovered), and Amazon will likely claim zero responsibility for recovering your funds.
How Hackers Gain Access
The risk isn't just theoretical. Here's how it typically happens:
Keystroke Loggers: Malware installed on your computer can record every password you type, including your Amazon login credentials. If you're signing in as an admin daily, you're giving hackers repeated opportunities to capture those credentials.
Phishing Attacks: Hackers send sophisticated emails that appear to be from Amazon, tricking you into entering your credentials on fake websites that look identical to Seller Central.
Computer Compromise: If your computer is hacked or taken over remotely while you are signed in to an admin account, the attacker gains full control over your Amazon business.
Session Hijacking: Even with two-factor authentication enabled, hackers can sometimes exploit active login sessions or find vulnerabilities in Amazon's security measures. The Groove Life case demonstrates this: proper 2FA was in place, but the hack still occurred.
The more frequently you sign in as an admin, the more opportunities hackers have to intercept your credentials. And once they're in, they move fast - changing email addresses, bank accounts, and locking you out before you even know what happened.
The Notification Email Vulnerability
Here's what many sellers don't realize:
You don't need admin access to change notification settings in Amazon Seller Central.
This creates a dangerous scenario:
- Hacker gains access to your admin account
- First step: Change the emergency notification email to their own email
- Next: Change the bank account information
- Your disbursements start going to the hacker's account
- You don't receive any warnings because the notification email was already changed
By the time you notice a missing disbursement, the money could be long gone - potentially to an overseas account where recovery is nearly impossible.
The Solution: Never Use Your Admin Login for Daily Tasks
The fix is straightforward but requires immediate action. Here's what you need to do:
Step 1: Create a New Standard User Account for Yourself
Your current login (the one associated with your business email like businessname@gmail.com) should be reserved exclusively for admin-level changes. Create a new user account with your personal email or a variation of your business email.
Example:
- Admin account (use rarely): businessname@gmail.com
- Daily-use account (use constantly): yourname@businessname.com or yourname.business@gmail.com
Step 2: Set Proper Permissions for Your New Account
When you create your new standard user account, grant it "Edit" rights across all necessary areas:
- Inventory management
- Advertising
- Reports and analytics
- Fulfillment settings
- Customer communications
A properly configured standard user can do everything you need for daily operations. They just can't make high-level changes like:
- Modifying bank account information
- Changing deposit methods
- Updating tax information
- Altering credit cards used for advertising
- Granting or removing user permissions
Step 3: Secure Your Admin Account
Once you've created your standard user account:
- Change the admin password to something strong and unique
- Enable Two-Factor Authentication (2FA) on the admin account
- Document the admin credentials in a secure password manager (not in an unencrypted file)
- Limit knowledge of admin credentials to only 1-2 trusted people
- Never grant universal admin rights to employees, VAs, or agency partners
Step 4: Establish an Admin Access Schedule
You should only need to sign in as the admin a few times per year:
- When onboarding new employees or agency partners
- When updating bank account information
- When adding new credit cards for advertising
- Quarterly security audits to verify nothing has changed
- Annual password updates
If you're checking your disbursements regularly (which you should be), you'll immediately notice if one doesn't arrive on schedule. That's your first line of defense against bank account changes.
Complete Amazon Seller Account Security Checklist
Beyond fixing the admin login mistake, here are additional security measures every Amazon seller should implement:
User Management Best Practices
Remove Unused Users Immediately
- Delete any users who were added but never fully set up
- When employees leave your company, remove their access the same day
- Notify your agency or VA team if you part ways with someone who had account access
Audit Existing Users Quarterly
- Review who has access to your account
- Verify permission levels are appropriate for each user's role
- Remove admin rights from anyone who doesn't absolutely need them (hint: almost nobody needs them)
Use Role-Based Permissions
- Give team members only the access they need for their specific responsibilities
- Marketing team doesn't need inventory access
- Product team doesn't need advertising access
- Finance team doesn't need listing access
Technical Security Measures
Enable Two-Factor Authentication (2FA)
- Required for admin account (non-negotiable)
- Highly recommended for all user accounts
- Use an authenticator app rather than SMS when possible
Use a Password Manager
- Generate strong, unique passwords for each account
- Never reuse passwords across different services
- Popular options: LastPass, 1Password, Bitwarden, NordPass
- Keep the password manager itself secured with a strong master password
Maintain Computer Security
- Keep antivirus software updated and active
- Don't click suspicious email links, even if they appear to be from Amazon
- Use a VPN when accessing Seller Central from public WiFi
- Regularly scan for malware, especially if your computer behaves strangely
Monitor Bank Account Changes
- Amazon implements a 3-day hold on bank account changes, but hackers have found ways to manipulate this
- Check your deposit methods monthly by signing in as admin
- Set up alerts with your accountant to flag any missed disbursements
- Know your normal disbursement schedule (typically every 2 weeks on the same day)
Notification and Monitoring
Verify Notification Settings
- Sign in as admin quarterly to confirm notification emails are correct
- Check that your phone number for emergency contacts hasn't changed
- Review all email addresses receiving account notifications
Financial Monitoring
- Track every disbursement on a shared calendar
- Set up accounting alerts for missing Amazon payments
- Reconcile your bank account against expected Amazon payouts weekly
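The reconciliation described in the list above can be scripted so a missing payout is flagged within days instead of at the next manual check. This is an added example, not part of the original article or any Amazon tooling; it assumes the two-week cadence mentioned earlier, a constructed list of bank deposits, and a hypothetical three-day grace window.

```python
from datetime import date, timedelta

# Constructed sample: Amazon payout credits taken from a bank export (date, amount).
SAMPLE_DEPOSITS = [
    (date(2024, 1, 3), 18250.40),
    (date(2024, 1, 18), 20110.05),  # landed one day late, still within grace
    (date(2024, 1, 31), 19875.90),
    # nothing arrives for the 2024-02-14 or 2024-02-28 payouts
]


def check_disbursements(deposits, first_payout, today, cadence_days=14, grace_days=3):
    """Return (missed, pending) lists of scheduled payout dates.

    missed  = grace window has closed and no deposit matched
    pending = grace window is still open on `today`
    cadence_days and grace_days are assumptions; set them to your own schedule.
    """
    unmatched = sorted(d for d, _amount in deposits)
    missed, pending = [], []
    due = first_payout
    while due <= today:
        window_end = due + timedelta(days=grace_days)
        # Earliest unused deposit inside [due, window_end]; each deposit matches once.
        hit = next((d for d in unmatched if due <= d <= window_end), None)
        if hit is not None:
            unmatched.remove(hit)
        elif window_end < today:
            missed.append(due)
        else:
            pending.append(due)
        due += timedelta(days=cadence_days)
    return missed, pending


if __name__ == "__main__":
    missed, pending = check_disbursements(
        SAMPLE_DEPOSITS, first_payout=date(2024, 1, 3), today=date(2024, 2, 29)
    )
    for d in missed:
        print(f"ALERT: no Amazon deposit for payout due {d}; verify deposit method as admin")
    for d in pending:
        print(f"pending: payout due {d} not yet seen")
```

Any date in the missed list is the cue to sign in as admin and verify the deposit method and notification email.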
Activity Monitoring
- Review your Account Health regularly for unauthorized changes
- Check for unfamiliar products added to your catalog
- Monitor for unexpected changes to existing listings
What to Do If Your Account Is Already Compromised
If you discover your account has been hacked:
Immediate Actions
- Attempt to change your password immediately if you still have access
- Contact Amazon Seller Support through every available channel (phone, email, chat)
- Contact your bank to alert them about potential fraudulent transfers
- File a report with the Internet Crime Complaint Center (IC3)
- Document everything: take screenshots, save emails, note timestamps
Recovery Process
Amazon's recovery process can be slow and frustrating. Be prepared to:
- Verify your identity using registered email, phone number, and billing information
- Provide business documentation proving ownership
- Wait days or even weeks for account restoration
- Potentially lose revenue during the recovery period
Post-Recovery Security
Once you regain access:
- Immediately change all passwords
- Remove any unauthorized users
- Verify bank account and payment information
- Check notification settings
- Implement all security measures outlined in this article
- Consider engaging an Amazon account security specialist
The Real Cost of Poor Security
The Groove Life case illustrates the true cost of inadequate account security:
- $375,000 stolen and unrecoverable
- $302,000 in ad spend and fees that Amazon kept while offering no support
- No phone support, only email tickets with random agents
- Amazon's response: "We are not liable". Zero accountability despite the platform allowing international bank account changes without proper verification
- Countless hours dealing with unhelpful support
- The devastating realization that even "doing everything right" (tight security, 2FA, single admin) may not be enough
And here's the truly frightening part: Peter Goodwin noted there was no evidence the hack came from their account. No foreign login records, no compromised credentials, no IP evidence. Yet Amazon claims it "originated from your account" and accepts zero liability.
For a smaller seller, even a fraction of this impact could be business-ending. The time to implement proper security isn't after you've been hacked. It's right now.
A Simple Change That Makes All the Difference
Creating a separate user account for daily operations takes less than 10 minutes. Securing your admin credentials and implementing the other measures in this checklist might take an hour.
Compare that to $375,000 in stolen funds, Amazon keeping your ad spend while offering no support, and discovering that even with proper security measures, you may still be vulnerable to sophisticated attacks.
The security mistake isn't complex, and neither is the solution. Stop signing in as the Amazon account owner for daily tasks. Create a standard user account, lock down your admin credentials, and only access that admin account when making high-level changes a few times per year.
Your future self and your bank account will thank you.
Need Help Securing Your Amazon Business?
At Elbert Mountain, we help Amazon Brands implement robust security practices and optimize their operations for sustainable growth. If you're concerned about your account security or want expert guidance on protecting your Amazon business, contact us today.








