I might be being pedantic, but the only mention of 2FA in the OP is:

"As a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away, I would have thought my accounts and details would be be pretty safe? Wrong."

Are you sure the author enabled 2FA on his Amazon retail account, or was it only enabled on his AWS account? The two systems do not share the same 2FA.

FYI I enabled 2FA on my Amazon retail account and when I called customer support they verified it. Once the verification failed and they refused to give me support.

Anyone else confirm a similar story with 2FA and support? Anyone willing to explicitly test this out?

There's no reason to assume he wasn't using 2FA. The title says "backdoor" and that's the point: they didn't verify identity... they asked for name, email and a nearby address.

> Actually, I do have 2FA enabled on my account. But I don't think I had it enabled at the time for the very first attack.

https://news.ycombinator.com/item?id=10965111

I don't think he was using 2FA; if he was, Amazon CS would not have given him the information (or at least should not have, based on their own policies): https://www.amazon.com/gp/help/customer/display.html?nodeId=....

Sorry, I did skim it but must have missed it! :-}

In any case, I will leave my comment so that folks who come across this thread have a handy reference for turning on 2FA on their Amazon accounts.