TL;DR: I've just spent several hours chasing a socially engineered (not password compromised) stolen Kindle through a series of phone calls, chats, virtual shipping addresses, UPS tracking numbers and more. Amazon Kindle Support is, and continues to be, truly amazing. Yesterday I got an email from Amazon that said: I'm writing to follow-up on our recent chat conversation. No, all the links are valid, email return path is correct, and I confirmed I've received emails like this before. They were able to get the Amazon Customer Service to accept that they were me without my password or any additional verification. She talks to a supervisor and says she can't send them to me because the chat logs contain the address that the bad guy wants to redirect to.

Of course, the automated system can't NOT send the follow up, which is why we're here now.

If that automated email hadn't gone out I wouldn't have noticed this hack until I checked my Amazon Recent Orders at some point in the future.

ASIDE: It's rather ironic that the bad guy's address has more privacy than I do. I can confirm that we still expect to ship your order in time to be delivered to you by February 12th, 2013. The phone folks at Amazon are very consistent, but the chat and email support is, in this case at least, demonstrably spotty.

Then I get this email a few minutes later: Looks like they are so efficient that they got the Kindle on the truck already. So, this is a social engineering hack, not a "password compromised" hack.

I log in to Amazon's "Manage Your Kindle" page, and sure enough, there's already 'Scott's 2nd Kindle' sitting there, ready to go. Sue looks through their details and says there are a of chats with "Scott" using their Live Chat system.

I want to point out here that I'm talking to a human on the phone here. Sue is SUPER nice, SUPER knowledgeable and immediately I can tell she gets it, so someone give Sue G. She says she's taking it to Fraud and I should hear from them soon. At this point I call Amazon and explain the situation to a human. It's not just Deregistered (disassociated from my account) now, but it's remotely deactivated. However, I still don't want the bad guy to succeed. Sue also mentions that the bad guy asked that the customer representative "not bother to send a follow up email, as I never check my email anyway." The bad guy is consistent in this behavior, always asking to avoid the return emails so I won't see them.