Imagine if a budding identity thief had a free, user-friendly, publicly searchable database that contained the name, location, date of birth, and mother’s maiden name of millions of people. Enter Amazon registries. We already know that Amazon collects plenty of personal information and data that can be arduous for its users to obtain, but the company also readily shares your information for anyone to access when you set up a registry. Because the default visibility settings of registries for weddings, birthdays, new babies, and other occasions are preset to public, Amazon reveals to the world information that financial institutions and other service providers request for identity authentication — and that identity thieves can use to take over your life.

Amazon's registry creation landing page.

Amazon’s registry creation landing page.

Screenshot: The Intercept

Identity Theft Registries

Amazon requires that certain information be provided when setting up a registry. For a wedding registry, Amazon requires the first and last names of both partners, the wedding date, the number of guests attending, and a mailing address. The default share setting is to make the registry searchable not only on Amazon but also via the third-party wedding planning website The Knot. This has led to confusion from Amazon wedding registry users over how The Knot received their registry details. Similarly, when creating a baby registry, Amazon asks for a first and last name, expected due date, whether the baby is the parents’ first child, and a mailing address. The default visibility setting is also set to public and to appear on pregnancy and parenting websites The Bump, What to Expect, and Baby Center.

Anyone can search for a public registry (even without an Amazon account) with just a name or further specifying a date and location. In addition to the list of desired products, wedding registries show the names of both partners, the event location, and the event date. Baby registries return either the name of the upcoming baby or the names of the parents, their city and state, and the expected due date.

At first glance, only wedding registries for weddings happening between 2020 to 2032 and baby registries with due dates between 2020 to 2023 can be searched for. However, there are ways to bypass the date restrictions to access registries from years prior. In the case of multiple results, wedding and baby registries display the top 100 matches, and if no date parameters are entered, search results may contain entries outside the default date ranges. For example, even though Amazon only lets you select dates from 2020 onward, if you don’t specify an exact range when searching a common name, you could get results from, say, 2008.

Perhaps the more critical vulnerability in Amazon’s date range search, however, is that the fields can be modified using the developer tools functionality available in browsers like Chrome and Firefox. A cursory search with modified date fields brought up wedding registries dating as far back as 2004, and baby registries dating back all the way to 2006. So someone could discover the details of a registry set up for a present-day 16-year-old. Who knows how this information could be weaponized in two years, once such a teen becomes a legal adult?

A redacted search result page for baby registries, modified to display results from 2006, despite Amazon's official form only allowing date ranges from 2020 to 2023.

A redacted search result page for baby registries, modified to display results from 2006, despite Amazon’s official form only allowing date ranges from 2020 to 2023.

Screenshot: The Intercept

(Widely) Shared Secrets

Knowledge-based authentication, known as KBA, is a form of identity authentication favored by service providers such as financial institutions that relies on shared secrets: information that is only known to you and your bank, email provider, or other service. For example, if you lose the password to your bank account, you can regain access by entering information that most people likely don’t know about you, like your mother’s maiden name or your date of birth.

Security questions like this have been around for a while. Banks have used mother’s maiden name as a form of identity authentication since at least 1882. But today these so-called secrets are inevitably shared much more broadly than account holders anticipate, resulting in harrowing cases of identities getting stolen with personal details used for authentication.

An early use of 'mother's maiden name' as a form of knowledge-based authentication in Frank Miller's 1882 Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams.

An early use of mother’s maiden name as a form of knowledge-based authentication in Frank Miller’s 1882 book “Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams.”

Screenshot: The Intercept

Using multiple Amazon registries could reveal massive amounts of information not just about living people but even of a baby yet to be born. A wedding registry would show the mother’s maiden name, and a birth registry would list the projected date of birth, location, and either the expected child’s or the parents’ names. Should the baby not be born on their expected due date, there’s always the Amazon birthday gift registry to crosscheck. The location and date of the birth can, in turn, be used to deduce a partial Social Security number.

Using newborns for identity fraud is not a new phenomenon. The practice of adopting a deceased baby’s identity was popularized in Frederick Forsynth’s 1971 novel “The Day of the Jackal,” in which an assassin trawls small parish graveyards to locate a dead child whose identity he could assume in order to apply for a passport in their name.

While the technique of taking over the identity of a dead child is still used today, Amazon’s public baby registries have made it far easier to target those who haven’t been born yet. Identity thieves no longer need to peruse musty county registrar offices for birth certificates when they can just search for registries online.

Privacy Measures

While there are copious other ways to find personal information sprinkled throughout the internet, such as on social media profiles and genealogy websites, your Amazon registry doesn’t need to be another.

Because Amazon registries are public by default, users have to manually toggle the privacy settings either to “shareable,” which makes a registry accessible only via a direct link, or “private,” making it visible only to the creators. Another option to mitigate data exposure is to fudge the expected due date, so Amazon doesn’t display the actual date.

Default privacy settings on Amazon's baby registry creation page. By default, registries can be searched for and are viewable by anyone without even requiring an Amazon account, and are also shared on three third-party sites, The Bump, What to Expect, and BabyCenter.

Default privacy settings on Amazon’s baby registry creation page.

Screenshot: The Intercept

Also take into account that alongside the treasure trove of personal information public registries afford identity thieves, the products themselves pose an additional security risk. Anyone could browse a gift registry to see which products have known vulnerabilities to exploit, such as baby monitors that allow remote access to their video feeds.

Once a registry’s purpose has been served, there’s little reason not to delete it, rather than leave it lingering for 16-odd years, as some users have inadvertently done. While a wedding registry is straightforward to delete, Amazon’s steps for deleting a baby registry are unclear, with step one cryptically instructing to “Go to your .” Perhaps the best preemptive solution is not to use a faulty, privacy-eroding service in the first place.

Amazon's instructions for deleting a baby registry.

Amazon’s instructions for deleting a baby registry.

Screenshot: The Intercept