By Nate Hoffelder
We’ve been contacted by a couple of our readers who have, unfortunately, had their Createspace accounts hacked, and we felt this was something you all needed to be aware of. We are pleased to provide this guest post by Nate Hoffelder on the topic. If you have a Createspace account, you will definitely want to read this.
Authors who have an account on Createspace should go change their passwords immediately — and while they’re at it, they should also double check their payment details.
Reports of Hacking
This story has for the most part been ignored by the press, but starting some time in March or April 2018, hackers began to target author accounts on Createspace.
I have read multiple independent reports in several closed Facebook groups, Reddit, and on Kboards dated in April, June, July, August, and as late as the first week of November from authors who say that someone hacked their CS account.
Many of the reports sound like this:
I woke up this morning to read this email:
“This is an automated message confirming that royalty payment information has been updated in your CreateSpace account. If you did not make any changes to this information, please use the Contact Support feature in your account to reach our Customer Service team.”
I thought it was a random email that was a mistake. But it wasn’t. I called Createspace and indeed, someone had hijacked my account and deleted my payment information and substituted their name and direct deposit information. I am due to get paid in about a week, so I am thankful they did not receive any of my payments before I caught it.
I’ve had to change my email, password and update payment info again.
It is not clear at this time how the hackers are gaining access. At least one author said they used a complex and unique password on their Createspace account, and yet they were still hacked. All we know right now is that Createspace accounts are still getting hacked, and for that reason I strongly urge that authors change their password on their Createspace account and double check their payment details.
While it is true that Createspace automatically sends out emails when payment details are changed, you do not want to take the chance that the email they sent you got lost.
Take Action
Go change your password today, and make sure it is both long enough that it’s hard to guess and simple enough that it is easy to remember. XKCD has a comic that explains why.
Amazon was contacted before this post was published, but did not respond.
Nate Hoffelder has been building and running WordPress sites since 2010. He blogs about indie publishing and helps authors connect with readers by customizing websites to suit each author’s voice. You may have heard of his site, The Digital Reader, mentioned on podcasts such as The Creative Penn, Wordslinger, or Sell More Books Show. In his spare time, he fosters dogs for A Forever Home, a local rescue group.
Photo: BigStockPhoto
OMG. What news… It’s really surprising news. Thank you so much.
Book pirates have hijacked PDF files of my books (and many others) and are selling them on line. In my case, the only way they could have gotten these files is from Createspace or KDP.
Neither of them seem very concerned.
Are you sure they actually have the file?
The reason I ask is that most of the time those sites claim to have a PDF but are actually running a phishing scam on their “customers”. The sites are using the appearance of having your ebook as bait so they can get someone’s credit card, which can then be sold online.
I have a different problem: I found my book cover and back-cover copy on a website I’d never heard of, for sale about $1.50 more than the CreateSpace price. How did it get there? The site (jet.com) says they “trust” their sellers and protect them, so won’t give me contact info for the seller and don’t seem to care that this is unethical. I confess, I make so little on that book that I haven’t pushed hard enough to get to the bottom of it, but I think I’ll contact CreateSpace now.
I’m confused. I thought all the payments are now being made through KDP since print books are moved from Create Space.
When I checked my account on CreateSpace, it still had $1.30 in it. I can only hope they’ll pay me later this month.
I think that there’s also people with books still in CreateSpace that haven’t moved them over yet.
This surprised me too, Amber. But I guess Amazon still hasn’t moved everyone over to KDP print, and accounts are still being hacked.
Wow! Thanks for this heads-up.
Welcome!
It didn’t occur to me until I went over there to change the information, but here’s what you can also do while you’re at CreateSpace:
Remove your credit card information. If your books are not there, you won’t be ordering any more books, so why leave the information there? Deleting it is easy.
I went online to a strong random password generator and found a 16-letter combination.
I double-checked the banking information, as you recommended.
Best of all, I downloaded all the reports of payments and sales. I don’t know if I’ll need them, but it did tell me how many of each book they sold and how much I was paid for them. Once they take the site online, it’s gone!
Great advice, Bill!
Quote: It is not clear at this time how the hackers are gaining access. At least one author said they used a complex and unique password on their Createspace account, and yet they were still hacked.
That is disturbing. Most likely, there’s a Createspace insider leaking these passwords or Createspace staff are so ill-trained they fall for social engineering hacks.
“Social engineering is the art of getting people to give you the information you are seeking, rather than breaking into a system to get it. Among the most sought after bits of information is the username and password.”
https://null-byte.wonderhowto.com/how-to/hack-like-pro-ultimate-social-engineering-hack-0150355/
As that article suggests, it is also possible that the person mentioned used that difficult password at multiple sites. That’s why it is a good idea to use apps that make it easier to have a separate password for every website you use.