The last 4 digits of your credit card are not really meant to be secret. They're typically printed on every receipt for anything you buy.

Your Apple cloud password, however, is supposed to be secret.




Did you read the full article? Didn't you notice how the attacker got the last 4 digits?

### Amazon actually gave the attacker full control of the Amazon account. ###

All the attacker had to do was simply call Amazon and ask to add a new credit card; the only verification was the billing address. The attacker called back in 5 mins asking to change the email account on file, which required the last 4 digits of the fake card just added. The attacker then did a password reset.

Basically, most people don't realize Amazon had a HUGE GAPING wide hole in their security. Any attacker could steal anyone's Amazon account! These are accounts that have thousands of dollars of affiliate money, AWS servers running major web sites, credit cards on file, etc.

So yes, the fact that Amazon gave the last 4 digits out isn't a big deal, you are right. These numbers are printed on receipts. However, the fact that they gave the whole account away is a big deal.


Apparently this should be easy to fix

Your CC can only be used for validation if you made a purchase with it.


At the very least, the system needs to raise big red flags if a CC added very recently is used for validation. A system I built a few years back would alert customer service if any of the validating data was less than a month old, and would let them use it if it was less than a week old. (So yeah, if you forgot your password in the week after you changed address, you were locked out for a week. That was a business risk deemed "acceptable" by the client.)
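The two mitigations proposed in the comments above (a card counts for verification only if it has been used for a completed purchase, and verification data is flagged when under a month old and refused when under a week old, per the lockout remark) can be expressed as one small policy check. The following is an added illustration, not code from the thread, from Amazon, or from the commenter's system; the factor names, the 7-day and 30-day thresholds, and the replayed scenario are assumptions chosen to match the attack described in the thread.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed thresholds, following the comment above: under a week is refused
# outright, under a month still works but alerts customer service.
WEEK = timedelta(days=7)
MONTH = timedelta(days=30)

# Factors that should only prove identity once a real purchase went through
# with them (the "only if you made a purchase with it" rule).
PURCHASE_BOUND = {"card_last4"}


@dataclass
class Factor:
    """One piece of account data a caller may present to prove ownership."""
    name: str                  # e.g. "card_last4", "billing_address"
    value: str
    added_at: datetime
    used_in_completed_purchase: bool = False


@dataclass
class Account:
    email: str
    factors: list[Factor] = field(default_factory=list)
    log: list[str] = field(default_factory=list)  # what customer service would see

    def add_factor(self, name: str, value: str, when: datetime,
                   used_in_completed_purchase: bool = False) -> None:
        self.factors.append(Factor(name, value, when, used_in_completed_purchase))


def evaluate_factor(factor: Factor, now: datetime) -> tuple[str, str]:
    """Return (decision, reason) for using this stored factor as identity proof."""
    age = now - factor.added_at
    if factor.name in PURCHASE_BOUND and not factor.used_in_completed_purchase:
        return "deny", f"{factor.name} has never been used for a completed purchase"
    if age < WEEK:
        return "deny", f"{factor.name} was added {age.days}d ago (< 7d)"
    if age < MONTH:
        return "alert", f"{factor.name} was added {age.days}d ago (< 30d); flag for review"
    return "allow", f"{factor.name} is {age.days}d old"


def verify(account: Account, presented: dict[str, str], now: datetime) -> str:
    """Decide whether the presented factors authorize a sensitive change.

    Every presented factor must match a stored value; the weakest per-factor
    decision wins (deny > alert > allow). 'alert' still succeeds but is logged.
    """
    rank = {"allow": 0, "alert": 1, "deny": 2}
    worst = "allow"
    for name, value in presented.items():
        match = next((f for f in account.factors
                      if f.name == name and f.value == value), None)
        if match is None:
            account.log.append(f"DENY: {name} did not match any stored value")
            return "deny"
        decision, reason = evaluate_factor(match, now)
        account.log.append(f"{decision.upper()}: {reason}")
        if rank[decision] > rank[worst]:
            worst = decision
    return worst


def scenarios() -> dict[str, str]:
    """Constructed replay of the thread's attack plus two legitimate cases."""
    t0 = datetime(2012, 8, 6, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account(email="victim@example.com")
    # Long-standing data the real owner has bought things with.
    acct.add_factor("billing_address", "1 Main St", t0 - timedelta(days=400), True)
    acct.add_factor("card_last4", "1234", t0 - timedelta(days=400), True)
    # Owner's card added 10 days ago and already used for a purchase.
    acct.add_factor("card_last4", "5678", t0 - timedelta(days=10), True)
    # Step 1 of the attack: attacker phones in and adds a card (no purchase).
    acct.add_factor("card_last4", "9999", t0)
    later = t0 + timedelta(minutes=5)
    return {
        # Step 2: five minutes later the attacker presents the fresh card.
        "attacker_fresh_card": verify(acct, {"card_last4": "9999"}, later),
        # Owner with the 400-day-old card passes cleanly.
        "owner_old_card": verify(acct, {"card_last4": "1234"}, later),
        # Owner with the 10-day-old card succeeds, but customer service is alerted.
        "owner_recent_card": verify(acct, {"card_last4": "5678"}, later),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

The attacker's freshly added card fails on both rules (never purchased with, and under a week old), so the email change that enabled the password reset in the thread is refused, while the owner's long-standing card still works and a card added ten days ago goes through with a customer-service alert.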


Anyone running anything remotely serious on AWS should have 2 factor auth enabled I hope



