I’m not requesting them, nor is my wife. I just checked and the only way to get them generated is if you login w/ your known password and have 2FA turned on. Requesting a new/forgotten password generates an email, not a OTP. So this is someone trying to log in w/ my actual account password and triggering a OTP to my phone.
My passwords are complex. As they should be. And I change them from time to time. As I think through where this specific, complex password is stored. I can think of only these:
Prime Videos - Roku (my wife and I use)
My iPhone (only I use)
my Mac (only I use)- saved password w/ my browser.
Home Assistant Alexa Integration - which I just had to reauthorize a few days ago.
I’m NOT pointing fingers at anyone or anything. I’m just posting this bc something strange is going on and I’m wondering if anyone else is seeing the same thing? OTP’s are great, and thankfully a decent line of defense in cases like this.
I’m seeing a general rise of cred stuffing attacks in general due to the number of major cred breaches last year. Chances are this cred made it in one of those. I wouldn’t look at anything nefarious on your config.
If you’re seeing that change the password immediately. (I assume you already have because you’re conscious of these things… or because Amazon change it one more time to something stupid hard put it in your password manager and go to passkey auth)
Oh yeah, passwords updated, of course. But Amazon credentials? Unless Amazon (or one of the other services I use) was hacked and we haven’t heard about it yet… not out of the realm of possibilities… lets see if anyone else has seen this before I jump to any conclusions.
I’ve noticed the same thing in the last few days and was about to post about it in the Alexa Media Player thread (and I likely still will) since that’s the only thing in HA that uses my Amazon OTP login.
it only happens right after I restart HA. Or at least that’s the only time I’ve noticed it. I think I’ve had it happen three times so far as well.
But my AMP integration is working fine without any intervention on my part.
I got the same - Amazon OTP passwords. Thought I was hacked changed the password > rebooted HA > works for hours and issue reappears. My Alexa player integration stopped working after few hours and I have configure. Reboot fixes it temporarily. Any fix?
I have the same problem. At first I thought I had been hacked and changed my already very secure password and made it more secure. Then I also thought about Home Assistant and restarted the integration just for fun. After the restart, a new OTP code was always sent by SMS, albeit with a slight delay.
Same here in Italy… Many OTP SMS since two weeks. Amazon stuff sends me an email in which they tell me there is nothing wrong in my account and no risk about security.
I changed my amazon password and since that (few hours) i see no SMS.
Hope it will be fixed asap!
AMP is a custom integration, not maintained by the HA team. The contributors to the AMP integration struggle to keep it running as best they can, but they really struggle hard. So report the problem to them, but don’t be harsh on them. They are volunteers, if they are hammered by requests they might stop. If they do, the integration will stop working in a matter of weeks, not months.
I’m getting the SMS every time I restart the Home Assistant or it gets an upgrade. I believe is the Amazon Media Player integration. At first I thought I was hacked too
So, 10 folks have now reported seeing this phenomenon, but I’m not convinced this is related in any way to AMP or HA. Do a search on “random Amazon OTP text messages” and you’ll find this is a somewhat common scam. I think we’re all now part of the scam. One of the solutions mentioned is ti use an “authentication app”.
I despise Google so I’m not using their app. There has to be alternatives.
I am also experiencing this. At first I could not understand why I was getting the texts at exact times like 9AM or 10PM. The I realized I had automations at thos times. I noticed that I get an OTP request when an automation using Alexa media player is run. I do have Nabu Casa. I am running 2025.2.5 of the core.
@jmdefino you gave me an idea…
Ok, I can actually reproduce this. I have some routines set up in the Alexa app. Things I can’t get HA to do like playing a radio station on Pandora at a certain time.
I just manually ran this routine and sure enough, it generated a OTP. It only did it once, so there may be a timeout involved, but this would appear to be an Amazon bug, not a HA or AMP bug.
I couldn’t reproduce it with my automations that use AMP after the first trigger of the OTP, but it’s possible it will. I’ll try later today.
