Amazon (non-AWS) is infamous for being vulnerable to social engineering attacks. I don't know if they've changed their polices more recently but they are (or were) often the first attack vector for social engineering. If you can get access to an Amazon account you can get the last 4 digits of the user's credit card number(s). You can then use that info to reset accounts over the phone with other companies.