Data leak: Amazon customer data were leaked (Oct. 2020)

There has been a data leak incident at Amazon. Amazon employees have passed customer data, including their e-mail addresses, to third parties. The employees were fired and the affected customers were informed. I came across the issue in two places at once – here is some information.

A short note in case you receive a notification from Amazon that the email address used for the customer account is being misused: this is probably not a phishing attempt; the message has been sent by Amazon.

Is it phishing?

I just came across the following information on Facebook. A German user has received a notification from amazon.de, which is quite strange. The recipient was informed about a data leak. In English, the text reads:

We are writing to let you know that your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement criminal prosecution.

No other information related to your account was shared. This is not a result of anything you have done and there is no need for you to take any action. We apologize for this incident.

(Amazon notification about data breach)

The message ended with an apology from Amazon. There was a lot of speculation on the Facebook thread about whether the notification was a 'phishing attempt'. But the original poster wrote that, according to the headers, the mail actually came from Amazon. The recipient's address also fits, and the link in the signature is correct and redirects to Amazon's page. So this message was mysterious, but has Amazon as its origin.

Notes: The plain text source of such a mail (German edition) may be found within my German blog post. An appropriate way to check whether the mail is from Amazon is to log in to the Amazon account. The same notification should be there.
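The three checks the original poster describes (mail headers, recipient address, link target) can be scripted against the raw source of a message. The following Python code is an added example, not part of the original post or the Facebook thread; the sample message, the server name mx.example.net and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not the real Amazon mail. mx.example.net stands for the
# reader's own receiving mail server (hypothetical name).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces.amazon.de;
 dkim=pass header.d=amazon.de; dmarc=pass header.from=amazon.de
From: "Amazon.de" <no-reply@amazon.de>
To: customer@example.org
Subject: Important information about your account
Content-Type: text/plain; charset=utf-8

We are writing to let you know ...
https://www.amazon.de/
"""

def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_mail(raw, my_address, trusted_authserv):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    seen = {}
    # Trust only Authentication-Results stamped by our own receiving server;
    # a sender can include forged copies that name any other server.
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            seen.setdefault(method, verdict)
        m = re.search(r"header\.from=([\w.-]+)", rest)
        seen["aligned"] = bool(m) and under(from_domain, m.group(1))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'https?://[^\s<>"]+', body)]
    return {
        "dmarc_pass": seen.get("dmarc") == "pass" and seen.get("aligned", False),
        "dkim_pass": seen.get("dkim") == "pass",
        "recipient_ok": parseaddr(str(msg["To"]))[1].lower() == my_address.lower(),
        "links_ok": all(under(h, from_domain) for h in hosts),
    }

if __name__ == "__main__":
    print(check_mail(SAMPLE, "customer@example.org", "mx.example.net"))
```

A passing result only says the mail was authenticated for the domain in its From header; whether that domain is really the company's still has to be judged by the reader, which is why logging in to the account remains the stronger check.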

An insider job at Amazon

A minute ago I read this post from the colleagues at Bleeping Computer. Amazon recently fired employees who were responsible for passing on customer data, including email addresses that were known to Amazon, to third parties. This is a clear violation of company policy, Amazon says. After the incident, the company sent an e-mail notification to affected customers. However, this notification seems to have confused many Amazon customers. Tweets (here and here) from Amazon customers show the confusion.

In the meantime it is clear that several Amazon employees were fired and more than one customer was affected. Motherboard has published this article on the subject and writes that there was a similar case at the subsidiary Ring in January 2020. Amazon itself is keeping a low profile about the incident and does not answer any questions – the above notification, which was sent to German-speaking and at least English-speaking customers, is the only information. If European customers are affected, this is definitely a GDPR matter.
