Limited Employee Work Contact Information Exposed; Amazon Systems Remain Unaffected
Amazon has confirmed that a security breach at one of its third-party vendors led to the compromise of some employee data. The e-commerce giant assured that its own systems, including Amazon and Amazon Web Services (AWS), remain secure and unaffected by the incident.
In a statement issued to TechCrunch on Monday, Amazon spokesperson Adam Montgomery explained, “Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.”
While Amazon did not disclose the number of employees affected, it emphasized that sensitive data such as Social Security numbers or financial details were not involved, as the unnamed vendor did not have access to such information. The company further stated that the vulnerability leading to the breach has since been addressed by the vendor.
The announcement follows claims by a threat actor on BreachForums, a notorious hacking platform, who alleged they had published data stolen from Amazon as part of a larger trove involving over 2.8 million lines of data. The individual, known as “Nam3L3ss,” claims to have exfiltrated data from 25 major organizations, as reported by cybersecurity firm Hudson Rock.
“What you have seen so far is less than .001% of the data I have,” the threat actor stated on the forum, boasting of “1,000 releases coming never seen before.”
The breach is reportedly connected to the MOVEit Transfer exploit, a major security incident in 2023. Attackers took advantage of a zero-day vulnerability in Progress Software’s MOVEit Transfer tool, affecting over 1,000 organizations worldwide. Among those targeted were the Oregon Department of Transportation (3.5 million records), the Colorado Department of Health Care Policy and Financing (four million records), and U.S. government contractor Maximus (11 million records). The attacks were linked to the Clop ransomware and extortion group.
Comments are closed.