Amazon has confirmed that attackers exposed data from some of its employees, with the perpetrators stating they intend to push data owners to prioritize user privacy.
What happened
Amazon recently confirmed that some of its employee data was exposed due to a breach in MOVEit Transfer, widely used file transfer software that a ransomware group exploited last year. This hack led to millions of user records being published on a data leak forum, with Amazon reporting nearly 3 million records exposed, including phone numbers, email addresses, and office locations of its employees. Amazon clarified that the breach did not impact its core systems but instead involved one of its property management vendors.
Going deeper
The MOVEit Transfer hack, among the largest breaches last year, affected numerous companies due to a zero-day vulnerability. Major organizations, such as HSBC, UBS, HP, and McDonald’s, also suffered data exposure, with records spanning millions of individuals and revealing potentially sensitive details like email addresses and phone numbers.
While Amazon acknowledged the breach, it stated that only employee work contact information was involved. However, this breach is part of a larger issue: data from previous breaches has been organized and made accessible, lowering the threshold for malicious activity such as social engineering and phishing attacks.
What was said
The hacktivist, operating under the name Nam3L3ss, defended their actions in a manifesto posted on the dark web, claiming to act as a “data security evangelist.” They noted they weren’t affiliated with any ransom groups, portraying their intentions as an attempt to demonstrate poor data security practices.
Cybernews researchers pointed out that while this hack primarily involves old data, the organized presentation allows malicious actors to more easily exploit the information for larger campaigns. They warned that this structure enables attackers to quickly identify and target vulnerabilities within companies.
In the know
Hudson Rock found that companies experienced varying degrees of data exposure, from a few thousand to millions of records. Here’s a breakdown of the affected companies:
- Amazon: 2.86 million records
- MetLife: 585,000
- Cardinal Health: 407,000
- HSBC: 281,000
- Fidelity: 124,000
- U.S. Bank: 114,000
- HP: 104,000
- Canada Post: 70,000
- Delta Airlines: 57,000
- Applied Materials: 53,000
- Leidos: 53,000
- Charles Schwab: 49,000
- 3M: 49,000
- Lenovo: 45,000
- Bristol Myers Squibb: 37,000
- Omnicom Group: 37,000
- TIAA: 24,000
- UBS: 20,000
- Westinghouse: 18,000
- Urban Outfitters: 18,000
- Rush University: 16,000
- British Telecom: 15,000
- Firmenich: 13,000
- City National Bank: 9,000
- McDonald’s: 3,000
The big picture
This breach is a reminder of how even the most security-focused companies can be vulnerable when relying on third parties. For Amazon and others, the incident with MOVEit Transfer points to a hard truth: trust in data handling extends beyond internal systems to every partner and vendor. It shows how a single vulnerability, even outside a company’s walls, can have far-reaching effects, making data exposure more than just a technical issue—it’s a question of trust and resilience in a connected digital world.
FAQs
What is a zero-day vulnerability?
A zero-day vulnerability is a flaw in software or hardware that is unknown to the people responsible for fixing it. Because those responsible have not yet discovered or patched it, hackers can exploit this weakness to gain unauthorized access to systems or data before any fix is available.
What is a phishing attack?
A phishing attack is a type of online scam where attackers pretend to be trustworthy sources—like banks or companies—in emails, messages, or websites to trick people into sharing sensitive information, such as passwords or credit card numbers.
What is social engineering?
Social engineering is a manipulation technique where attackers trick people into giving up confidential information or access. This often involves impersonating someone trustworthy or exploiting human psychology to bypass security measures without hacking directly into systems.