Amazon has confirmed that attackers exposed data from some of its employees, with the perpetrators stating they intend to push data owners to prioritize user privacy.
Amazon recently confirmed that some of its employee data was exposed due to a breach in MOVEit Transfer, a widely used file transfer software exploited last year by a ransomware group. This hack led to millions of user records being published on a data leak forum, with Amazon reporting nearly 3 million records exposed, including phone numbers, email addresses, and office locations of its employees. Amazon clarified that the breach did not impact its core systems but instead involved one of its property management vendors.
The MOVEit Transfer hack, among the largest breaches last year, affected numerous companies due to a zero-day vulnerability. Major organizations, such as HSBC, UBS, HP, and McDonald’s, also suffered data exposure, with records spanning millions of individuals and revealing potentially sensitive details like email addresses and phone numbers.
While Amazon acknowledged the breach, they stated only employee work contact information was involved. However, this breach is part of a larger issue where past data from previous breaches has been organized and made accessible, lowering the threshold for potential malicious activity, such as social engineering and phishing attacks.
The hacktivist, operating under the name Nam3L3ss, defended their actions in a manifesto posted on the dark web, claiming to act as a “data security evangelist.” They noted they weren’t affiliated with any ransom groups, portraying their intentions as an attempt to prove poor data security practices.
Cybernews researchers pointed out that while this hack primarily involves old data, the organized presentation allows malicious actors to more easily exploit the information for larger campaigns. They warned that this structure enables attackers to quickly identify and target vulnerabilities within companies.
Hudson Rock found that companies experienced varying degrees of data exposure, from a few thousand to millions of records. Here’s a breakdown of the affected companies:
This breach is a reminder of how even the most security-focused companies can be vulnerable when relying on third parties. For Amazon and others, the incident with MOVEit Transfer points to a hard truth: trust in data handling extends beyond internal systems to every partner and vendor. It shows how a single vulnerability, even outside a company’s walls, can have far-reaching effects, making data exposure more than just a technical issue—it’s a question of trust and resilience in a connected digital world.
A zero-day vulnerability is a flaw in software or hardware that is unknown to the people responsible for fixing it. Because it has not yet been discovered or patched, hackers can exploit this weakness to gain unauthorized access to systems or data before any fix is available.
A phishing attack is a type of online scam where attackers pretend to be trustworthy sources—like banks or companies—in emails, messages, or websites to trick people into sharing sensitive information, such as passwords or credit card numbers.
Social engineering is a manipulation technique where attackers trick people into giving up confidential information or access. This often involves impersonating someone trustworthy or exploiting human psychology to bypass security measures without hacking directly into systems.