Amazon has confirmed that a “security event” involving a third-party vendor led to the exposure of employee data.
In a statement provided to TechCrunch on Monday, Amazon spokesperson Adam Montgomery confirmed the breach, noting that employee information had been compromised. “Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security incident involving one of our property management vendors that affected several customers, including Amazon. The data that was compromised consisted solely of employee work contact information, such as work email addresses, desk phone numbers, and building locations,” Montgomery explained.
Amazon did not disclose how many employees were affected by the breach. The company clarified that the third-party vendor in question did not have access to sensitive data like Social Security numbers or financial information and confirmed that the vendor has since addressed the security vulnerability responsible for the breach.
This confirmation follows reports that a threat actor claimed to have published data stolen from Amazon on the hacking site BreachForums. The individual, operating under the alias “Nam3L3ss,” claims to have access to more than 2.8 million lines of data, allegedly sourced from last year’s mass exploitation of MOVEit Transfer.
Hudson Rock, a cybersecurity firm, reports that the threat actor has claimed to have published data stolen from 25 major organizations. “What you have seen so far is less than .001% of the data I have,” the threat actor reportedly stated, adding that they plan to release 1,000 more never-before-seen data dumps.
TechCrunch has reached out to the other organizations listed by the threat actor but has yet to receive additional responses.
The MOVEit breach, attributed to attackers exploiting a zero-day vulnerability in Progress Software’s file-transfer software, was one of the largest hacks of 2023. The breach, linked to the notorious Clop ransomware and extortion group, impacted over 1,000 organizations. High-profile incidents included the Oregon Department of Transportation (3.5 million records stolen), the Colorado Department of Health Care Policy and Financing (4 million), and U.S. government services contractor Maximus (11 million).