On Monday, e-commerce giant Amazon confirmed that some of its employee data was compromised following a “security event” at one of its third-party property management vendors (via TechCrunch).
Despite the severity of the security incident, the company has assured that its own systems, including those of Amazon Web Services (AWS), remain secure.
It also added that the security breach at the vendor was limited to work-related contact details, like employee work emails, desk phone numbers, and building locations, and that no sensitive information, like Social Security numbers or financial data, was compromised.
“Amazon and AWS systems remain secure, and we have not experienced a security event,” said Adam Montgomery, an Amazon spokesperson, in a statement to TechCrunch.
“We were notified about a security event at one of our property management vendors that impacted several of its customers, including Amazon. The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”
While Amazon didn’t disclose the number of employees affected, it did mention that the security vulnerability responsible for the data breach has since been resolved at the vendor’s end.
Amazon’s confirmation follows a report from cybersecurity vendor Hudson Rock, which spotted the stolen information published on a hacking forum by a threat actor using the alias “Nam3L3ss.”
It said that the stolen information posted on BreachForums, a notorious site in the hacking community, included data from Amazon and 24 other major organizations, including MetLife, HP, HSBC, and Canada Post.
According to Hudson Rock, the threat actor claims to possess over 2.8 million lines of individual Amazon employee contact information, including their full names.
The firm also reported that the threat actor claimed to have leaked less than .001% of the total stolen data, promising more releases in the future.
The cybersecurity firm says the stolen information dates back to May 2023, when a critical zero-day vulnerability in MOVEit, a popular file transfer platform used by many companies, was exploited.
This flaw allowed an unauthenticated attacker to bypass authentication protocols through an SQL injection, potentially gaining unauthorized access to the MOVEit Transfer database and the sensitive data it holds.
The notorious Clop ransomware and extortion gang was claimed to be behind the MOVEit breach, which was the biggest hack of 2023.
For example, the Oregon Department of Transportation in the U.S. had 3.5 million records stolen.
In contrast, the Colorado Department of Health Care Policy and Financing and a U.S. government contractor, Maximus, had 4 million and 11 million records stolen, respectively.