Amazon Confirms Data Breach Affecting the Data of 2.8 Million of Its Employees
Key Takeaways
- Amazon was recently hit by a data breach that compromised the personal details of 2.8 million employees.
- The main vulnerability lies in a file transfer software called MOVEit. Amazon’s property service management vendor used this software for its internal operations.
- So when the hacker group, identified as Nam3L3ss, struck and stole the data of 25 organizations, Amazon became one of the victims.
Amazon has confirmed a data breach that compromised the data of 2.8 million of its employees. Stolen data includes names, addresses, work phone numbers, email IDs, and building locations of affected employees.
So far, it looks like sensitive information such as financial information, government IDs and Social Security numbers is safe.
The company’s core systems are also fine. The breach took place through a third-party vendor that’s responsible for managing its property details. The vendor has not been named.
Amazon also refused to comment on exactly how many employees’ information has been compromised. However, we managed to find the exact number through screenshots that were allegedly published by the hacker.
Speaking of the hacker, a group called Nam3L3ss has claimed responsibility for the attack. It posted about its successful campaign on BreachForums, where it claimed to have stolen over 250TB worth of data.
It also said that the data it has published is only 0.001% of its total stock, which apparently consists of information taken from over 1,000 breaches. In the end, it also warned the companies to keep an eye out for posts about the leaks, indicating that it might have very sensitive details in its hands.
More About the Breach
The breach was first noticed by cybersecurity firm Hudson Rock. In its report, it revealed that the main cause of the breach was a file transfer software called MOVEit.
The unnamed vendor used this software for its internal operations, not knowing that it had a major security vulnerability.
The vulnerability, which is being tracked as CVE-2023-34362, is a critical SQL injection flaw that allowed the hacker group to break into the software’s vulnerable system and extract information.
By the end of the process, the group had managed to steal the data of at least 25 organizations (including Amazon) and 2.8 million lines of data.
This isn’t the first time that the MOVEit breach has affected an organization. The latest hit is part of a much larger chain of attacks that started in May last year and has affected many other renowned organizations such as Lenovo, HP, Delta Airlines, and HSBC.
Progress Software, the company that owns MOVEit, has also commented on the issue and said that this is not a new flaw. Instead, it’s an extension of the zero-day vulnerability that was discovered last year.
Last year, the vulnerability was exploited by a group called the Cl0p ransomware gang. Researchers are yet to find out whether Nam3L3ss conducted an independent attack or simply bought the already stolen data from Cl0p or its associates.
Regardless of whether this is a new vulnerability or not, it’s a major security concern. The good news is that, as per reports, the unnamed vendor has already resolved the security issue.