Amazon has confirmed a significant data breach that has impacted its employees and several other major companies. The breach, which dates back to May 2023, exposed sensitive information, including email addresses, phone numbers, and organizational structures of employees from over 25 companies, including Amazon, HP, Lenovo, Delta Airlines, and HSBC. The stolen data was linked to a vulnerability in MOVEit, a widely used file transfer software. This vulnerability, identified in mid-2023, allowed hackers to exploit a critical flaw in the system, bypassing authentication protocols to access secure data repositories.
The breach was carried out by a hacker known as Nam3L3ss, who leveraged the MOVEit vulnerability (CVE-2023-34362) to infiltrate multiple systems and exfiltrate confidential data. The hacker made the stolen information public, releasing it on a cybercrime forum and alerting others to the scale of the breach. This incident has raised concerns about the security of file transfer systems used by corporations, given the sensitive nature of the data that was exposed.
In response to the breach, Amazon issued a statement through spokesperson Adam Montgomery, clarifying that the breach was related to a third-party vendor’s system, not Amazon’s internal infrastructure. Montgomery emphasized that the breach did not affect sensitive employee data such as social security numbers or financial information. Instead, the compromised data primarily included work-related contact information, such as employee email addresses, desk phone numbers, and building locations. Amazon assured customers that its systems remain secure, despite the security event at one of its property management vendors.
While Amazon and other affected companies have taken steps to mitigate the impact of the breach, the incident highlights the growing threat posed by vulnerabilities in third-party services. Organizations that rely on external vendors for critical services must remain vigilant and ensure robust security protocols are in place to prevent similar breaches in the future. This breach also serves as a reminder for companies to continuously evaluate and update their cybersecurity measures to protect sensitive information and prevent unauthorized access.