Amazon has admitted that employee data was compromised after a “security event” at a third-party vendor.
In a statement provided to TechCrunch on Monday, Amazon spokesperson Adam Montgomery confirmed that employee information was involved in the data breach.
“Amazon and AWS systems remain secure and there have been no security events. We have been notified of a security event at one of our property management vendors that impacted multiple customers, including Amazon. The only Amazon information involved was employee work contact information (e.g., work email address, desk phone number, building location, etc.),” Montgomery said.
Amazon did not say how many employees were affected by the breach. The company noted that the unnamed third-party vendor did not have access to sensitive data such as Social Security numbers or financial information, and said the vendor had fixed the security vulnerability that caused the data breach.
The confirmation came after a threat actor claimed to have published data stolen from Amazon on the notorious hacking site BreachForums. The individual claims to have over 2.8 million rows of data, which they say was stolen during last year's mass exploitation of MOVEit Transfer.
The threat actor, operating under the alias “Nam3L3ss,” claims to have released data allegedly stolen from 25 major organizations, according to a report by cybersecurity firm Hudson Rock.
“What you've seen so far is less than 0.001% of the data I have,” the attacker claims. “We have 1,000 releases coming up that we've never seen before.”
TechCrunch has reached out to other organizations listed by the threat actor, but has not yet received further responses.
The MOVEit breach, in which attackers exploited a zero-day vulnerability in Progress Software's file transfer software, was the biggest hack of 2023.
The hacks, claimed by the notorious Clop ransomware and extortion gang, impacted more than 1,000 organizations, including the Oregon Department of Transportation (3.5 million records stolen), the Colorado Department of Health Care Policy and Financing (4 million) and Maximus (11 million), a major U.S. government services contractor.