- Amazon told some customers on Wednesday that their email address and name had been exposed.
- Amazon informed customers in an email that it happened because of a “technical error.”
- The company did not release an estimate of the number of customers affected by the breach.
- One security expert said that Amazon’s email to customers “could be viewed as one of the worst breach notes in history.”
Amazon told some customers on Wednesday that their email address and name had been exposed because of a “technical error.” Beta News was first to report the breach.
Here’s what the email to customers said, according to text shared on Amazon’s seller forums:
We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely, Customer Service
Though Amazon told customers that they would not need to change their passwords, a list of confirmed email addresses does leave customers vulnerable to things like brute-force hacking, in which a hacker tries to enter a user’s account by trying commonly used passwords until successful.
“We have fixed the issue and informed customers who may have been impacted,” a representative for Amazon said in a statement.
The company did not explain how or where the information became visible but said it was not a breach of Amazon’s website or systems.
Some customers who received the email responded with confusion on social media.
“This email is more alarming than it is helpful,” one customer said on Twitter.
Another suggested the leaked emails and names might result in customers appearing on spam lists.
“Not nearly good enough Amazon,” the person tweeted.
— Dwayne (@AbolitionOf) November 21, 2018
Ooookay. Disclosed it when, and to whom? Was other information associated with it, like my name? This email is more alarming than it is helpful. And sent from a "no-reply" address? Based on headers this appears to be a legit email. @amazon pic.twitter.com/sikJvX8lbk
— Adam Meyer (@apmeyer) November 21, 2018
Another @AmazonUK @amazon #dataleak #Amazon
Dismissive email saying we need do nothing ignores the fact that with both our email and names leaked we are likely to be victims of phishing scams and end up on spam lists. Not nearly good enough Amazon. pic.twitter.com/HPVhxFh2uc
— Anthony Cooke (@AntSaysThis) November 21, 2018
Andy Norton, an online security expert at the network security provider Lastline, didn’t mince words when sharing his thoughts on Amazon’s email to customers.
“The Amazon ‘breach’ note that was shared with customers states that the affected users don’t need to take any further action if the names and emails were inadvertently disclosed to unknown parties,” Norton said in an email.
Instead, he said Amazon should have advised customers to be careful when opening email and to be on the lookout for phishing scams.
“Because the cybersecurity and e-commerce industries are undoubtedly on edge ahead of the holiday shopping rush, this could be viewed as one of the worst breach notes in history,” Norton said.
“It is creating confusion and uneasiness, and creating more questions than answers, when it should have done the opposite.”