Amazon warns customers it leaked their names and email addresses

What aren't you telling us Amazon, and why?

This morning I received a number of messages from Amazon customers who had received an email purporting to come from the company. The emails warned that their email addresses and names had been leaked.

The email read as follows:

Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com

Was the email really from Amazon?

Most of the people who forwarded it to me thought the message was suspicious. Why wouldn’t Amazon refer to them by name rather than just saying “Hello”? Why was there a link to the http (rather than https) version of Amazon’s website? How could they possibly issue an advisory like this about a security breach without offering more information about what had happened and over what time period, and where folks could find out more? Why was there no link to some kind of confirmation on Amazon’s own website?

It all seemed very odd. I publicly wondered whether perhaps scammers had made a mistake by forgetting to include a link to a phishing site.

Well, as The Register found out, despite appearances the email did *really* come from Amazon.
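The red flags listed above are eyeball heuristics, and this episode shows their limit: they all fired on a message that was genuine. What actually settles where a message came from is the receiving mail server's own Authentication-Results header, which records whether SPF, DKIM and DMARC checks passed for the domain in the From: line. The script below is an added example, not code from the original post and not anything Amazon or The Register used: it applies the post's heuristics to the quoted text, then reads the Authentication-Results header for a DMARC pass (or an aligned DKIM pass) on the claimed domain. Both sample messages, their headers and the look-alike domain are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples, not captured mail. The body is the text quoted in the
# post; the headers, including the Authentication-Results line a receiving
# server adds, are an assumption for illustration only.
BODY = """\
Hello,

We're contacting you to let you know that our website inadvertently disclosed
your name and email address due to a technical error. The issue has been
fixed. This is not a result of anything you have done, and there is no need
for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com
"""

GENUINE = """\
From: "Amazon.com" <account-update@amazon.com>
To: customer@example.org
Subject: Important information about your account
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=amazon.com;
 dkim=pass header.d=amazon.com header.s=sel1;
 dmarc=pass header.from=amazon.com
Content-Type: text/plain; charset=utf-8

""" + BODY

LOOKALIKE = """\
From: "Amazon.com" <account-update@amaz0n-support.example>
To: customer@example.org
Subject: Important information about your account
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=amaz0n-support.example;
 dkim=none; dmarc=none
Content-Type: text/plain; charset=utf-8

""" + BODY


def _parse(raw):
    return message_from_string(raw, policy=policy.default)


def content_red_flags(raw, domain):
    """The post's eyeball heuristics, applied to the message body.
    Returns human-readable flags; an empty list means none fired."""
    msg = _parse(raw)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    flags = []
    # 1. generic salutation instead of the customer's name
    if lines and re.fullmatch(r"(hello|hi|dear (customer|user)),?", lines[0], re.I):
        flags.append(f"generic greeting: {lines[0]!r}")
    # 2. links to the plain-http rather than https site
    urls = re.findall(r"https?://[^\s<>\"]+", body)
    for url in urls:
        if url.lower().startswith("http://"):
            flags.append(f"plain-http link: {url}")
    # 3. no https link back to a page on the sender's own domain
    own = rf"https://([\w-]+\.)*{re.escape(domain)}(/|$)"
    if not any(re.match(own, u, re.I) for u in urls):
        flags.append(f"no https link to a confirmation page on {domain}")
    return flags


def auth_results(raw):
    """Extract spf/dkim/dmarc verdicts and the domains they were evaluated
    against from the receiving server's Authentication-Results header."""
    msg = _parse(raw)
    hdr = " ".join(str(msg.get("Authentication-Results", "")).split())
    verdicts = {k.lower(): v.lower()
                for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}
    dkim_d = re.search(r"header\.d=([\w.-]+)", hdr, re.I)
    from_d = re.search(r"header\.from=([\w.-]+)", hdr, re.I)
    return {
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
        "dkim_domain": dkim_d.group(1).lower() if dkim_d else None,
        "from_domain": from_d.group(1).lower() if from_d else None,
    }


def is_authenticated_from(raw, domain):
    """True only on a DMARC pass for `domain`, or a DKIM pass whose signing
    domain is `domain` and agrees with the From: address."""
    r = auth_results(raw)
    from_domain = parseaddr(str(_parse(raw).get("From", "")))[1].rpartition("@")[2].lower()
    if r["dmarc"] == "pass" and r["from_domain"] == domain:
        return True
    return r["dkim"] == "pass" and r["dkim_domain"] == domain and from_domain == domain


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("look-alike", LOOKALIKE)):
        print(label, content_red_flags(raw, "amazon.com"),
              "authenticated:", is_authenticated_from(raw, "amazon.com"))
```

Run against the two samples, every content heuristic fires on both messages; only the authentication check separates the genuine one from the look-alike. One caveat: an Authentication-Results header is only worth anything if your own inbound server added it, since a sender can write one into the message too, so trust the instance your server stamps (RFC 8601 tells receivers to strip incoming copies) and ignore any others.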

All Amazon’s PR team is prepared to say, however, is an utterly detail-free repetition of the content of the email:

“We have fixed the issue and informed customers who may have been impacted.”

So we don’t know what happened, we can’t assess how serious it is, and we can’t tell you how many customers are affected or why Amazon sent out such a suspicious-looking email in the first place.

Unsurprisingly, customers aren’t impressed.

What aren’t you telling us Amazon, and why?


6 Responses

  1. Jean

    November 22, 2018 at 1:57 am #

    Sounds like a criminal is working on the inside, if you ask me.

  2. Barry

    November 22, 2018 at 7:13 am #

    Is the ICO aware of this and if so is it something they should be investigating? If they aren’t aware, then Amazon are in double breach of the Data Protection Act by not informing the ICO.

    • Joey L in reply to Barry.

      November 26, 2018 at 9:05 am #

      Sounds like a GDPR breach if two items of PII are leaked.

  3. Peter Austin

    November 22, 2018 at 9:53 am #

    An utter shambles for Amazon PR. The reputational damage is huge, compared to being more open.

    But on the legals, they have done nothing wrong yet:
    (1) Amazon only has to inform data subjects and a regulator if there’s “a high risk to the rights and freedoms of natural persons”.
    (2) Even if Amazon need to inform properly, with more detail so it’s GDPR-compliant, they don’t have to do that yet. The requirements are: without undue delay (to data subjects), or 72 hours plus as much extra time as they can justify taking (to the regulator).
    (3) It would probably be the Irish Regulator not the UK ICO

  4. Jeff

    November 22, 2018 at 7:24 pm #

    Names and emails were exposed. That’s it. This isn’t really a big deal… surely not as big a deal as the tin foil hat author makes it out to be

    • Joey L in reply to Jeff.

      November 26, 2018 at 9:07 am #

      Yes Jeff, a GDPR breach is not a big deal.
      </sarcasm>
      A serious GDPR breach can incur a fine of up to 6% of Amazon’s global group of companies. In 2017, that was US$177.866 billion. Do the maths.
