Amazon Confirms Employee Data Breach After MOVEit Hack

Amazon has verified that employee data was compromised due to a “security event” at a third-party vendor

Adam Montgomery, an Amazon spokesperson, verified to TechCrunch on Monday that employee information had been compromised in a data breach.

“We have not encountered a security event, and the systems of Amazon and AWS are secure.” A security incident at one of our property management vendors, which affected numerous customers, including Amazon, was reported to us. Montgomery stated that the sole Amazon information was employee work contact information, such as cubicle phone numbers, email addresses, and building locations.

Amazon did not disclose the number of personnel affected by the breach. It was noted that the unnamed third-party vendor cannot access sensitive data, such as financial information or Social Security numbers. The vendor also stated that it had resolved the security vulnerability responsible for the data compromise.

The substantiation results from a threat actor’s assertion that data stolen from Amazon was published on the infamous hacking site BreachForums. The individual asserts that they possess over 2.8 million lines of data, which they allege were stolen during the mass exploitation of MOVEit Transfer last year.

Hudson Rock, a cybersecurity firm, reports that the threat actor, who goes by the alias “Nam3L3ss,” has claimed to have published data purportedly stolen from 25 significant organizations.

The threat actor stated, “The data you have viewed thus far is less than 001% of the data I possess.” “I have 1,000 releases that have never been seen before.”

The threat actor has provided TechCrunch with contact information for the other organizations listed; however, it has not yet received any additional responses.

The most significant cyberattack of 2023 was the MOVEit breach, which occurred when attackers exploited a zero-day vulnerability in Progress Software’s file-transfer software.

The Oregon Department of Transportation (3.5 million records stolen), the Colorado Department of Health Care Policy and Financing (four million), and U.S. government services contracting giant Maximus (11 million) were among the over 1,000 organizations that were affected by these hacks, which were claimed by the infamous Clop ransomware and extortion gang.