This morning I received a number of messages from Amazon customers who had received an email purporting to come from the company. The emails warned that their email addresses and names had been leaked.
The email read as follows:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Was the email really from Amazon?
Most of the people who forwarded it to me thought the message was suspicious. Why wouldn’t Amazon refer to them by name rather than just saying “Hello”? Why was there a link to the http (rather than https) version of Amazon’s website? How could they possibly issue an advisory like this about a security breach without offering more information about what had happened and over what time period, and where folks could find out more? Why was there no link to some kind of confirmation on Amazon’s own website?
It all seemed very odd. I publicly wondered whether perhaps scammers had made a mistake by forgetting to include a link to a phishing site.
Well, as The Register found out, despite appearances the email did *really* come from Amazon.
All Amazon’s PR team is prepared to say, however, is an utterly detail-free repetition of the content of the email:
“We have fixed the issue and informed customers who may have been impacted.”
So we don’t know what happened, we can’t assess how serious it is, we can’t tell you how many customers are affected, or why Amazon sent out such a suspicious-looking email in the first place.
Unsuprisingly, customers aren’t impressed.
I received the same email from @amazon. It contained zero details and pathetic assurances. I am a loyal prime customer and want answers. So far their response is underwhelming. #amazon #databreach https://t.co/34IulsJk98
— April Sharp (@SharpApril) November 21, 2018
What aren’t you telling us Amazon, and why?