Amazon warns customers it leaked their names and email addresses

What aren’t you telling us Amazon, and why?

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Amazon warns customers it leaked their names and email addresses

This morning I received a number of messages from Amazon customers who had received an email purporting to come from the company. The emails warned that their email addresses and names had been leaked.

The email read as follows:

Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com

Was the email really from Amazon?

Most of the people who forwarded it to me thought the message was suspicious. Why wouldn’t Amazon refer to them by name rather than just saying “Hello”? Why was there a link to the http (rather than https) version of Amazon’s website? How could they possibly issue an advisory like this about a security breach without offering more information about what had happened and over what time period, and where folks could find out more? Why was there no link to some kind of confirmation on Amazon’s own website?

It all seemed very odd. I publicly wondered whether perhaps scammers had made a mistake by forgetting to include a link to a phishing site.

Sign up to our free newsletter.
Security news, advice, and tips.

Well, as The Register found out, despite appearances the email did *really* come from Amazon.

All Amazon’s PR team is prepared to say, however, is an utterly detail-free repetition of the content of the email:

“We have fixed the issue and informed customers who may have been impacted.”

So we don’t know what happened, we can’t assess how serious it is, we can’t tell you how many customers are affected, or why Amazon sent out such a suspicious-looking email in the first place.

Unsuprisingly, customers aren’t impressed.

What aren’t you telling us Amazon, and why?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

6 comments on “Amazon warns customers it leaked their names and email addresses”

  1. Jean

    Sounds like a criminal is working on the inside, if you ask me.

  2. Barry

    Is the ICO aware of this and if so is it something they should be investigating? If they aren't aware, then Amazon are in double breach of the Data Protection Act by not informing the ICO.

    1. Joey L · in reply to Barry

      Sounds like a GDPR breach if two items of PII are leaked.

  3. Peter Austin

    An utter shambles for Amazon PR. The reputational damage is huge, compared to being more open.

    But on the legals, they have done nothing wrong yet:
    (1) Amazon only has to inform data subjects and a regulator if there's "a high risk to the rights and freedoms of natural persons".
    (2) Even if Amazon need to inform properly, with more detail so it's GDPR-compliant, they don't have to do that yet. The requirements are: without undue delay (to data subjects), or 72 hours plus as much extra time as they can justify taking (to the regulator).
    (3) It would probably be the Irish Regulator not the UK ICO

  4. Jeff

    Names and emails were exposed. That's it. This isn't really a big deal… surely not as big a deal the tin foil hat author makes it out to be

    1. Joey L · in reply to Jeff

      Yes Jeff, a GDPR breach is not a big deal.
      </sarcasm>
      A serious GDPR breach can incur a fine of up to 6% of Amazon's global group of companies. In 2017, that was US$177.866 billion. Do the maths.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.