A Hacker Claims to Have Leaked 80,000 Amazon Users' Passwords and Personal Information

Source: AP

July 12, 2016, 4:51 p.m.: This story has been updated. 

Amazon claimed in an email that the hack is illegitimate: "We have confirmed that this information did not come from Amazon's servers, and that the accounts in question are not legitimate Amazon customer accounts."

In response to Amazon's claims, hacker @0x2Taylor said in a DM that "the server was owned by Amazon and the funny thing is those logins did work but they quickly disabled all the accounts."

A hacker declared war on the Baton Rouge Police Department after one of its officers shot and killed Alton Sterling. Just hours after leaking thousands of police records online, the hacker has a new target — Amazon. 

The hacker — @0x2Taylor — said in a Twitter direct message that he and a friend "breached a server" owned by Amazon that contained database files with more than 80,000 Kindle users' information. 

"When they first got Kindles and set them up, all their stuff was being logged and put into a database," @0x2Taylor said. He added that the database includes a user's email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street. He sent us several emails and passwords in an effort to legitimize the breach. 

"If I don't receive a payment from them the data will be posted online along with an older dump," he said. 

@0x2Taylor is asking for $700 "because the attack was easy" and hopes that this will prompt Amazon to implement better security measures to prevent these types of attacks against their systems. 

"Personally I don't want to leak the data," he said. 

He tweeted a screenshot of the leaked information to Amazon at 9:35 a.m. Eastern. At 10:17 a.m., he said in a direct message, "It's going up now. They're ignoring me." 

As of 11:09 a.m. Eastern, the database leak has been uploaded to encrypted cloud storage site MEGA.

"Given all this data I would have no reason to believe this isn't valid," Tony Gambacorta, vice president of operations at cybersecurity firm Synack, said on the phone. He added, "On a surface level this seems like this would be legit."

Looking through the leaked information, Gambacorta said he was "definitely" able to see phone numbers, street addresses, email addresses, the last time a user logged in (7:33 p.m. on June 5th of this year, meaning this isn't old data), how many times that user tried to log in, how many times he successfully logged in and his login source IP address. 

However, it appears this is more of a privacy issue than a security issue. The passwords all appear to follow the same structure, meaning the passwords in the leak likely aren't the same ones you might use for your LinkedIn or bank account; they are likely passwords auto-assigned by a system, Gambacorta said. But it's still a major data dump, and even if it's not a huge security risk, it's an invasion of privacy and points to vulnerabilities in Amazon's system.

"I wouldn't want to find my name on this list," Gambacorta said. 

Gambacorta said he's seen other people make similar claims in a more "Dr. Evil" style, demanding millions or billions of dollars, but the fact that this hacker just wants a couple hundred bucks indicates he is probably just looking for attention.

This isn't the first time Amazon faced such an issue. In November 2015, the company force-reset some users' passwords, ZDNet reported, emailing them to say it "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party." 

Melanie Ehrenkranz

Melanie is a writer covering technology and the future. She can be reached at melanie@mic.com.
