A Hacker Claims to Have Leaked 80,000 Amazon Users' Passwords and Personal Information

July 12, 2016, 4:51 p.m.: This story has been updated. 

Amazon claimed in an email that the hack is illegitimate: "We have confirmed that this information did not come from Amazon's servers, and that the accounts in question are not legitimate Amazon customer accounts."

In response to Amazon's claims, hacker @0x2Taylor said in a DM that "the server was owned by Amazon and the funny thing is those logins did work but they quickly disabled all the accounts."

A hacker declared war on the Baton Rouge Police Department after one of its officers shot and killed Alton Sterling. Just hours after leaking thousands of police records online, the hacker has a new target — Amazon. 

The hacker — @0x2Taylor — said in a Twitter direct message that he and a friend "breached a server" owned by Amazon that contained database files with more than 80,000 Kindle users' information. 

"When they first got Kindles and set them up, all their stuff was being logged and put into a database," @0x2Taylor said. He added that the database includes a user's email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street. He sent us several emails and passwords in an effort to legitimize the breach. 

"If I don't receive a payment from them the data will be posted online along with an older dump," he said. 

@0x2Taylor is asking for $700 "because the attack was easy" and hopes that this will prompt Amazon to implement better security measures to prevent these types of attacks against their systems. 

"Personally I don't want to leak the data," he said. 

He tweeted a screenshot of the leaked information to Amazon at 9:35 a.m. Eastern. At 10:17 a.m., he said in a direct message, "It's going up now. They're ignoring me." 

As of 11:09 a.m. Eastern, the database leak has been uploaded to the encrypted cloud storage site MEGA.

"Given all this data I would have no reason to believe this isn't valid," Vice President of Operations at cybersecurity firm Synack Tony Gambacorta said on the phone. He added, "On a surface level this seems like this would be legit." 

Looking through the leaked information, Gambacorta said he was "definitely" able to see phone numbers, street addresses, email addresses, the last time a user logged in (7:33 p.m. on June 5th of this year, meaning this isn't old data), how many times that user tried to log in, how many times he successfully logged in and his login source IP address. 

However, it appears this is more of a privacy issue than a security issue. The passwords all appear to follow the same structure, meaning the passwords in the leak likely aren't the same ones you might use for your LinkedIn or bank account; they are likely passwords auto-assigned by a system, Gambacorta said. But it's still a major data dump, and even if it's not a huge security risk, it's an invasion of privacy and points to vulnerabilities in Amazon's system.

"I wouldn't want to find my name on this list," Gambacorta said. 

Gambacorta said he's seen other people make similar claims in a more "Dr. Evil" style, demanding millions or billions of dollars, but the fact that this hacker just wants a couple hundred bucks indicates he is probably just looking for attention.

This isn't the first time Amazon faced such an issue. In November 2015, the company force-reset some users' passwords, ZDNet reported, emailing them to say it "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party." 