Yesterday, some Amazon customers received an email stating that their names and email addresses have been revealed due to a ‘technical error’. There have been several reports of this on the internet.
What is exposed?
Amazon said that the users need not change their passwords. Only the emails and names of the Amazon customers have been exposed. As per the information shared by Amazon, passwords and payment information like credit cards seem to be unaffected. The worst that could happen is that your email will get a bunch of spam emails.
The company did not reveal further information about the compromise. The number of affected users/email addresses and where this information is available are not known. Amazon told CNBC that the Amazon website and systems were not breached.
In a statement, Amazon said: “We have fixed the issue and informed customers who may have been impacted.”
The exact contents of the emails read:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
What are people saying
What surprised people was that Amazon did not recommend changing the passwords of affected accounts. Also, the email signature had a capital A in the Amazon URL and had “http://” instead of “https://”.
Woke up to this email from Amazon. Cool…thanks for the technical error. “There is no need for you to change your password or take any other action.” Well @AmazonHelp I’m changing my password anyway. #Amazon #AmazonEmail #TechnicalError pic.twitter.com/OAheQ4MPLD
— A.C. Junior (@OfficialMisterC) November 21, 2018
Amazon’s legit been sending out notices saying sorry we exposed your email address. Seems likely related to this https://t.co/21cRB2dHTk… Besides the brevity, what’s giving people pause is they sign the email https://t.co/KDiteRFaeR Why cap the “a” and why no https://? Strange pic.twitter.com/mwty3GmCN1
— briankrebs (@briankrebs) November 21, 2018
Amazon customers also questioned whether the email really came from Amazon, given the discrepancies in the email signature. Here are tweets displaying a chat with Amazon customer care. The responses from Amazon customer care are also vague, and they insist that the exposed information is not available publicly.
— Kevin Wolf (@YaBoyKevinnn) November 21, 2018
— Patty (@notenoughnamez) November 21, 2018
Amazon sellers get customer information
A comment on Hacker News reads: “If you were one of my customers I looked at your house, judged your grass, found you on LinkedIn and Facebook, Instagram, mortgages, mugshots, everything lol. The sellers also get your full name and address even on fulfilled by Amazon.”
This comment might be an exaggeration or come from an over-enthusiastic seller. Other sellers do confirm that the names and addresses are seen but not the emails. The Amazon terms of service also prohibit sellers from contacting customers directly for any purpose other than the order.
Another seller said that they get this to confirm the shipping address.
This is where the EU seems better off, with a GDPR article that says companies need to inform users of data breaches. But even that gives an option, which says: “describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects, approximate number of personal data records concerned”.
So it doesn’t look like Amazon intends to disclose any further information about this incident, and it assures customers that there is no need to worry.
This story appeared first on betanews after several Amazon customers reported it online.
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Prasad Ramesh. Read the original post at: https://hub.packtpub.com/email-and-names-of-amazon-customers-exposed-due-to-technical-error-number-of-affected-users-unknown/