Amazon Vendor Breach Leaks Millions Of Employee Records

Amazon confirmed a data breach exposing the email addresses, phone numbers, and building locations of its employees. The breach stemmed from a security incident at one of Amazon’s property management vendors, as reported by 404 Media.

The compromised information was subsequently published on a crime-focused forum, according to Amazon’s statement to 404 Media.

The data leak includes over 2.8 million lines of information, featuring employees’ names, work contact details, and their assigned work locations.

The cybersecurity firm Hudson Rock says that this breach is part of a larger wave of attacks linked to a critical MOVEit vulnerability (CVE-2023-34362) exploited by a user named Nam3L3ss.

The flaw, discovered in mid-2023, allowed hackers to bypass security protocols, resulting in significant corporate data leaks across finance, healthcare, technology, and retail sectors.

Hudson Rock cybersecurity firm flagged the MOVEit incident, linking it to exposed directories from 25 major companies, revealing names, emails, phone numbers, and internal structures—valuable for phishing and identity theft.

In a statement to The Verge, Amazon spokesperson Adam Montgomery explained that the company was “notified about a security event at one of our property management vendors that impacted several of its customers, including Amazon.”

He added, “The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.”

Amazon clarified to 404 Media that the vendor involved only received basic employee contact information, with no access to more sensitive data like Social Security numbers, government IDs, or financial information.

According to Amazon, the vendor has now fixed the security vulnerability responsible for the breach, as reported by 404 Media.

This breach underscores the persistent risks associated with third-party vendor vulnerabilities, highlighting how they can impact large companies like Amazon, even when their core systems, including Amazon Web Services, remain unaffected.