Edit: As I noted at the end of this post, Amazon has denied the story.
Mic reported on Friday that a hacker penetrated Amazon’s servers and made off with over info from over 80,000 accounts.
A hacker declared war on the Baton Rouge Police Department after one of its officers shot and killed Alton Sterling. Just hours after leaking thousands of police records online, the hacker has a new target — Amazon.
The hacker — @0x2Taylor — said in a Twitter direct message that he and a friend “breached a server” owned by Amazon that contained database files with more than 80,000 Kindle users’ information.
“When they first got Kindles and set them up, all their stuff was being logged and put into a database,” @0x2Taylor said. He added that the database includes a user’s email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street. He sent us several emails and passwords in an effort to legitimize the breach.
“If I don’t receive a payment from them the data will be posted online along with an older dump,” he said.
@0x2Taylor is asking for $700 “because the attack was easy” and hopes that this will prompt Amazon to implement better security measures to prevent these types of attacks against their systems.
“Personally I don’t want to leak the data,” he said.
He tweeted a screenshot of the leaked information to Amazon at 9:35 a.m. Eastern. At 10:17 a.m., he said in a direct message, “It’s going up now. They’re ignoring me.”
The hacker posted the data dump on Mega. It’s no longer available, but according to one security researcher who saw it the data this is more of a privacy issue than a security issue. The passwords follow a pattern, which means they were likely assigned by the system and not created by users.
“Given all this data I would have no reason to believe this isn’t valid,” Vice President of Operations at cybersecurity firm Synack Tony Gambacorta told Mic. He added, “On a surface level this seems like this would be legit.”
I’m not terribly concerned, for a couple reasons. For one thing, comments made about the data dump suggest that it’s test data rather than account info:
out of 84k lines, there's 1219 unique first names, with frequency from 46-94. gfj, lrn2stats
— Mark Steward (@marksteward) July 9, 2016
And another techie noted that all of the emails mentioned in the data dump came from just three email providers.
oops.. half those numbers.. forgot each email is listed twice
hotmail 28229 – yahoo 27979 – gmail 27691
— MyChickenNinja (@MyChickenNinja) July 9, 2016
The other reason I’m not concerned is that there’s no evidence that Amazon has informed anyone of an account breach.
No emails have been forwarded to me, nor have I found mentions of them on MobileRead, Amazon’s support forums, or on Kboards.
In the past Amazon has reset user passwords following possible security breaches. Those password resets have made the news back in March, and in November of last year. Amazon has in fact been sending emails to users with news of password resets since 2011, and I have found no evidence that anyone has gotten an email in the past week.
In short, the most likely possibility is that the hacker made off with a set of dummy data which Amazon’s developers were likely using for testing Amazon’s website. That is embarrassing for Amazon, but not a reason for us to panic.
Edit: And it might not even be Amazon’s data. Amazon responded to my queries, telling me that:
We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts.
Edit: NetworkWorld dug into the data, and they don’t think this is real either.
I checked out the data, too, choosing five names at random. Google Maps placed three of the addresses in locations without houses, such as in the middle of the woods or half way between two houses down a country road.
As for phone numbers for those five people, none of the calls connected. Three gave an error message about the “number or code you dialed is incorrect,” one had a weird fast busy signal, and the fifth resulted in “the person you called is unavailable right now.”
All of the email addresses seem to be in a weird format, such as [email protected], [email protected], [email protected] For each of the five names, the corresponding passwords were way too random, too secure, ranging from 8 to 11 capital letters mixed with numbers. Of course, that was testing only five of the reportedly 83,899 individuals included in the data dump.
Brian Wallace, aka @botnet_hunter, is a security researcher and member of the Cylance SPEAR team. He examined the Amazon data and found quite a few problems. Hebelieves “the data does not belong to legitimate users and there is no need for concern to Amazon users.” The data has been generated, Wallace said, but he is not sure if it is “fake data or bot accounts.”
So basically there’s no story here.
It’s a non-story.
But I could be wrong, and right now Amazon has yet to comment on the breach. So if you are concerned then you should reset your password. I have queried Amazon. It it responds, I will update this post.
image by The Preiser Project