Update, Nov. 13, 2024: This story, originally published Nov. 12, added comments from security professionals as well addressing comments from Amazon customers who insist that their personal details were compromised during the MOVEit cyber attack in 2023.
Amazon has confirmed that some data was breached during the spate of MOVEit software exploits that started during May 2023. The MOVEit cyber attacks hit several large organizations, including the BBC, British Airways, Shell and several government agencies, as hackers targeted a critical SQL injection vulnerability, CVE-2023-34362, in the software. But as the news breaks, more than a year on, that Amazon data was breached, customers now want to know if their accounts are safe and whether they should change their passwords.
Amazon Has Not Experienced A Security Event, A Spokesperson Said
A statement released by Amazon spokesperson Adam Montgomery on Nov. 11 has clarified the nature of the data breach and denied that Amazon or Amazon Web Services had “experienced a security incident.” The MOVEit exploit impacted an unnamed third-party property management vendor that includes Amazon as one of its customers. “We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” the Amazon spokesperson, Adam Montgomery, said.
The good news is that there would appear to be no impact upon customer accounts or credentials. “The only Amazon information involved was employee work contact information,” Montgomery said, “for example, work email addresses, desk phone numbers, and building locations.”
What Do Security Professionals Say About The News That Hackers Have Accessed Amazon Employee Data?
Forbes contributor Lars Daniel said the breach was carried out by a threat actor going by the name of Nam3L3ss — oh, the irony. They recently posted data from 25 organizations, including Amazon, and warned there is an archive in excess of 250TB that includes “entire databases from exposed web sources including mysql, postgres, SQL Server databases and backups, azure databases and backups etc.”
While it is, obviously, good news that Amazon customer data was not impacted by the MOVEit breach, the bad news is that third-party supplier security continues to be in the hacker crosshairs. “This update to an older vulnerability exploit reinforces how third-party software remains one of the largest and least manageable cybersecurity risks organizations face,” Joe Silva, CEO at cybersecurity vendor Spektion, said, “including large and technically sophisticated enterprises.”
While the MOVEit attacks from last year haven’t had anywhere near the same media coverage this year, it’s old news to a large degree, this latest update shows that attackers are continuing to monetize the compromised data. “Nam3L3ss is not thought to be a part of the initial MOVEit attack,” Kevin Robertson, chief operating officer at Acumen Cyber, said, “but some of its data has landed in their hands, which provides evidence of how stolen data markets across the dark web.” The Amazon update also serves as a timely reminder, Robertson said, “for organizations to prioritise their supply chain resilience, because once data is stolen and ends up on the dark web, it rarely goes away.”
There are many lessons to be learned from both the original MOVEit compromise of an Amazon third-party contractor and the fallout that has continued in the many months that followed. “One of the main lessons is that any place where your data resides is a place that data can be compromised,” Roger Grimes, data-driven defense evangelist at KnowBe4, said. “Every vendor relationship that either has access to your network and data or who you send data to, for whatever reason, is a new place for a potential compromise.”
Some Amazon Customers Are Convinced That Their Data Was Compromised And Used Fraudulently Following The MOVEit Cyber Attack
Since the publication of this news story, I have been contacted by numerous Amazon customers across various methods of communication but with one thing in common: they insist that their accounts were hacked during the MOVEit attack in 2023. The problem here is that an article such as this one stars up memories of events past and, without wishing to patronize anyone who has found themselves victim to an account compromise, made connections that simply aren’t there. I apologize for not replying to all of you individually, that would simply have taken too much time, but if you are reading this be assured that just because your account was compromised around Black Friday or Cyber Monday week, or earlier in 2023, does not mean that MOVEit hackers were to blame. Another common thread connecting those who contacted me was that phrase “I clicked on the link which took me straight to my Amazon account.” This is, I’m afraid, the giveaway that these were opportunist phishing attacks taking advantage of interest in the Black Friday sales, and nothing more.
Therefore, the advice that Amazon customers do not need to change their passwords or check their credit cards for signs of fraud reasons the same.