In a significant development that underscores the lasting impact of 2023’s MOVEit vulnerability, Amazon has confirmed that employee data was compromised through a third-party property management vendor. The breach, revealed by a threat actor known as “Nam3L3ss,” exposes the continuing ripple effects of one of last year’s most devastating supply chain attacks.
The Attack Vector
The compromise stems from the notorious MOVEit Transfer vulnerability, CVE-2023-34362, a critical SQL injection flaw that allowed unauthenticated attackers to gain unauthorized access to vulnerable systems. The vulnerability, first exploited in May 2023, enabled attackers to bypass authentication and potentially access sensitive data stored within the MOVEit Transfer database, a widely used managed file transfer solution in enterprise environments.
Threat Actor Profile: Nam3L3ss
Nam3L3ss has emerged as a significant player in the cybercrime landscape. They recently posted over 2.8 million lines of Amazon employee data on BreachForums, alongside data from 25 other major organizations. The threat actor claims to have “well over 250TB of archived database files” and warns that they “download entire databases from exposed web sources including mysql, postgres, SQL Server databases and backups, azure databases and backups etc.”. Nam3L3ss claimed that the published data represents “less than .001%” of their total cache, threatening to release information from up to 1,000 previously unseen breaches.
Nam3L3ss has explicitly warned companies to “pay attention” to these leaks, highlighting the exposure of sensitive details including cost center codes and internal organizational structures. While the MOVEit vulnerability was previously exploited by the Cl0p ransomware gang, researchers cannot yet confirm whether this data came from Cl0p, its affiliates, or whether Nam3L3ss conducted independent exploits.
The Compromised Data
The exposed Amazon dataset includes employee work contact information, email addresses, desk phone numbers, and building locations. While Amazon spokesperson Adam Montgomery confirmed the breach, he emphasized in a statement to TechCrunch that core Amazon and Amazon Web Services, or AWS, systems remained secure.
“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations,” Montgomery said.
Broader Impact
This incident is part of a larger campaign that has affected numerous major corporations, including Lenovo, HP, HSBC, and McDonald’s. The MOVEit attacks have impacted over 2,000 organizations and exposed the data of more than 62 million individuals. The campaign represents one of the most extensive data theft operations in recent history, with victims ranging from private corporations to government agencies.
The breach highlights the persistent vulnerability of supply chain security and the critical importance of vendor risk management. Despite the initial MOVEit vulnerability being discovered and patched in 2023, organizations continue to face consequences from this security incident, demonstrating how supply chain compromises can have long-lasting effects on corporate security postures. This incident also serves as a stark reminder that even tech giants with sophisticated security measures can fall victim to third-party vulnerabilities.