Amazon has been quietly notifying users of a data breach, with the shopping behemoth “inadvertently” revealing email addresses of shoppers. The confession came by way of a brief email sent to those affected, though Amazon is being cagey with the full details, much to the chagrin of people concerned about their data.
“We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error,” one version of Amazon’s terse email reads. “The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
Another version of the email received by some customers also suggests that their name was revealed, in addition to their email address.
What Amazon’s message doesn’t include, however, is any more detail as to what happened. There’s no indication of how the disclosure happened, nor to whom the emails might have been visible. Amazon also fails to mention for how long it exposed email addresses, and whether it has any record of how often they might have been accessed.
Similarly galling, there’s also no apology from the retailer. Indeed the email itself bears more resemblance to a lackluster phishing attempt than Amazon’s usual graphics-filled promotional messages.
Amazon has been keen to downplay the impact of its security goof. “We have fixed the issue and informed customers who may have been impacted,” the company said in a statement, though did not say how many people might have been affected. It did, however, insist that neither its website nor systems were hacked.
The suggestion that users need not change their password, however, runs at odds with the general security advice given following most inadvertent exposures of personally-identifiable data. After all, simply having confirmation of a real email address and name could be a solid starting point for someone to begin an actual phishing attempt.
One possibility that some customers have raised is that Amazon had shared user contact information with third-party sellers. Indeed, some report having received emails from such sellers, asking them to modify negative product reviews they had left.
Update: Amazon has been in touch to reiterate that the company’s website and servers were not breached, and that it is notifying customers out of caution more than anything else. There’s still no official word on how many customers were affected, what caused the email and name disclosure, what steps Amazon took to address it, whether or not the exposed data was accessed by anybody who should not have had access to it, and for how long it was exposed. We’ll update if we find out more.